New to CAPEC? Start Here
Home > CAPEC List > Reports > Differences between 3.3 and 3.4 Content  

Differences between 3.3 and 3.4 Content

Summary

Total (3.4) (not including Deprecated) 553
Total (3.3) (not including Deprecated) 582
Attack Patterns
New Patterns Added 4
Existing Patterns Modified with Enhanced Material 181
Patterns Deprecated 1
Categories
Existing Categories Modified with Enhanced Material 1
Categories Deprecated 34
Views
Views Added 2
Existing Views Modified with Enhanced Material 1
CAPEC -> CWE Mappings
CAPEC -> CWE Mappings Added 43
CAPEC -> CWE Mappings Removed 3
CAPEC -> CAPEC Mappings
CAPEC -> CAPEC Mappings Added 35
CAPEC -> CAPEC Mappings Removed 112

Summary of Entry Types

Type 3.3 3.4
Views 9 11
Categories 49 15
Attack Patterns 524 527
Deprecated 76 111

Back to top

Attack Pattern Changes

New Patterns Added
CAPEC-656 Voice Phishing
CAPEC-657 Malicious Automated Software Update via Spoofing
CAPEC-660 Root/Jailbreak Detection Evasion via Hooking
CAPEC-661 Root/Jailbreak Detection Evasion via Debugging

Existing Patterns Modified with Enhanced Material
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
CAPEC-7 Blind SQL Injection
CAPEC-10 Buffer Overflow via Environment Variables
CAPEC-13 Subverting Environment Variable Values
CAPEC-16 Dictionary-based Password Attack
CAPEC-17 Using Malicious Files
CAPEC-21 Exploitation of Trusted Identifiers
CAPEC-23 File Content Injection
CAPEC-25 Forced Deadlock
CAPEC-31 Accessing/Intercepting/Modifying HTTP Cookies
CAPEC-32 XSS Through HTTP Query Strings
CAPEC-33 HTTP Request Smuggling
CAPEC-34 HTTP Response Splitting
CAPEC-37 Retrieve Embedded Sensitive Data
CAPEC-44 Overflow Binary Resource File
CAPEC-48 Passing Local Filenames to Functions That Expect a URL
CAPEC-49 Password Brute Forcing
CAPEC-50 Password Recovery Exploitation
CAPEC-52 Embedding NULL Bytes
CAPEC-55 Rainbow Table Password Cracking
CAPEC-58 Restful Privilege Elevation
CAPEC-59 Session Credential Falsification through Prediction
CAPEC-61 Session Fixation
CAPEC-62 Cross Site Request Forgery
CAPEC-63 Cross-Site Scripting (XSS)
CAPEC-66 SQL Injection
CAPEC-67 String Format Overflow in syslog()
CAPEC-68 Subvert Code-signing Facilities
CAPEC-70 Try Common or Default Usernames and Passwords
CAPEC-71 Using Unicode Encoding to Bypass Validation Logic
CAPEC-77 Manipulating User-Controlled Variables
CAPEC-83 XPath Injection
CAPEC-84 XQuery Injection
CAPEC-85 AJAX Footprinting
CAPEC-86 XSS Through HTTP Headers
CAPEC-87 Forceful Browsing
CAPEC-88 OS Command Injection
CAPEC-89 Pharming
CAPEC-90 Reflection Attack in Authentication Protocol
CAPEC-92 Forced Integer Overflow
CAPEC-94 Man in the Middle Attack
CAPEC-97 Cryptanalysis
CAPEC-98 Phishing
CAPEC-100 Overflow Buffers
CAPEC-101 Server Side Include (SSI) Injection
CAPEC-103 Clickjacking
CAPEC-105 HTTP Request Splitting
CAPEC-107 Cross Site Tracing
CAPEC-110 SQL Injection through SOAP Parameter Tampering
CAPEC-112 Brute Force
CAPEC-113 Interface Manipulation
CAPEC-115 Authentication Bypass
CAPEC-116 Excavation
CAPEC-121 Exploit Non-Production Interfaces
CAPEC-122 Privilege Abuse
CAPEC-124 Shared Resource Manipulation
CAPEC-125 Flooding
CAPEC-126 Path Traversal
CAPEC-130 Excessive Allocation
CAPEC-131 Resource Leak Exposure
CAPEC-134 Email Injection
CAPEC-135 Format String Injection
CAPEC-136 LDAP Injection
CAPEC-139 Relative Path Traversal
CAPEC-141 Cache Poisoning
CAPEC-148 Content Spoofing
CAPEC-149 Explore for Predictable Temporary File Names
CAPEC-150 Collect Data from Common Resource Locations
CAPEC-155 Screen Temporary Files for Sensitive Information
CAPEC-157 Sniffing Attacks
CAPEC-159 Redirect Access to Libraries
CAPEC-163 Spear Phishing
CAPEC-164 Mobile Phishing
CAPEC-166 Force the System to Reset Values
CAPEC-167 White Box Reverse Engineering
CAPEC-168 Windows ::DATA Alternate Data Stream
CAPEC-169 Footprinting
CAPEC-173 Action Spoofing
CAPEC-176 Configuration/Environment Manipulation
CAPEC-178 Cross-Site Flashing
CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
CAPEC-183 IMAP/SMTP Command Injection
CAPEC-185 Malicious Software Download
CAPEC-186 Malicious Software Update
CAPEC-187 Malicious Automated Software Update via Redirection
CAPEC-193 PHP Remote File Inclusion
CAPEC-194 Fake the Source of Data
CAPEC-197 XML Entity Expansion
CAPEC-201 Serialized Data External Linking
CAPEC-206 Signing Malicious Code
CAPEC-209 XSS Using MIME Type Mismatch
CAPEC-215 Fuzzing for application mapping
CAPEC-219 XML Routing Detour Attacks
CAPEC-221 Data Serialization External Entities Blowup
CAPEC-224 Fingerprinting
CAPEC-227 Sustained Client Engagement
CAPEC-228 DTD Injection
CAPEC-229 Serialized Data Parameter Blowup
CAPEC-231 Oversized Serialized Data Payloads
CAPEC-233 Privilege Escalation
CAPEC-237 Escaping a Sandbox by Calling Code in Another Language
CAPEC-240 Resource Injection
CAPEC-242 Code Injection
CAPEC-248 Command Injection
CAPEC-250 XML Injection
CAPEC-251 Local Code Inclusion
CAPEC-252 PHP Local File Inclusion
CAPEC-253 Remote Code Inclusion
CAPEC-256 SOAP Array Overflow
CAPEC-261 Fuzzing for garnering other adjacent user/sensitive data
CAPEC-267 Leverage Alternate Encoding
CAPEC-268 Audit Log Manipulation
CAPEC-273 HTTP Response Smuggling
CAPEC-275 DNS Rebinding
CAPEC-279 SOAP Manipulation
CAPEC-287 TCP SYN Scan
CAPEC-292 Host Discovery
CAPEC-300 Port Scanning
CAPEC-301 TCP Connect Scan
CAPEC-302 TCP FIN Scan
CAPEC-303 TCP Xmas Scan
CAPEC-304 TCP Null Scan
CAPEC-305 TCP ACK Scan
CAPEC-306 TCP Window Scan
CAPEC-307 TCP RPC Scan
CAPEC-308 UDP Scan
CAPEC-309 Network Topology Mapping
CAPEC-383 Harvesting Information via API Event Monitoring
CAPEC-406 Dumpster Diving
CAPEC-407 Pretexting
CAPEC-422 Influence Perception of Commitment and Consistency
CAPEC-425 Target Influence via Framing
CAPEC-459 Creating a Rogue Certification Authority Certificate
CAPEC-460 HTTP Parameter Pollution (HPP)
CAPEC-461 Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
CAPEC-462 Cross-Domain Search Timing
CAPEC-463 Padding Oracle Crypto Attack
CAPEC-464 Evercookie
CAPEC-465 Transparent Proxy Abuse
CAPEC-466 Leveraging Active Man in the Middle Attacks to Bypass Same Origin Policy
CAPEC-467 Cross Site Identification
CAPEC-468 Generic Cross-Browser Cross-Domain Theft
CAPEC-469 HTTP DoS
CAPEC-470 Expanding Control over the Operating System from the Database
CAPEC-471 Search Order Hijacking
CAPEC-474 Signature Spoofing by Key Theft
CAPEC-480 Escaping Virtualization
CAPEC-486 UDP Flood
CAPEC-491 XML Quadratic Expansion
CAPEC-492 Regular Expression Exponential Blowup
CAPEC-497 File Discovery
CAPEC-499 Android Intent Intercept
CAPEC-501 Android Activity Hijack
CAPEC-505 Scheme Squatting
CAPEC-509 Kerberoasting
CAPEC-536 Data Injected During Configuration
CAPEC-537 Infiltration of Hardware Development Environment
CAPEC-543 Counterfeit Websites
CAPEC-545 Pull Data from System Resources
CAPEC-561 Windows Admin Shares with Stolen Credentials
CAPEC-564 Run Software at Logon
CAPEC-565 Password Spraying
CAPEC-568 Capture Credentials via Keylogger
CAPEC-580 System Footprinting
CAPEC-584 BGP Route Disabling
CAPEC-586 Object Injection
CAPEC-587 Cross Frame Scripting (XFS)
CAPEC-588 DOM-Based XSS
CAPEC-589 DNS Blocking
CAPEC-591 Reflected XSS
CAPEC-592 Stored XSS
CAPEC-593 Session Hijacking
CAPEC-600 Credential Stuffing
CAPEC-611 BitSquatting
CAPEC-624 Hardware Fault Injection
CAPEC-630 TypoSquatting
CAPEC-631 SoundSquatting
CAPEC-632 Homograph Attack via Homoglyphs
CAPEC-642 Replace Binaries
CAPEC-650 Upload a Web Shell to a Web Server
CAPEC-652 Use of Known Kerberos Credentials

Patterns Deprecated
CAPEC-214 DEPRECATED: Fuzzing for garnering J2EE/.NET-based stack traces, for application mapping
Back to top

Category Changes

New Categories Added

Existing Categories Modified with Enhanced Material
CAPEC-210 Abuse Existing Functionality

Categories Deprecated
CAPEC-336 DEPRECATED: WASC-03 - Integer Overflows
CAPEC-338 DEPRECATED: WASC-05 - Remote File Inclusion
CAPEC-339 DEPRECATED: WASC-06 - Format String
CAPEC-340 DEPRECATED: WASC-07 - Buffer Overflow
CAPEC-341 DEPRECATED: WASC-08 - Cross-Site Scripting
CAPEC-342 DEPRECATED: WASC-09 - Cross-Site Request Forgery
CAPEC-343 DEPRECATED: WASC-10 - Denial of Service
CAPEC-344 DEPRECATED: WASC-11 - Brute Force
CAPEC-345 DEPRECATED: WASC-12 - Content Spoofing
CAPEC-351 DEPRECATED: WASC-18 - Credential/Session Prediction
CAPEC-352 DEPRECATED: WASC-19 - SQL Injection
CAPEC-356 DEPRECATED: WASC-23 - XML Injection
CAPEC-357 DEPRECATED: WASC-24 - HTTP Request Splitting
CAPEC-358 DEPRECATED: WASC-25 - HTTP Response Splitting
CAPEC-359 DEPRECATED: WASC-26 - HTTP Request Smuggling
CAPEC-360 DEPRECATED: WASC-27 - HTTP Response Smuggling
CAPEC-361 DEPRECATED: WASC-28 - Null Byte Injection
CAPEC-362 DEPRECATED: WASC-29 - LDAP Injection
CAPEC-363 DEPRECATED: WASC-30 - Mail Command Injection
CAPEC-364 DEPRECATED: WASC-31 - OS Commanding
CAPEC-365 DEPRECATED: WASC-32 - Routing Detour
CAPEC-366 DEPRECATED: WASC-33 - Path Traversal
CAPEC-367 DEPRECATED: WASC-34 - Predictable Resource Location
CAPEC-368 DEPRECATED: WASC-35 - SOAP Array Abuse
CAPEC-369 DEPRECATED: WASC-36 - SSI Injection
CAPEC-370 DEPRECATED: WASC-37 - Session Fixation
CAPEC-371 DEPRECATED: WASC-38 - URL Redirector Abuse
CAPEC-372 DEPRECATED: WASC-39 - XPath Injection
CAPEC-374 DEPRECATED: WASC-41 - XML Attribute Blowup
CAPEC-375 DEPRECATED: WASC-42 - Abuse of Functionality
CAPEC-376 DEPRECATED: WASC-43 - XML External Entities
CAPEC-377 DEPRECATED: WASC-44 - XML Entity Expansion
CAPEC-378 DEPRECATED: WASC-45 - Fingerprinting
CAPEC-379 DEPRECATED: WASC-46 - XQuery Injection
Back to top

View Changes

Views Added
CAPEC-658 ATT&CK Related Patterns
CAPEC-659 OWASP Related Patterns

Existing Views Modified with Enhanced Material
CAPEC-333 WASC Threat Classification 2.0

Views Deprecated
Back to top

Mapping Changes

CAPEC --> CWE Mappings Added
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
  --> CWE-1311 Improper Translation of Security Attributes by Fabric Bridge
  --> CWE-1312 Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
  --> CWE-1313 Hardware Allows Activation of Test or Debug Logic at Runtime
  --> CWE-1314 Missing Write Protection for Parametric Data Values
  --> CWE-1315 Improper Setting of Bus Controlling Capability in Fabric End-point
  --> CWE-1318 Missing Support for Security Features in On-chip Fabrics or Buses
  --> CWE-1320 Improper Protection for Out of Bounds Signal Level Alerts
  --> CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
  --> CWE-1326 Missing Immutable Root of Trust in Hardware
  --> CWE-1327 Binding to an Unrestricted IP Address
CAPEC-25 Forced Deadlock
  --> CWE-1322 Use of Blocking Code in Single-threaded, Non-blocking Context
CAPEC-37 Retrieve Embedded Sensitive Data
  --> CWE-1330 Remanent Data Readable after Memory Erase
CAPEC-68 Subvert Code-signing Facilities
  --> CWE-1326 Missing Immutable Root of Trust in Hardware
CAPEC-77 Manipulating User-Controlled Variables
  --> CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CAPEC-113 Interface Manipulation
  --> CWE-1192 System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers
CAPEC-121 Exploit Non-Production Interfaces
  --> CWE-1313 Hardware Allows Activation of Test or Debug Logic at Runtime
CAPEC-122 Privilege Abuse
  --> CWE-1317 Missing Security Checks in Fabric Bridge
CAPEC-124 Shared Resource Manipulation
  --> CWE-1331 Improper Isolation of Shared Resources in Network On Chip
CAPEC-130 Excessive Allocation
  --> CWE-1325 Improperly Controlled Sequential Memory Allocation
CAPEC-150 Collect Data from Common Resource Locations
  --> CWE-1323 Improper Management of Sensitive Trace Data
  --> CWE-1324 Sensitive Information Accessible by Physical Probing of JTAG Interface
  --> CWE-1330 Remanent Data Readable after Memory Erase
CAPEC-167 White Box Reverse Engineering
  --> CWE-1323 Improper Management of Sensitive Trace Data
  --> CWE-1324 Sensitive Information Accessible by Physical Probing of JTAG Interface
CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
  --> CWE-1311 Improper Translation of Security Attributes by Fabric Bridge
  --> CWE-1313 Hardware Allows Activation of Test or Debug Logic at Runtime
  --> CWE-1315 Improper Setting of Bus Controlling Capability in Fabric End-point
  --> CWE-1316 Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
  --> CWE-1318 Missing Support for Security Features in On-chip Fabrics or Buses
  --> CWE-1320 Improper Protection for Out of Bounds Signal Level Alerts
  --> CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
  --> CWE-1326 Missing Immutable Root of Trust in Hardware
CAPEC-215 Fuzzing for application mapping
  --> CWE-388 7PK - Errors
CAPEC-233 Privilege Escalation
  --> CWE-1311 Improper Translation of Security Attributes by Fabric Bridge
CAPEC-545 Pull Data from System Resources
  --> CWE-1323 Improper Management of Sensitive Trace Data
  --> CWE-1324 Sensitive Information Accessible by Physical Probing of JTAG Interface
  --> CWE-1330 Remanent Data Readable after Memory Erase
CAPEC-624 Hardware Fault Injection
  --> CWE-1319 Improper Protection against Electromagnetic Fault Injection (EM-FI)
  --> CWE-1332 Insufficient Protection Against Instruction Skipping Via Fault Injection
  --> CWE-1334 Unauthorized Error Injection Can Degrade Hardware Redundancy
CAPEC-657 Malicious Automated Software Update via Spoofing
  --> CWE-494 Download of Code Without Integrity Check
CAPEC-660 Root/Jailbreak Detection Evasion via Hooking
  --> CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CAPEC-661 Root/Jailbreak Detection Evasion via Debugging
  --> CWE-489 Active Debug Code

CAPEC --> CWE Mappings Removed
CAPEC-214 Fuzzing for garnering J2EE/.NET-based stack traces, for application mapping
  --> CWE-209 Generation of Error Message Containing Sensitive Information
  --> CWE-388 7PK - Errors
CAPEC-537 Infiltration of Hardware Development Environment
  --> CWE-125 Out-of-bounds Read

CAPEC --> CAPEC Mappings Added
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
CanPrecede   --> CAPEC-17 Using Malicious Files
CAPEC-16 Dictionary-based Password Attack
CanPrecede   --> CAPEC-561 Windows Admin Shares with Stolen Credentials
CAPEC-17 Using Malicious Files
Has Child   --> CAPEC-122 Privilege Abuse
CAPEC-32 XSS Through HTTP Query Strings
Has Child   --> CAPEC-592 Stored XSS
CAPEC-49 Password Brute Forcing
CanPrecede   --> CAPEC-561 Windows Admin Shares with Stolen Credentials
CAPEC-50 Password Recovery Exploitation
CanPrecede   --> CAPEC-561 Windows Admin Shares with Stolen Credentials
CAPEC-55 Rainbow Table Password Cracking
CanPrecede   --> CAPEC-561 Windows Admin Shares with Stolen Credentials
CAPEC-58 Restful Privilege Elevation
Has Child   --> CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
CAPEC-63 Cross-Site Scripting (XSS)
CanPrecede   --> CAPEC-107 Cross Site Tracing
CAPEC-70 Try Common or Default Usernames and Passwords
CanPrecede   --> CAPEC-561 Windows Admin Shares with Stolen Credentials
CAPEC-85 AJAX Footprinting
Has Child   --> CAPEC-580 System Footprinting
CAPEC-86 XSS Through HTTP Headers
Has Child   --> CAPEC-592 Stored XSS
CAPEC-90 Reflection Attack in Authentication Protocol
Has Child   --> CAPEC-272 Protocol Manipulation
CAPEC-116 Excavation
CanPrecede   --> CAPEC-163 Spear Phishing
CAPEC-149 Explore for Predictable Temporary File Names
CanPrecede   --> CAPEC-155 Screen Temporary Files for Sensitive Information
CAPEC-157 Sniffing Attacks
CanPrecede   --> CAPEC-652 Use of Known Kerberos Credentials
CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
CanPrecede   --> CAPEC-17 Using Malicious Files
CAPEC-185 Malicious Software Download
CanPrecede   --> CAPEC-94 Man in the Middle Attack
CAPEC-194 Fake the Source of Data
CanPrecede   --> CAPEC-657 Malicious Automated Software Update via Spoofing
CAPEC-215 Fuzzing for application mapping
Has Child   --> CAPEC-28 Fuzzing
CAPEC-228 DTD Injection
CanPrecede   --> CAPEC-197 XML Entity Expansion
CanPrecede   --> CAPEC-491 XML Quadratic Expansion
CAPEC-279 SOAP Manipulation
CanPrecede   --> CAPEC-110 SQL Injection through SOAP Parameter Tampering
CanPrecede   --> CAPEC-228 DTD Injection
CAPEC-406 Dumpster Diving
CanPrecede   --> CAPEC-163 Spear Phishing
CAPEC-407 Pretexting
CanPrecede   --> CAPEC-163 Spear Phishing
CAPEC-505 Scheme Squatting
Has Child   --> CAPEC-616 Establish Rogue Location
CAPEC-565 Password Spraying
CanPrecede   --> CAPEC-561 Windows Admin Shares with Stolen Credentials
CAPEC-568 Capture Credentials via Keylogger
CanPrecede   --> CAPEC-561 Windows Admin Shares with Stolen Credentials
CAPEC-656 Voice Phishing
Has Child   --> CAPEC-98 Phishing
CAPEC-657 Malicious Automated Software Update via Spoofing
Has Child   --> CAPEC-186 Malicious Software Update
CAPEC-660 Root/Jailbreak Detection Evasion via Hooking
Has Child   --> CAPEC-251 Local Code Inclusion
CAPEC-661 Root/Jailbreak Detection Evasion via Debugging
CanPrecede   --> CAPEC-68 Subvert Code-signing Facilities
Has Child   --> CAPEC-121 Exploit Non-Production Interfaces
CanPrecede   --> CAPEC-660 Root/Jailbreak Detection Evasion via Hooking

CAPEC --> CAPEC Mappings Removed
CAPEC-17 Using Malicious Files
Has Child   --> CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
Has Child   --> CAPEC-165 File Manipulation
CAPEC-31 Accessing/Intercepting/Modifying HTTP Cookies
Has Child   --> CAPEC-150 Collect Data from Common Resource Locations
CAPEC-58 Restful Privilege Elevation
Has Child   --> CAPEC-233 Privilege Escalation
CAPEC-85 AJAX Fingerprinting
Has Child   --> CAPEC-541 Application Fingerprinting
CAPEC-89 Pharming
CanFollow   --> CAPEC-89 Pharming
CanFollow   --> CAPEC-543 Counterfeit Websites
CanFollow   --> CAPEC-611 BitSquatting
CanFollow   --> CAPEC-630 TypoSquatting
CanFollow   --> CAPEC-631 SoundSquatting
CanFollow   --> CAPEC-632 Homograph Attack via Homoglyphs
CAPEC-90 Reflection Attack in Authentication Protocol
Has Child   --> CAPEC-220 Client-Server Protocol Manipulation
CAPEC-94 Man in the Middle Attack
CanFollow   --> CAPEC-185 Malicious Software Download
CAPEC-107 Cross Site Tracing
CanFollow   --> CAPEC-63 Cross-Site Scripting (XSS)
CAPEC-110 SQL Injection through SOAP Parameter Tampering
CanFollow   --> CAPEC-279 SOAP Manipulation
CAPEC-155 Screen Temporary Files for Sensitive Information
CanFollow   --> CAPEC-149 Explore for Predictable Temporary File Names
CAPEC-163 Spear Phishing
CanFollow   --> CAPEC-116 Excavation
CanFollow   --> CAPEC-406 Dumpster Diving
CanFollow   --> CAPEC-407 Pretexting
CAPEC-197 XML Entity Expansion
CanFollow   --> CAPEC-228 DTD Injection
CAPEC-214 Fuzzing for garnering J2EE/.NET-based stack traces, for application mapping
Has Child   --> CAPEC-54 Query System for Information
CAPEC-228 DTD Injection
CanFollow   --> CAPEC-279 SOAP Manipulation
CAPEC-237 Escaping a Sandbox by Calling Signed Code in Another Language
Has Child   --> CAPEC-68 Subvert Code-signing Facilities
CAPEC-333 WASC Threat Classification 2.0
Has Member   --> CAPEC-336 DEPRECATED: WASC-03 - Integer Overflows
Has Member   --> CAPEC-338 DEPRECATED: WASC-05 - Remote File Inclusion
Has Member   --> CAPEC-339 DEPRECATED: WASC-06 - Format String
Has Member   --> CAPEC-340 DEPRECATED: WASC-07 - Buffer Overflow
Has Member   --> CAPEC-341 DEPRECATED: WASC-08 - Cross-Site Scripting
Has Member   --> CAPEC-342 DEPRECATED: WASC-09 - Cross-Site Request Forgery
Has Member   --> CAPEC-343 DEPRECATED: WASC-10 - Denial of Service
Has Member   --> CAPEC-344 DEPRECATED: WASC-11 - Brute Force
Has Member   --> CAPEC-345 DEPRECATED: WASC-12 - Content Spoofing
Has Member   --> CAPEC-351 DEPRECATED: WASC-18 - Credential/Session Prediction
Has Member   --> CAPEC-352 DEPRECATED: WASC-19 - SQL Injection
Has Member   --> CAPEC-356 DEPRECATED: WASC-23 - XML Injection
Has Member   --> CAPEC-357 DEPRECATED: WASC-24 - HTTP Request Splitting
Has Member   --> CAPEC-358 DEPRECATED: WASC-25 - HTTP Response Splitting
Has Member   --> CAPEC-359 DEPRECATED: WASC-26 - HTTP Request Smuggling
Has Member   --> CAPEC-360 DEPRECATED: WASC-27 - HTTP Response Smuggling
Has Member   --> CAPEC-361 DEPRECATED: WASC-28 - Null Byte Injection
Has Member   --> CAPEC-362 DEPRECATED: WASC-29 - LDAP Injection
Has Member   --> CAPEC-363 DEPRECATED: WASC-30 - Mail Command Injection
Has Member   --> CAPEC-364 DEPRECATED: WASC-31 - OS Commanding
Has Member   --> CAPEC-365 DEPRECATED: WASC-32 - Routing Detour
Has Member   --> CAPEC-366 DEPRECATED: WASC-33 - Path Traversal
Has Member   --> CAPEC-367 DEPRECATED: WASC-34 - Predictable Resource Location
Has Member   --> CAPEC-368 DEPRECATED: WASC-35 - SOAP Array Abuse
Has Member   --> CAPEC-369 DEPRECATED: WASC-36 - SSI Injection
Has Member   --> CAPEC-370 DEPRECATED: WASC-37 - Session Fixation
Has Member   --> CAPEC-371 DEPRECATED: WASC-38 - URL Redirector Abuse
Has Member   --> CAPEC-372 DEPRECATED: WASC-39 - XPath Injection
Has Member   --> CAPEC-374 DEPRECATED: WASC-41 - XML Attribute Blowup
Has Member   --> CAPEC-375 DEPRECATED: WASC-42 - Abuse of Functionality
Has Member   --> CAPEC-376 DEPRECATED: WASC-43 - XML External Entities
Has Member   --> CAPEC-377 DEPRECATED: WASC-44 - XML Entity Expansion
Has Member   --> CAPEC-378 DEPRECATED: WASC-45 - Fingerprinting
Has Member   --> CAPEC-379 DEPRECATED: WASC-46 - XQuery Injection
CAPEC-336 WASC-03 - Integer Overflows
Has Member   --> CAPEC-92 Forced Integer Overflow
CAPEC-338 WASC-05 - Remote File Inclusion
Has Member   --> CAPEC-253 Remote Code Inclusion
CAPEC-340 WASC-07 - Buffer Overflow
Has Member   --> CAPEC-100 Overflow Buffers
CAPEC-341 WASC-08 - Cross-Site Scripting
Has Member   --> CAPEC-63 Cross-Site Scripting (XSS)
CAPEC-342 WASC-09 - Cross-Site Request Forgery
Has Member   --> CAPEC-62 Cross Site Request Forgery
CAPEC-343 WASC-10 - Denial of Service
Has Member   --> CAPEC-125 Flooding
Has Member   --> CAPEC-130 Excessive Allocation
Has Member   --> CAPEC-131 Resource Leak Exposure
Has Member   --> CAPEC-227 Sustained Client Engagement
CAPEC-344 WASC-11 - Brute Force
Has Member   --> CAPEC-112 Brute Force
CAPEC-345 WASC-12 - Content Spoofing
Has Member   --> CAPEC-148 Content Spoofing
CAPEC-351 WASC-18 - Credential/Session Prediction
Has Member   --> CAPEC-59 Session Credential Falsification through Prediction
CAPEC-352 WASC-19 - SQL Injection
Has Member   --> CAPEC-66 SQL Injection
CAPEC-356 WASC-23 - XML Injection
Has Member   --> CAPEC-250 XML Injection
CAPEC-357 WASC-24 - HTTP Request Splitting
Has Member   --> CAPEC-105 HTTP Request Splitting
CAPEC-358 WASC-25 - HTTP Response Splitting
Has Member   --> CAPEC-34 HTTP Response Splitting
CAPEC-359 WASC-26 - HTTP Request Smuggling
Has Member   --> CAPEC-33 HTTP Request Smuggling
CAPEC-360 WASC-27 - HTTP Response Smuggling
Has Member   --> CAPEC-273 HTTP Response Smuggling
CAPEC-361 WASC-28 - Null Byte Injection
Has Member   --> CAPEC-52 Embedding NULL Bytes
CAPEC-362 WASC-29 - LDAP Injection
Has Member   --> CAPEC-136 LDAP Injection
CAPEC-363 WASC-30 - Mail Command Injection
Has Member   --> CAPEC-134 Email Injection
CAPEC-364 WASC-31 - OS Commanding
Has Member   --> CAPEC-88 OS Command Injection
CAPEC-365 WASC-32 - Routing Detour
Has Member   --> CAPEC-219 XML Routing Detour Attacks
CAPEC-366 WASC-33 - Path Traversal
Has Member   --> CAPEC-126 Path Traversal
CAPEC-367 WASC-34 - Predictable Resource Location
Has Member   --> CAPEC-87 Forceful Browsing
CAPEC-368 WASC-35 - SOAP Array Abuse
Has Member   --> CAPEC-256 SOAP Array Overflow
CAPEC-369 WASC-36 - SSI Injection
Has Member   --> CAPEC-101 Server Side Include (SSI) Injection
CAPEC-370 WASC-37 - Session Fixation
Has Member   --> CAPEC-61 Session Fixation
CAPEC-371 WASC-38 - URL Redirector Abuse
Has Member   --> CAPEC-194 Fake the Source of Data
CAPEC-374 WASC-41 - XML Attribute Blowup
Has Member   --> CAPEC-229 Serialized Data Parameter Blowup
CAPEC-375 WASC-42 - Abuse of Functionality
Has Member   --> CAPEC-210 Abuse Existing Functionality
CAPEC-376 WASC-43 - XML External Entities
Has Member   --> CAPEC-221 Data Serialization External Entities Blowup
CAPEC-377 WASC-44 - XML Entity Expansion
Has Member   --> CAPEC-197 XML Entity Expansion
Has Member   --> CAPEC-219 XML Routing Detour Attacks
CAPEC-378 WASC-45 - Fingerprinting
Has Member   --> CAPEC-224 Fingerprinting
CAPEC-379 WASC-46 - XQuery Injection
Has Member   --> CAPEC-84 XQuery Injection
CAPEC-491 XML Quadratic Expansion
CanFollow   --> CAPEC-228 DTD Injection
CAPEC-505 Scheme Squatting
Has Child   --> CAPEC-173 Action Spoofing
CAPEC-543 Counterfeit Websites
CanFollow   --> CAPEC-98 Phishing
CanFollow   --> CAPEC-611 BitSquatting
CanFollow   --> CAPEC-630 TypoSquatting
CanFollow   --> CAPEC-631 SoundSquatting
CanFollow   --> CAPEC-632 Homograph Attack via Homoglyphs
CAPEC-561 Windows Admin Shares with Stolen Credentials
CanFollow   --> CAPEC-16 Dictionary-based Password Attack
CanFollow   --> CAPEC-49 Password Brute Forcing
CanFollow   --> CAPEC-50 Password Recovery Exploitation
CanFollow   --> CAPEC-55 Rainbow Table Password Cracking
CanFollow   --> CAPEC-70 Try Common or Default Usernames and Passwords
CanFollow   --> CAPEC-565 Password Spraying
CanFollow   --> CAPEC-568 Capture Credentials via Keylogger
CAPEC-611 BitSquatting
CanFollow   --> CAPEC-98 Phishing
CAPEC-630 TypoSquatting
CanFollow   --> CAPEC-98 Phishing
CAPEC-631 SoundSquatting
CanFollow   --> CAPEC-98 Phishing
CAPEC-632 Homograph Attack via Homoglyphs
CanFollow   --> CAPEC-98 Phishing
CAPEC-652 Use of Known Kerberos Credentials
CanFollow   --> CAPEC-157 Sniffing Attacks
Back to top
More information is available — Please select a different filter.
Page Last Updated or Reviewed: December 17, 2020
 

Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the associated references from this website are subject to the Terms of Use. Copyright © 2007–2025, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.