CAPEC Attack Patterns

Common Attack Pattern Enumeration and Classification
100 Attack Patterns
3 Abstraction Levels
4 Likelihood Levels
5 Severity Levels

| CAPEC ID | Attack Pattern Name | Abstraction | Likelihood | Severity | Description |
|---|---|---|---|---|---|
| 1 | Accessing Functionality Not Properly Constrained by ACLs | standard | high | high | In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Contro… |
| 10 | Buffer Overflow via Environment Variables | detailed | high | high | This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify a… |
| 100 | Overflow Buffers | standard | high | very high | Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a … |
| 101 | Server Side Include (SSI) Injection | detailed | high | high | An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables… |
| 102 | Session Sidejacking | detailed | high | high | Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a netw… |
| 103 | Clickjacking | standard | medium | high | An adversary tricks a victim into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely differen… |
| 104 | Cross Zone Scripting | standard | medium | high | An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privil… |
| 105 | HTTP Request Splitting | detailed | medium | high | An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermedi… |
| 106 | DEPRECATED: XSS through Log Files | detailed | Unknown | - | This attack pattern has been deprecated as it refers to an existing chain relationship between 'CAPEC-93 : Log Injection-Tampering-Forging' and '… |
| 107 | Cross Site Tracing | detailed | medium | very high | Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the h… |
| 108 | Command Line Execution through SQL Injection | detailed | low | very high | An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of dir… |
| 109 | Object Relational Mapping Injection | detailed | low | high | An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in th… |
| 11 | Cause Web Server Misclassification | detailed | medium | high | An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled … |
| 110 | SQL Injection through SOAP Parameter Tampering | detailed | high | very high | An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection at… |
| 111 | JSON Hijacking (aka JavaScript Hijacking) | standard | high | high | An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.… |
| 112 | Brute Force | meta | Unknown | high | In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access t… |
| 113 | Interface Manipulation | meta | medium | medium | An adversary manipulates the use or processing of an interface (e.g. Application Programming Interface (API) or System-on-Chip (SoC)) resulting in an… |
| 114 | Authentication Abuse | meta | Unknown | medium | An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication… |
| 115 | Authentication Bypass | meta | Unknown | medium | An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an au… |
| 116 | Excavation | meta | high | medium | An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes. |
| 117 | Interception | meta | low | medium | An adversary monitors data streams to or from the target for information gathering purposes. This attack may be undertaken to solely gather sensitive… |
| 12 | Choosing Message Identifier | standard | high | high | This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another… |
| 120 | Double Encoding | detailed | low | medium | The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) … |
| 121 | Exploit Non-Production Interfaces | standard | low | high | An adversary exploits a sample, demonstration, test, or debug interface that is unintentionally enabled on a production system, with the… |
| 122 | Privilege Abuse | meta | high | medium | An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower… |
| 123 | Buffer Manipulation | meta | high | very high | An adversary manipulates an application's interaction with a buffer in an attempt to read or modify data they shouldn't have access to. Buffer attack… |
| 124 | Shared Resource Manipulation | meta | Unknown | medium | An adversary exploits a resource shared between multiple applications, an application pool or hardware pin multiplexing to affect behavior. Resources… |
| 125 | Flooding | meta | high | medium | An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally … |
| 126 | Path Traversal | standard | high | very high | An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should not be retri… |
| 127 | Directory Indexing | detailed | high | medium | An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of trig… |
| 128 | Integer Attacks | standard | Unknown | medium | An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. … |
| 129 | Pointer Manipulation | meta | Unknown | medium | This attack pattern involves an adversary manipulating a pointer within a target application resulting in the application accessing an unintended mem… |
| 13 | Subverting Environment Variable Values | detailed | high | very high | The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the … |
| 130 | Excessive Allocation | meta | medium | medium | An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legi… |
| 131 | Resource Leak Exposure | meta | medium | medium | An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests. |
| 132 | Symlink Attack | detailed | low | high | An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is acces… |
| 133 | Try All Common Switches | standard | Unknown | medium | An attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target. For… |
| 134 | Email Injection | standard | Unknown | medium | An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol. |
| 135 | Format String Injection | standard | high | high | An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide stati… |
| 136 | LDAP Injection | standard | high | high | An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create… |
| 137 | Parameter Injection | meta | medium | medium | An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use te… |
| 138 | Reflection Injection | standard | Unknown | very high | An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, … |
| 139 | Relative Path Traversal | detailed | high | high | An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for th… |
| 14 | Client-side Injection-induced Buffer Overflow | detailed | medium | high | This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built h… |
| 140 | Bypassing of Intermediate Forms in Multiple-Form Sets | standard | Unknown | medium | Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amoun… |
| 141 | Cache Poisoning | standard | high | high | An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes … |
| 142 | DNS Cache Poisoning | detailed | high | high | A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An … |
| 143 | Detect Unpublicized Web Pages | detailed | Unknown | low | An adversary searches a targeted web site for web pages that have not been publicized. In doing this, the adversary may be able to gain access to inf… |
| 144 | Detect Unpublicized Web Services | detailed | Unknown | low | An adversary searches a targeted web site for web services that have not been publicized. This attack can be especially dangerous since unpublished b… |
| 145 | Checksum Spoofing | detailed | Unknown | medium | An adversary spoofs a checksum message for the purpose of making a payload appear to have a valid corresponding checksum. Checksums are used to verif… |
| 146 | XML Schema Poisoning | detailed | low | high | An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the securit… |
| 147 | XML Ping of the Death | detailed | low | medium | An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a de… |
| 148 | Content Spoofing | meta | medium | medium | An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source o… |
| 149 | Explore for Predictable Temporary File Names | detailed | Unknown | medium | An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against… |
| 15 | Command Delimiters | standard | high | high | An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with the … |
| 150 | Collect Data from Common Resource Locations | standard | Unknown | medium | An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, fi… |
| 151 | Identity Spoofing | meta | medium | medium | Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that ident… |
| 153 | Input Data Manipulation | meta | Unknown | medium | An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface. B… |
| 154 | Resource Location Spoofing | meta | medium | medium | An adversary deceives an application or user and convinces them to request a resource from an unintended location. By spoofing the location, the adve… |
| 155 | Screen Temporary Files for Sensitive Information | detailed | medium | medium | An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application… |
| 157 | Sniffing Attacks | standard | Unknown | medium | In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/… |
| 158 | Sniffing Network Traffic | detailed | Unknown | medium | In this attack pattern, the adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive info… |
| 159 | Redirect Access to Libraries | standard | high | very high | An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversary … |
| 16 | Dictionary-based Password Attack | detailed | medium | high | An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password … |
| 160 | Exploit Script-Based APIs | standard | Unknown | medium | Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very f… |
| 161 | Infrastructure Manipulation | meta | Unknown | high | An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network obj… |
| 162 | Manipulating Hidden Fields | detailed | Unknown | high | An adversary exploits a weakness in the server's trust of client-side processing by modifying data on the client-side, such as price information, and… |
| 163 | Spear Phishing | detailed | high | high | An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance an… |
| 164 | Mobile Phishing | detailed | high | high | An adversary targets mobile phone users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user… |
| 165 | File Manipulation | meta | Unknown | medium | An attacker modifies file contents or attributes (such as extensions or names) of files in a manner to cause incorrect processing by an application. … |
| 166 | Force the System to Reset Values | standard | Unknown | medium | An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or s… |
| 167 | White Box Reverse Engineering | standard | Unknown | medium | An attacker discovers the structure, function, and composition of a type of computer software through white box analysis techniques. White box techni… |
| 168 | Windows ::DATA Alternate Data Stream | detailed | Unknown | medium | An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple 'files' to … |
| 169 | Footprinting | meta | high | very low | An adversary engages in probing and exploration activities to identify constituents and properties of the target. |
| 17 | Using Malicious Files | standard | high | very high | An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through s… |
| 170 | Web Application Fingerprinting | detailed | high | low | An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifyin… |
| 171 | DEPRECATED: Variable Manipulation | meta | Unknown | - | This attack pattern has been deprecated as it is a duplicate of the existing attack pattern 'CAPEC-77 : Manipulating User-Controlled Variables'. Pl… |
| 173 | Action Spoofing | meta | high | very high | An adversary is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate a … |
| 174 | Flash Parameter Injection | detailed | high | medium | An adversary takes advantage of improper data validation to inject malicious global parameters into a Flash file embedded within an HTML document. Fl… |
| 175 | Code Inclusion | meta | medium | very high | An adversary exploits a weakness on the target to force arbitrary code to be retrieved locally or from a remote location and executed. This differs f… |
| 176 | Configuration/Environment Manipulation | meta | Unknown | medium | An attacker manipulates files or settings external to a target application which affect the behavior of that application. For example, many applicati… |
| 177 | Create files with the same name as files protected with a higher classification | detailed | Unknown | very high | An attacker exploits file location algorithms in an operating system or application by creating a file with the same name as a protected or privilege… |
| 178 | Cross-Site Flashing | detailed | medium | medium | An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the … |
| 179 | Calling Micro-Services Directly | standard | Unknown | medium | An attacker is able to discover and query Micro-services at a web location and thereby expose the Micro-services to further exploitation by gathering… |
| 18 | XSS Targeting Non-Script Elements | detailed | high | very high | This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as im… |
| 180 | Exploiting Incorrectly Configured Access Control Security Levels | standard | high | medium | An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard again… |
| 181 | Flash File Overlay | detailed | Unknown | medium | An attacker creates a transparent overlay using flash in order to intercept user actions for the purpose of performing a clickjacking attack. In this… |
| 182 | Flash Injection | standard | high | medium | An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of … |
| 183 | IMAP/SMTP Command Injection | standard | Unknown | medium | An adversary exploits weaknesses in input validation on web-mail servers to execute commands on the IMAP/SMTP server. Web-mail servers often sit betw… |
| 184 | Software Integrity Attack | meta | Unknown | low | An attacker initiates a series of events designed to cause a user, program, server, or device to perform actions which undermine the integrity of sof… |
| 185 | Malicious Software Download | standard | Unknown | very high | An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code that originates from an attacker co… |
| 186 | Malicious Software Update | standard | Unknown | high | An adversary uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that… |
| 187 | Malicious Automated Software Update via Redirection | detailed | high | high | An attacker exploits two layers of weaknesses in server or client software for automated update mechanisms to undermine the integrity of the target c… |
| 188 | Reverse Engineering | meta | low | low | An adversary discovers the structure, function, and composition of an object, resource, or system by using a variety of analysis techniques to effect… |
| 189 | Black Box Reverse Engineering | standard | Unknown | low | An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' met… |
| 19 | Embedding Scripts within Scripts | standard | high | high | An adversary leverages the capability to execute their own script by embedding it within other scripts that the target software is likely to execute … |
| 190 | Reverse Engineer an Executable to Expose Assumed Hidden Functionality | detailed | Unknown | low | An attacker analyzes a binary file or executable for the purpose of discovering the structure, function, and possibly source-code of the file by usin… |
| 191 | Read Sensitive Constants Within an Executable | detailed | Unknown | low | An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constant… |
| 192 | Protocol Analysis | meta | low | low | An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transm… |
| 193 | PHP Remote File Inclusion | detailed | high | high | In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished throug… |