CAPEC™ | Compliance | Fluid Attacks Help

CAPEC™


Summary

Common Attack Pattern Enumeration and Classification (CAPEC™) provides a comprehensive dictionary of known attack patterns that adversaries use to exploit known weaknesses in cyber-enabled capabilities. Analysts, developers, testers and educators can use it to advance community understanding and strengthen defenses. The version used in this section is CAPEC List v3.9.

Definitions

| Definition | Requirements |
|---|---|
| 1. Accessing functionality not properly constrained by ACLs | 096. Set user's required privileges; 264. Request authentication |
| 2. Inducing account lockout | 226. Avoid account lockouts |
| 3. Using leading 'ghost' character sequences to bypass input filters | 173. Discard unsafe inputs |
| 4. Using alternative IP address encodings | 173. Discard unsafe inputs |
| 6. Argument injection | 173. Discard unsafe inputs; 342. Validate request parameters |
| 7. Blind SQL injection | 169. Use parameterized queries; 173. Discard unsafe inputs |
| 11. Cause web server misclassification | 037. Parameters without sensitive data; 040. Compare file format and extension; 320. Avoid client-side control enforcement |
| 12. Choosing message identifier | 181. Transmit data using secure protocols |
| 13. Subverting environment variable values | 046. Manage the integrity of critical files; 265. Restrict access to critical processes |
| 15. Command delimiters | 173. Discard unsafe inputs |
| 16. Dictionary-based password attack | 332. Prevent the use of breached passwords |
| 17. Using malicious files | 041. Scan files for malicious code; 186. Use the principle of least privilege |
| 18. XSS targeting non-script elements | 160. Encode system outputs; 173. Discard unsafe inputs |
| 19. Embedding scripts within scripts | 050. Control calls to interpreted code; 160. Encode system outputs; 173. Discard unsafe inputs; 340. Use octet stream downloads; 344. Avoid dynamic code execution; 349. Include HTTP security headers |
| 20. Encryption brute forcing | 147. Use pre-existent mechanisms; 148. Set minimum size of asymmetric encryption; 149. Set minimum size of symmetric encryption; 150. Set minimum size for hash functions; 223. Uniform distribution in random numbers; 224. Use secure cryptographic mechanisms; 370. Use OAEP padding with RSA; 371. Use GCM Padding with AES |
| 21. Exploitation of trusted identifiers | 174. Transactions without a distinguishable pattern; 178. Use digital signatures |
| 22. Exploiting trust in client | 173. Discard unsafe inputs; 178. Use digital signatures; 320. Avoid client-side control enforcement |
| 23. File content injection | 041. Scan files for malicious code; 046. Manage the integrity of critical files; 186. Use the principle of least privilege |
| 24. Filter failure through buffer overflow | 173. Discard unsafe inputs; 345. Establish protections against overflows |
| 25. Forced deadlock | 337. Make critical logic flows thread safe |
| 26. Leveraging race conditions | 337. Make critical logic flows thread safe |
| 27. Leveraging race conditions via symbolic links | 186. Use the principle of least privilege; 337. Make critical logic flows thread safe |
| 28. Fuzzing | 320. Avoid client-side control enforcement |
| 29. Leveraging time-of-check and time-of-use (TOCTOU) race conditions | 337. Make critical logic flows thread safe |
| 30. Hijacking a privileged thread of execution | 337. Make critical logic flows thread safe |
| 31. Accessing/Intercepting/Modifying HTTP cookies | 029. Cookies with security attributes; 174. Transactions without a distinguishable pattern; 181. Transmit data using secure protocols; 342. Validate request parameters; 349. Include HTTP security headers |
| 32. XSS through HTTP query strings | 160. Encode system outputs; 173. Discard unsafe inputs; 342. Validate request parameters; 349. Include HTTP security headers |
| 33. HTTP request smuggling | 348. Use consistent encoding |
| 34. HTTP response splitting | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement |
| 35. Leverage executable code in non-executable files | 046. Manage the integrity of critical files; 186. Use the principle of least privilege |
| 36. Using unpublished interfaces | 264. Request authentication |
| 38. Leveraging/Manipulating configuration file search paths | 046. Manage the integrity of critical files |
| 39. Manipulating opaque client-based data tokens | 026. Encrypt client-side session information; 320. Avoid client-side control enforcement; 328. Request MFA for critical systems |
| 41. Using meta-characters in e-mail headers to inject malicious payloads | 115. Filter malicious emails; 173. Discard unsafe inputs |
| 42. MIME conversion | 262. Verify third-party components |
| 43. Exploiting multiple input interpretation layers | 348. Use consistent encoding |
| 48. Passing local filenames to functions that expect a URL | 160. Encode system outputs; 173. Discard unsafe inputs |
| 49. Password brute forcing | 130. Limit password lifespan; 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters; 237. Ascertain human interaction; 327. Set a rate limit |
| 60. Reusing session IDs (aka session replay) | 030. Avoid object reutilization |
| 70. Try common usernames and passwords | 142. Change system default credentials |
| 74. Manipulating state | 026. Encrypt client-side session information; 328. Request MFA for critical systems; 329. Keep client-side storage without sensitive data |
| 94. Adversary in the middle (AiTM) | 092. Use externally signed certificates; 181. Transmit data using secure protocols; 224. Use secure cryptographic mechanisms; 336. Disable insecure TLS versions; 373. Use certificate pinning |
| 113. Interface manipulation | 078. Disable debugging events; 154. Eliminate backdoors |
| 114. Authentication abuse | 232. Require equipment identity; 319. Make authentication options equally secure |
| 115. Authentication bypass | 154. Eliminate backdoors; 222. Deny access to the host essential; 228. Authenticate using standard protocols; 264. Request authentication; 319. Make authentication options equally secure |
| 116. Excavation | 077. Avoid disclosing technical information; 078. Disable debugging events; 261. Avoid exposing sensitive information; 325. Protect WSDL files; 339. Avoid storing sensitive files in the web root; 365. Avoid exposing technical information |
| 117. Interception | 181. Transmit data using secure protocols; 224. Use secure cryptographic mechanisms; 336. Disable insecure TLS versions; 338. Implement perfect forward secrecy |
| 122. Privilege abuse | 095. Define users with privileges; 096. Set user's required privileges; 186. Use the principle of least privilege; 265. Restrict access to critical processes; 280. Restrict service root directory; 341. Use the principle of deny by default |
| 123. Buffer manipulation | 157. Use the strict mode; 158. Use a secure programming language; 345. Establish protections against overflows; 350. Enable memory protection mechanisms |
| 124. Shared resource manipulation | 337. Make critical logic flows thread safe; 374. Use of isolation methods in running applications |
| 125. Flooding | 062. Define standard configurations; 072. Set maximum response time; 327. Set a rate limit |
| 129. Pointer manipulation | 157. Use the strict mode; 158. Use a secure programming language |
| 130. Excessive allocation | 062. Define standard configurations; 072. Set maximum response time; 157. Use the strict mode; 160. Encode system outputs; 173. Discard unsafe inputs; 321. Avoid deserializing untrusted data; 327. Set a rate limit |
| 131. Resource leak exposure | 158. Use a secure programming language |
| 137. Parameter injection | 173. Discard unsafe inputs; 342. Validate request parameters |
| 148. Content spoofing | 178. Use digital signatures; 181. Transmit data using secure protocols; 330. Verify Subresource Integrity |
| 151. Identity spoofing | 062. Define standard configurations; 224. Use secure cryptographic mechanisms; 319. Make authentication options equally secure |
| 153. Input data manipulation | 037. Parameters without sensitive data; 160. Encode system outputs; 173. Discard unsafe inputs; 186. Use the principle of least privilege; 320. Avoid client-side control enforcement; 321. Avoid deserializing untrusted data; 342. Validate request parameters; 345. Establish protections against overflows; 348. Use consistent encoding |
| 154. Resource location spoofing | 046. Manage the integrity of critical files; 050. Control calls to interpreted code; 330. Verify Subresource Integrity |
| 155. Screen temporary files for sensitive information | 036. Do not deploy temporary files |
| 161. Infrastructure manipulation | 062. Define standard configurations; 080. Prevent log modification; 266. Disable insecure functionalities; 324. Control redirects; 349. Include HTTP security headers |
| 165. File manipulation | 037. Parameters without sensitive data; 040. Compare file format and extension; 041. Scan files for malicious code; 042. Validate file format; 330. Verify Subresource Integrity; 340. Use octet stream downloads |
| 169. Footprinting | 273. Define a fixed security suite |
| 173. Action spoofing | 349. Include HTTP security headers |
| 175. Code inclusion | 037. Parameters without sensitive data; 050. Control calls to interpreted code; 173. Discard unsafe inputs |
| 176. Configuration/Environment manipulation | 046. Manage the integrity of critical files; 186. Use the principle of least privilege |
| 188. Reverse engineering | 159. Obfuscate code |
| 212. Functionality misuse | 226. Avoid account lockouts; 266. Disable insecure functionalities; 336. Disable insecure TLS versions |
| 216. Communication channel manipulation | 181. Transmit data using secure protocols; 224. Use secure cryptographic mechanisms; 336. Disable insecure TLS versions |
| 224. Fingerprinting | 077. Avoid disclosing technical information; 325. Protect WSDL files; 365. Avoid exposing technical information |
| 227. Sustained client engagement | 023. Terminate inactive user sessions; 025. Manage concurrent sessions |
| 233. Privilege escalation | 035. Manage privilege modifications; 095. Define users with privileges; 186. Use the principle of least privilege; 337. Make critical logic flows thread safe; 341. Use the principle of deny by default |
| 240. Resource injection | 160. Encode system outputs; 173. Discard unsafe inputs; 262. Verify third-party components |
| 242. Code injection | 043. Define an explicit content type; 044. Define an explicit charset; 050. Control calls to interpreted code; 117. Do not interpret HTML code; 160. Encode system outputs; 173. Discard unsafe inputs; 262. Verify third-party components; 344. Avoid dynamic code execution |
| 248. Command injection | 160. Encode system outputs; 169. Use parameterized queries; 173. Discard unsafe inputs; 321. Avoid deserializing untrusted data; 344. Avoid dynamic code execution |
| 272. Protocol manipulation | 224. Use secure cryptographic mechanisms; 336. Disable insecure TLS versions |
| 438. Modification during manufacture | 154. Eliminate backdoors; 155. Application free of malicious code |
| 442. Infected software | 273. Define a fixed security suite |
| 475. Signature spoofing by improper validation | 093. Use consistent certificates |
| 549. Local execution of code | 041. Scan files for malicious code; 273. Define a fixed security suite |
| 554. Functionality bypass | 154. Eliminate backdoors |
| 560. Use of known domain credentials | 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters; 142. Change system default credentials; 332. Prevent the use of breached passwords |
| 586. Object injection | 321. Avoid deserializing untrusted data |
| 594. Traffic injection | 181. Transmit data using secure protocols; 224. Use secure cryptographic mechanisms; 336. Disable insecure TLS versions |
| 613. WiFi SSID tracking | 247. Hide SSID on private networks; 248. SSID without dictionary words; 254. Change SSID name |
| 619. Signal strength tracking | 249. Locate access points |
| 654. Credential Prompt Impersonation | 122. Validate credential ownership |
| 676. NoSQL Injection | 173. Discard unsafe inputs; 273. Define a fixed security suite |
| 677. Server Motherboard Compromise | 266. Disable insecure functionalities |
| 678. System Build Data Maliciously Altered | 266. Disable insecure functionalities |
| 679. Exploitation of Improperly Configured or Implemented Memory Protections | 350. Enable memory protection mechanisms |
| 680. Exploitation of Improperly Controlled Registers | 176. Restrict system objects |
| 681. Exploitation of Improperly Controlled Hardware Security Identifiers | 352. Enable trusted execution |
| 682. Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities | 262. Verify third-party components |
| 690. Metadata Spoofing | 035. Manage privilege modifications; 096. Set user's required privileges; 173. Discard unsafe inputs; 176. Restrict system objects; 265. Restrict access to critical processes; 320. Avoid client-side control enforcement |
| 691. Spoof Open-Source Software Metadata | 173. Discard unsafe inputs; 176. Restrict system objects; 262. Verify third-party components |
| 692. Spoof Version Control System Commit Metadata | 173. Discard unsafe inputs; 176. Restrict system objects; 262. Verify third-party components |
| 693. StarJacking | 262. Verify third-party components |
| 694. System Location Discovery | 185. Encrypt sensitive information; 300. Mask sensitive data |
| 695. Repo Jacking | 262. Verify third-party components |
| 697. DHCP Spoofing | 062. Define standard configurations; 273. Define a fixed security suite |
| 698. Install Malicious Extension | 262. Verify third-party components |
| 700. Network Boundary Bridging | 253. Restrict network access; 255. Allow access only to the necessary ports; 259. Segment the organization network |
| 701. Browser in the Middle (BiTM) | 262. Verify third-party components; 266. Disable insecure functionalities |