CAPEC™

Summary

Common Attack Pattern Enumeration and Classification helps by providing a comprehensive dictionary of known patterns of attack employed by adversaries to exploit known weaknesses in cyber-enabled capabilities. It can be used by analysts, developers, testers and educators to advance community understanding and enhance defenses. The version used in this section is CAPEC List v3.9.

Definitions

Definition	Requirements
CAPEC-1. Accessing functionality not properly constrained by ACLs	264. Request authentication 096. Set user's required privileges
CAPEC-2. Inducing account lockout	226. Avoid account lockouts
CAPEC-3. Using leading 'ghost' character sequences to bypass input filters	173. Discard unsafe inputs
CAPEC-4. Using alternative IP address encodings	173. Discard unsafe inputs
CAPEC-6. Argument injection	173. Discard unsafe inputs 342. Validate request parameters
CAPEC-7. Blind SQL injection	169. Use parameterized queries 173. Discard unsafe inputs
CAPEC-11. Cause web server misclassification	320. Avoid client-side control enforcement 037. Parameters without sensitive data 040. Compare file format and extension
CAPEC-12. Choosing message identifier	181. Transmit data using secure protocols
CAPEC-13. Subverting environment variable values	265. Restrict access to critical processes 046. Manage the integrity of critical files
CAPEC-15. Command delimiters	173. Discard unsafe inputs
CAPEC-16. Dictionary-based password attack	332. Prevent the use of breached passwords
CAPEC-17. Using malicious files	186. Use the principle of least privilege 041. Scan files for malicious code
CAPEC-18. XSS targeting non-script elements	160. Encode system outputs 173. Discard unsafe inputs
CAPEC-19. Embedding scripts within scripts	160. Encode system outputs 173. Discard unsafe inputs 340. Use octet stream downloads 344. Avoid dynamic code execution 349. Include HTTP security headers 050. Control calls to interpreted code
CAPEC-20. Encryption brute forcing	147. Use pre-existent mechanisms 148. Set minimum size of asymmetric encryption 149. Set minimum size of symmetric encryption 150. Set minimum size for hash functions 223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms 370. Use OAEP padding with RSA 371. Use GCM Padding with AES
CAPEC-21. Exploitation of trusted identifiers	174. Transactions without a distinguishable pattern 178. Use digital signatures
CAPEC-22. Exploiting trust in client	173. Discard unsafe inputs 178. Use digital signatures 320. Avoid client-side control enforcement
CAPEC-23. File content injection	186. Use the principle of least privilege 041. Scan files for malicious code 046. Manage the integrity of critical files
CAPEC-24. Filter failure through buffer overflow	173. Discard unsafe inputs 345. Establish protections against overflows
CAPEC-25. Forced deadlock	337. Make critical logic flows thread safe
CAPEC-26. Leveraging race conditions	337. Make critical logic flows thread safe
CAPEC-27. Leveraging race conditions via symbolic links	186. Use the principle of least privilege 337. Make critical logic flows thread safe
CAPEC-28. Fuzzing	320. Avoid client-side control enforcement
CAPEC-29. Leveraging time-of-check and time-of-use (TOCTOU) race conditions	337. Make critical logic flows thread safe
CAPEC-30. Hijacking a privileged thread of execution	337. Make critical logic flows thread safe
CAPEC-31. Accessing/Intercepting/Modifying HTTP cookies	174. Transactions without a distinguishable pattern 181. Transmit data using secure protocols 342. Validate request parameters 349. Include HTTP security headers 029. Cookies with security attributes
CAPEC-32. XSS through HTTP query strings	160. Encode system outputs 173. Discard unsafe inputs 342. Validate request parameters 349. Include HTTP security headers
CAPEC-33. HTTP request smuggling	348. Use consistent encoding
CAPEC-34. HTTP response splitting	173. Discard unsafe inputs 320. Avoid client-side control enforcement
CAPEC-35. Leverage executable code in non-executable files	186. Use the principle of least privilege 046. Manage the integrity of critical files
CAPEC-36. Using unpublished interfaces	264. Request authentication
CAPEC-38. Leveraging/Manipulating configuration file search paths	046. Manage the integrity of critical files
CAPEC-39. Manipulating opaque client-based data tokens	320. Avoid client-side control enforcement 026. Encrypt client-side session information
CAPEC-41. Using meta-characters in e-mail headers to inject malicious payloads	115. Filter malicious emails 173. Discard unsafe inputs
CAPEC-42. MIME conversion	262. Verify third-party components
CAPEC-43. Exploiting multiple input interpretation layers	348. Use consistent encoding
CAPEC-48. Passing local filenames to functions that expect a URL	160. Encode system outputs 173. Discard unsafe inputs
CAPEC-49. Password brute forcing	130. Limit password lifespan 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 237. Ascertain human interaction 327. Set a rate limit
CAPEC-60. Reusing session IDs (aka session replay)	030. Avoid object reutilization
CAPEC-70. Try common usernames and passwords	142. Change system default credentials
CAPEC-74. Manipulating state	329. Keep client-side storage without sensitive data 026. Encrypt client-side session information
CAPEC-94. Adversary in the middle (AiTM)	181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions 373. Use certificate pinning 092. Use externally signed certificates
CAPEC-113. Interface manipulation	154. Eliminate backdoors 078. Disable debugging events
CAPEC-114. Authentication abuse	232. Require equipment identity 319. Make authentication options equally secure
CAPEC-115. Authentication bypass	154. Eliminate backdoors 222. Deny access to the host essential 228. Authenticate using standard protocols 264. Request authentication 319. Make authentication options equally secure
CAPEC-116. Excavation	261. Avoid exposing sensitive information 325. Protect WSDL files 339. Avoid storing sensitive files in the web root 365. Avoid exposing technical information 077. Avoid disclosing technical information 078. Disable debugging events
CAPEC-117. Interception	181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions 338. Implement perfect forward secrecy
CAPEC-122. Privilege abuse	186. Use the principle of least privilege 265. Restrict access to critical processes 280. Restrict service root directory 341. Use the principle of deny by default 095. Define users with privileges 096. Set user's required privileges
CAPEC-123. Buffer manipulation	157. Use the strict mode 158. Use a secure programming language 345. Establish protections against overflows 350. Enable memory protection mechanisms
CAPEC-124. Shared resource manipulation	337. Make critical logic flows thread safe 374. Use of isolation methods in running applications
CAPEC-125. Flooding	327. Set a rate limit 062. Define standard configurations 072. Set maximum response time
CAPEC-129. Pointer manipulation	157. Use the strict mode 158. Use a secure programming language
CAPEC-130. Excessive allocation	157. Use the strict mode 160. Encode system outputs 173. Discard unsafe inputs 321. Avoid deserializing untrusted data 327. Set a rate limit 062. Define standard configurations 072. Set maximum response time
CAPEC-131. Resource leak exposure	158. Use a secure programming language
CAPEC-137. Parameter injection	173. Discard unsafe inputs 342. Validate request parameters
CAPEC-148. Content spoofing	178. Use digital signatures 181. Transmit data using secure protocols 330. Verify Subresource Integrity
CAPEC-151. Identity spoofing	224. Use secure cryptographic mechanisms 319. Make authentication options equally secure 062. Define standard configurations
CAPEC-153. Input data manipulation	160. Encode system outputs 173. Discard unsafe inputs 186. Use the principle of least privilege 320. Avoid client-side control enforcement 321. Avoid deserializing untrusted data 342. Validate request parameters 345. Establish protections against overflows 348. Use consistent encoding 037. Parameters without sensitive data
CAPEC-154. Resource location spoofing	330. Verify Subresource Integrity 046. Manage the integrity of critical files 050. Control calls to interpreted code
CAPEC-155. Screen temporary files for sensitive information	036. Do not deploy temporary files
CAPEC-161. Infrastructure manipulation	266. Disable insecure functionalities 324. Control redirects 349. Include HTTP security headers 062. Define standard configurations 080. Prevent log modification
CAPEC-165. File manipulation	330. Verify Subresource Integrity 340. Use octet stream downloads 037. Parameters without sensitive data 040. Compare file format and extension 041. Scan files for malicious code 042. Validate file format
CAPEC-169. Footprinting	273. Define a fixed security suite
CAPEC-173. Action spoofing	349. Include HTTP security headers
CAPEC-175. Code inclusion	173. Discard unsafe inputs 037. Parameters without sensitive data 050. Control calls to interpreted code
CAPEC-176. Configuration/Environment manipulation	186. Use the principle of least privilege 046. Manage the integrity of critical files
CAPEC-188. Reverse engineering	159. Obfuscate code
CAPEC-212. Functionality misuse	226. Avoid account lockouts 266. Disable insecure functionalities 336. Disable insecure TLS versions
CAPEC-216. Communication channel manipulation	181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions
CAPEC-224. Fingerprinting	325. Protect WSDL files 365. Avoid exposing technical information 077. Avoid disclosing technical information
CAPEC-227. Sustained client engagement	023. Terminate inactive user sessions 025. Manage concurrent sessions
CAPEC-233. Privilege escalation	186. Use the principle of least privilege 337. Make critical logic flows thread safe 341. Use the principle of deny by default 035. Manage privilege modifications 095. Define users with privileges
CAPEC-240. Resource injection	160. Encode system outputs 173. Discard unsafe inputs 262. Verify third-party components
CAPEC-242. Code injection	117. Do not interpret HTML code 160. Encode system outputs 173. Discard unsafe inputs 262. Verify third-party components 344. Avoid dynamic code execution 043. Define an explicit content type 044. Define an explicit charset 050. Control calls to interpreted code
CAPEC-248. Command injection	160. Encode system outputs 169. Use parameterized queries 173. Discard unsafe inputs 321. Avoid deserializing untrusted data 344. Avoid dynamic code execution
CAPEC-272. Protocol manipulation	224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions
CAPEC-438. Modification during manufacture	154. Eliminate backdoors 155. Application free of malicious code
CAPEC-442. Infected software	273. Define a fixed security suite
CAPEC-475. Signature spoofing by improper validation	093. Use consistent certificates
CAPEC-549. Local execution of code	273. Define a fixed security suite 041. Scan files for malicious code
CAPEC-554. Functionality bypass	154. Eliminate backdoors
CAPEC-560. Use of known domain credentials	132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 142. Change system default credentials 332. Prevent the use of breached passwords
CAPEC-586. Object injection	321. Avoid deserializing untrusted data
CAPEC-594. Traffic injection	181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions
CAPEC-613. WiFi SSID tracking	247. Hide SSID on private networks 248. SSID without dictionary words 254. Change SSID name
CAPEC-619. Signal strength tracking	249. Locate access points
CAPEC-654. Credential Prompt Impersonation	122. Validate credential ownership
CAPEC-676. NoSQL Injection	173. Discard unsafe inputs 273. Define a fixed security suite
CAPEC-677. Server Motherboard Compromise	266. Disable insecure functionalities
CAPEC-678. System Build Data Maliciously Altered	266. Disable insecure functionalities
CAPEC-679. Exploitation of Improperly Configured or Implemented Memory Protections	350. Enable memory protection mechanisms
CAPEC-680. Exploitation of Improperly Controlled Registers	176. Restrict system objects
CAPEC-681. Exploitation of Improperly Controlled Hardware Security Identifiers	352. Enable trusted execution
CAPEC-682. Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities	262. Verify third-party components
CAPEC-690. Metadata Spoofing	173. Discard unsafe inputs 176. Restrict system objects 265. Restrict access to critical processes 320. Avoid client-side control enforcement 035. Manage privilege modifications 096. Set user's required privileges
CAPEC-691. Spoof Open-Source Software Metadata	173. Discard unsafe inputs 176. Restrict system objects 262. Verify third-party components
CAPEC-692. Spoof Version Control System Commit Metadata	173. Discard unsafe inputs 176. Restrict system objects 262. Verify third-party components
CAPEC-693. StarJacking	262. Verify third-party components
CAPEC-694. System Location Discovery	185. Encrypt sensitive information 300. Mask sensitive data
CAPEC-695. Repo Jacking	262. Verify third-party components
CAPEC-697. DHCP Spoofing	273. Define a fixed security suite 062. Define standard configurations
CAPEC-698. Install Malicious Extension	262. Verify third-party components
CAPEC-700. Network Boundary Bridging	253. Restrict network access 255. Allow access only to the necessary ports 259. Segment the organization network
CAPEC-701. Browser in the Middle (BiTM)	262. Verify third-party components 266. Disable insecure functionalities

Last updated

2025/06/13