CAPEC™

Common Attack Pattern Enumeration and Classification helps by providing a comprehensive dictionary of known patterns of attack employed by adversaries to exploit known weaknesses in cyber-enabled capabilities. It can be used by analysts, developers, testers and educators to advance community understanding and enhance defenses. The version used in this section is CAPEC List v3.9.

Control-Requirement Mapping

Definition	Requirements
1. Accessing functionality not properly constrained by ACLs	264. Request authentication 096. Set user's required privileges
2. Inducing account lockout	226. Avoid account lockouts
3. Using leading 'ghost' character sequences to bypass input filters	173. Discard unsafe inputs
4. Using alternative IP address encodings	173. Discard unsafe inputs
6. Argument injection	173. Discard unsafe inputs 342. Validate request parameters
7. Blind SQL injection	169. Use parameterized queries 173. Discard unsafe inputs
11. Cause web server misclassification	320. Avoid client-side control enforcement 037. Parameters without sensitive data 040. Compare file format and extension
12. Choosing message identifier	181. Transmit data using secure protocols
13. Subverting environment variable values	265. Restrict access to critical processes 046. Manage the integrity of critical files
15. Command delimiters	173. Discard unsafe inputs
16. Dictionary-based password attack	332. Prevent the use of breached passwords
17. Using malicious files	186. Use the principle of least privilege 041. Scan files for malicious code
18. XSS targeting non-script elements	160. Encode system outputs 173. Discard unsafe inputs
19. Embedding scripts within scripts	160. Encode system outputs 173. Discard unsafe inputs 340. Use octet stream downloads 344. Avoid dynamic code execution 349. Include HTTP security headers 050. Control calls to interpreted code
20. Encryption brute forcing	147. Use pre-existent mechanisms 148. Set minimum size of asymmetric encryption 149. Set minimum size of symmetric encryption 150. Set minimum size for hash functions 223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms 370. Use OAEP padding with RSA 371. Use GCM Padding with AES
21. Exploitation of trusted identifiers	174. Transactions without a distinguishable pattern 178. Use digital signatures
22. Exploiting trust in client	173. Discard unsafe inputs 178. Use digital signatures 320. Avoid client-side control enforcement
23. File content injection	186. Use the principle of least privilege 041. Scan files for malicious code 046. Manage the integrity of critical files
24. Filter failure through buffer overflow	173. Discard unsafe inputs 345. Establish protections against overflows
25. Forced deadlock	337. Make critical logic flows thread safe
26. Leveraging race conditions	337. Make critical logic flows thread safe
27. Leveraging race conditions via symbolic links	186. Use the principle of least privilege 337. Make critical logic flows thread safe
28. Fuzzing	320. Avoid client-side control enforcement
29. Leveraging time-of-check and time-of-use (TOCTOU) race conditions	337. Make critical logic flows thread safe
30. Hijacking a privileged thread of execution	337. Make critical logic flows thread safe
31. Accessing/Intercepting/Modifying HTTP cookies	174. Transactions without a distinguishable pattern 181. Transmit data using secure protocols 342. Validate request parameters 349. Include HTTP security headers 029. Cookies with security attributes
32. XSS through HTTP query strings	160. Encode system outputs 173. Discard unsafe inputs 342. Validate request parameters 349. Include HTTP security headers
33. HTTP request smuggling	348. Use consistent encoding
34. HTTP response splitting	173. Discard unsafe inputs 320. Avoid client-side control enforcement
35. Leverage executable code in non-executable files	186. Use the principle of least privilege 046. Manage the integrity of critical files
36. Using unpublished interfaces	264. Request authentication
38. Leveraging/Manipulating configuration file search paths	046. Manage the integrity of critical files
39. Manipulating opaque client-based data tokens	320. Avoid client-side control enforcement 026. Encrypt client-side session information
41. Using meta-characters in e-mail headers to inject malicious payloads	115. Filter malicious emails 173. Discard unsafe inputs
42. MIME conversion	262. Verify third-party components
43. Exploiting multiple input interpretation layers	348. Use consistent encoding
48. Passing local filenames to functions that expect a URL	160. Encode system outputs 173. Discard unsafe inputs
49. Password brute forcing	130. Limit password lifespan 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 237. Ascertain human interaction 327. Set a rate limit
60. Reusing session IDs (aka session replay)	030. Avoid object reutilization
70. Try common usernames and passwords	142. Change system default credentials
74. Manipulating state	329. Keep client-side storage without sensitive data 026. Encrypt client-side session information
94. Adversary in the middle (AiTM)	181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions 373. Use certificate pinning 092. Use externally signed certificates
113. Interface manipulation	154. Eliminate backdoors 078. Disable debugging events
114. Authentication abuse	232. Require equipment identity 319. Make authentication options equally secure
115. Authentication bypass	154. Eliminate backdoors 222. Deny access to the host essential 228. Authenticate using standard protocols 264. Request authentication 319. Make authentication options equally secure
116. Excavation	261. Avoid exposing sensitive information 325. Protect WSDL files 339. Avoid storing sensitive files in the web root 365. Avoid exposing technical information 077. Avoid disclosing technical information 078. Disable debugging events
117. Interception	181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions 338. Implement perfect forward secrecy
122. Privilege abuse	186. Use the principle of least privilege 265. Restrict access to critical processes 280. Restrict service root directory 341. Use the principle of deny by default 095. Define users with privileges 096. Set user's required privileges
123. Buffer manipulation	157. Use the strict mode 158. Use a secure programming language 345. Establish protections against overflows 350. Enable memory protection mechanisms
124. Shared resource manipulation	337. Make critical logic flows thread safe 374. Use of isolation methods in running applications
125. Flooding	327. Set a rate limit 062. Define standard configurations 072. Set maximum response time
129. Pointer manipulation	157. Use the strict mode 158. Use a secure programming language
130. Excessive allocation	157. Use the strict mode 160. Encode system outputs 173. Discard unsafe inputs 321. Avoid deserializing untrusted data 327. Set a rate limit 062. Define standard configurations 072. Set maximum response time
131. Resource leak exposure	158. Use a secure programming language
137. Parameter injection	173. Discard unsafe inputs 342. Validate request parameters
148. Content spoofing	178. Use digital signatures 181. Transmit data using secure protocols 330. Verify Subresource Integrity
151. Identity spoofing	224. Use secure cryptographic mechanisms 319. Make authentication options equally secure 062. Define standard configurations
153. Input data manipulation	160. Encode system outputs 173. Discard unsafe inputs 186. Use the principle of least privilege 320. Avoid client-side control enforcement 321. Avoid deserializing untrusted data 342. Validate request parameters 345. Establish protections against overflows 348. Use consistent encoding 037. Parameters without sensitive data
154. Resource location spoofing	330. Verify Subresource Integrity 046. Manage the integrity of critical files 050. Control calls to interpreted code
155. Screen temporary files for sensitive information	036. Do not deploy temporary files
161. Infrastructure manipulation	266. Disable insecure functionalities 324. Control redirects 349. Include HTTP security headers 062. Define standard configurations 080. Prevent log modification
165. File manipulation	330. Verify Subresource Integrity 340. Use octet stream downloads 037. Parameters without sensitive data 040. Compare file format and extension 041. Scan files for malicious code 042. Validate file format
169. Footprinting	273. Define a fixed security suite
173. Action spoofing	349. Include HTTP security headers
175. Code inclusion	173. Discard unsafe inputs 037. Parameters without sensitive data 050. Control calls to interpreted code
176. Configuration/Environment manipulation	186. Use the principle of least privilege 046. Manage the integrity of critical files
188. Reverse engineering	159. Obfuscate code
212. Functionality misuse	226. Avoid account lockouts 266. Disable insecure functionalities 336. Disable insecure TLS versions
216. Communication channel manipulation	181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions
224. Fingerprinting	325. Protect WSDL files 365. Avoid exposing technical information 077. Avoid disclosing technical information
227. Sustained client engagement	023. Terminate inactive user sessions 025. Manage concurrent sessions
233. Privilege escalation	186. Use the principle of least privilege 337. Make critical logic flows thread safe 341. Use the principle of deny by default 035. Manage privilege modifications 095. Define users with privileges
240. Resource injection	160. Encode system outputs 173. Discard unsafe inputs 262. Verify third-party components
242. Code injection	117. Do not interpret HTML code 160. Encode system outputs 173. Discard unsafe inputs 262. Verify third-party components 344. Avoid dynamic code execution 043. Define an explicit content type 044. Define an explicit charset 050. Control calls to interpreted code
248. Command injection	160. Encode system outputs 169. Use parameterized queries 173. Discard unsafe inputs 321. Avoid deserializing untrusted data 344. Avoid dynamic code execution
272. Protocol manipulation	224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions
438. Modification during manufacture	154. Eliminate backdoors 155. Application free of malicious code
442. Infected software	273. Define a fixed security suite
475. Signature spoofing by improper validation	093. Use consistent certificates
549. Local execution of code	273. Define a fixed security suite 041. Scan files for malicious code
554. Functionality bypass	154. Eliminate backdoors
560. Use of known domain credentials	132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 142. Change system default credentials 332. Prevent the use of breached passwords
586. Object injection	321. Avoid deserializing untrusted data
594. Traffic injection	181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions
613. WiFi SSID tracking	247. Hide SSID on private networks 248. SSID without dictionary words 254. Change SSID name
619. Signal strength tracking	249. Locate access points
654. Credential Prompt Impersonation	122. Validate credential ownership
676. NoSQL Injection	173. Discard unsafe inputs 273. Define a fixed security suite
677. Server Motherboard Compromise	266. Disable insecure functionalities
678. System Build Data Maliciously Altered	266. Disable insecure functionalities
679. Exploitation of Improperly Configured or Implemented Memory Protections	350. Enable memory protection mechanisms
680. Exploitation of Improperly Controlled Registers	176. Restrict system objects
681. Exploitation of Improperly Controlled Hardware Security Identifiers	352. Enable trusted execution
682. Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities	262. Verify third-party components
690. Metadata Spoofing	173. Discard unsafe inputs 176. Restrict system objects 265. Restrict access to critical processes 320. Avoid client-side control enforcement 035. Manage privilege modifications 096. Set user's required privileges
691. Spoof Open-Source Software Metadata	173. Discard unsafe inputs 176. Restrict system objects 262. Verify third-party components
692. Spoof Version Control System Commit Metadata	173. Discard unsafe inputs 176. Restrict system objects 262. Verify third-party components
693. StarJacking	262. Verify third-party components
694. System Location Discovery	185. Encrypt sensitive information 300. Mask sensitive data
695. Repo Jacking	262. Verify third-party components
697. DHCP Spoofing	273. Define a fixed security suite 062. Define standard configurations
698. Install Malicious Extension	262. Verify third-party components
700. Network Boundary Bridging	253. Restrict network access 255. Allow access only to the necessary ports 259. Segment the organization network
701. Browser in the Middle (BiTM)	262. Verify third-party components 266. Disable insecure functionalities

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.