Dark Mode
Capec
This is a reproduciton of the CAPEC database, containing 615 entries, divided in Meta Attack Patterns: 77, Standard Attack Patterns: 197, Detailed Attack Patterns: 341.
Attack Patterns Table
Please select a valid tag.
| Capec ID | Name | Abstraction | Description | Extended Description | Created | External References | Modified | Spec Version | Alternate Terms | Consequences | Domains | Example Instances | Execution Flow | Likelihood Of Attack | Peer Of Refs | Prerequisites | Resources Required | Skills Required | Status | Typical Severity | Version | Capec Children ID | Capec Parents ID | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Exploitation of Trusted Identifiers | Meta | An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service. | Attacks leveraging trusted identifiers typically result in the adversary laterally moving within the local network, since users are often allowed to authenticate to systems/applications within the network using the same identifier. This allows the adversary to obtain sensitive data, download/install malware on the system, pose as a legitimate user for social engineering purposes, and more. Attacks on trusted identifiers take advantage of the fact that some software accepts user input without verifying its authenticity. Many server side processes are vulnerable to these attacks because the server to server communications have not been analyzed from a security perspective or the processes "trust" other systems because they are behind a firewall. Similarly, servers that use easy to guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Identifiers may be guessed or obtained due to insufficient randomness, poor protection (passed/stored in the clear), lack of integrity (unsigned), or improper correlation with access control policy enforcement points. Exposed configuration and properties files that contain sensitive data may additionally provide an adversary with the information needed to obtain these identifiers. An adversary may also "ride" an identifier via a malicious link, as is the case in Cross Site Request Forgery (CSRF) attacks. Regardless of the attack vector, successful spoofing and impersonation of trusted credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application. | 2014-06-23 02:00:00 |
Capec: CAPEC-21
Cwe: CWE-290 Cwe: CWE-302 Cwe: CWE-346 Cwe: CWE-539 Cwe: CWE-6 Cwe: CWE-384 Cwe: CWE-664 Cwe: CWE-602 Cwe: CWE-642 Attack: T1134 Attack: T1528 Attack: T1539 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: To achieve a direct connection with the weak or non-existent server session access control, and pose as an authorized user | Stable | High | 3.9 | |||||||||||||||||||||||||||
| Exploiting Trust in Client | Meta | An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack. | 2014-06-23 02:00:00 |
Capec: CAPEC-22
Cwe: CWE-290 Cwe: CWE-287 Cwe: CWE-20 Cwe: CWE-200 Cwe: CWE-693 Reference_from_capec: REF-1 |
2019-09-30 02:00:00 | 2.1 |
Integrity:
|
Communications Software |
|
None | High |
|
|
Medium: The attacker must have fairly detailed knowledge of the syntax and semantics of client/server communications protocols and grammars | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Forced Deadlock | Meta | The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock conditions can be difficult to detect. | 2014-06-23 02:00:00 |
Capec: CAPEC-25
Cwe: CWE-412 Cwe: CWE-567 Cwe: CWE-662 Cwe: CWE-667 Cwe: CWE-833 Cwe: CWE-1322 Attack: T1499.004 Reference_from_capec: REF-1 Reference_from_capec: REF-101 Reference_from_capec: REF-609 |
2022-09-29 02:00:00 | 2.1 |
Availability:
|
Software |
|
Explore
|
Low |
|
Medium: This type of attack may be sophisticated and require knowledge about the system's resources and APIs. | Stable | High | 3.9 | |||||||||||||||||||||||||||||
| Leveraging Race Conditions | Meta | The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file. | 2014-06-23 02:00:00 |
Capec: CAPEC-26
Cwe: CWE-368 Cwe: CWE-363 Cwe: CWE-366 Cwe: CWE-370 Cwe: CWE-362 Cwe: CWE-662 Cwe: CWE-689 Cwe: CWE-667 Cwe: CWE-665 Cwe: CWE-1223 Cwe: CWE-1254 Cwe: CWE-1298 Reference_from_capec: REF-1 Reference_from_capec: REF-105 Reference_from_capec: REF-106 Reference_from_capec: REF-107 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software Hardware |
|
Explore
Experiment
Exploit
|
High |
|
Medium: Being able to "run the race" requires basic knowledge of concurrent processing including synchonization techniques. | Stable | High | 3.9 | |||||||||||||||||||||||||||||
| Fuzzing | Meta | In this attack pattern, the adversary leverages fuzzing to try to identify weaknesses in the system. Fuzzing is a software security and functionality testing method that feeds randomly constructed input to the system and looks for an indication that a failure in response to that input has occurred. Fuzzing treats the system as a black box and is totally free from any preconceptions or assumptions about the system. Fuzzing can help an attacker discover certain assumptions made about user input in the system. Fuzzing gives an attacker a quick way of potentially uncovering some of these assumptions despite not necessarily knowing anything about the internals of the system. These assumptions can then be turned against the system by specially crafting user input that may allow an attacker to achieve their goals. | 2014-06-23 02:00:00 |
Capec: CAPEC-28
Cwe: CWE-74 Cwe: CWE-20 |
2021-06-24 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: There is a wide variety of fuzzing tools available. | Draft | Medium | 3.9 | |||||||||||||||||||||||||||||
| Manipulating State | Meta | The adversary modifies state information maintained by the target software or causes a state transition in hardware. If successful, the target will use this tainted state and execute in an unintended manner. State management is an important function within a software application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an adversary to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits. If there is a hardware logic error in a finite state machine, the adversary can use this to put the system in an undefined state which could cause a denial of service or exposure of secure data. | 2014-06-23 02:00:00 |
Capec: CAPEC-74
Cwe: CWE-372 Cwe: CWE-315 Cwe: CWE-353 Cwe: CWE-693 Cwe: CWE-1245 Cwe: CWE-1253 Cwe: CWE-1265 Cwe: CWE-1271 |
2021-06-24 02:00:00 | 2.1 |
Integrity:
|
Software Hardware |
|
Explore
Experiment
Exploit
|
Medium |
|
|
Medium: The adversary needs to have knowledge of state management as employed by the target application, and also the ability to manipulate the state in a meaningful way. | Stable | High | 3.9 | ||||||||||||||||||||||||||||
| Adversary in the Middle (AiTM) | Meta | An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components. | Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first flows through the adversary, who has the opportunity to observe or alter it, before being passed on to the intended recipient as if it was never observed. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for these attacks yields an implicit lack of trust in communication or identify between two components. These attacks differ from Sniffing Attacks (CAPEC-157) since these attacks often modify the communications prior to delivering it to the intended recipient. | 2014-06-23 02:00:00 |
Capec: CAPEC-94
Cwe: CWE-300 Cwe: CWE-290 Cwe: CWE-593 Cwe: CWE-287 Cwe: CWE-294 Attack: T1557 Owasp Attacks: Man-in-the-middle attack Reference_from_capec: REF-553 Reference_from_capec: REF-633 Reference_from_capec: REF-634 Reference_from_capec: REF-635 Reference_from_capec: REF-636 |
2022-09-29 02:00:00 | 2.1 |
|
Integrity:
|
Communications Software |
|
Explore
Experiment
Exploit
|
High |
|
Medium: This attack can get sophisticated since the attack may use cryptography. | Stable | Very High | 3.9 | |||||||||||||||||||||||||||
| Brute Force | Meta | In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset. | Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions. The key factor in this attack is the attackers' ability to explore the possible secret space rapidly. This, in turn, is a function of the size of the secret space and the computational power the attacker is able to bring to bear on the problem. If the attacker has modest resources and the secret space is large, the challenge facing the attacker is intractable. Assuming a finite secret space, a brute force attack will eventually succeed. The defender must rely on making sure that the time and resources necessary to do so will exceed the value of the information. | 2014-06-23 02:00:00 |
Capec: CAPEC-112
Cwe: CWE-330 Cwe: CWE-326 Cwe: CWE-521 Attack: T1110 Wasc: 11 Owasp Attacks: Brute force attack |
2022-09-29 02:00:00 | 2.1 |
Authorization:
|
Software |
Explore
Exploit
|
None |
|
|
Low: The attack simply requires basic scripting ability to automate the exploration of the search space. More sophisticated attackers may be able to use more advanced methods to reduce the search space and increase the speed with which the secret is located. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Interface Manipulation | Meta | An adversary manipulates the use or processing of an interface (e.g. Application Programming Interface (API) or System-on-Chip (SoC)) resulting in an adverse impact upon the security of the system implementing the interface. This can allow the adversary to bypass access control and/or execute functionality not intended by the interface implementation, possibly compromising the system which integrates the interface. Interface manipulation can take on a number of forms including forcing the unexpected use of an interface or the use of an interface in an unintended way. | 2014-06-23 02:00:00 |
Capec: CAPEC-113
Cwe: CWE-1192 |
2021-06-24 02:00:00 | 2.1 |
Software Hardware |
|
None | Medium |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Authentication Abuse | Meta | An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. | This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns. | 2014-06-23 02:00:00 |
Capec: CAPEC-114
Cwe: CWE-287 Cwe: CWE-1244 Attack: T1548 |
2022-02-22 01:00:00 | 2.1 |
Software Hardware |
None | None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Authentication Bypass | Meta | An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place. | This refers to an attacker gaining access equivalent to an authenticated user without ever going through an authentication procedure. This is usually the result of the attacker using an unexpected access procedure that does not go through the proper checkpoints where authentication should occur. For example, a web site might assume that all users will click through a given link in order to get to secure material and simply authenticate everyone that clicks the link. However, an attacker might be able to reach secured web content by explicitly entering the path to the content rather than clicking through the authentication link, thereby avoiding the check entirely. This attack pattern differs from other authentication attacks in that attacks of this pattern avoid authentication entirely, rather than faking authentication by exploiting flaws or by stealing credentials from legitimate users. | 2014-06-23 02:00:00 |
Capec: CAPEC-115
Cwe: CWE-287 Attack: T1548 Reference_from_capec: REF-598 |
2022-02-22 01:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Excavation | Meta | An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes. | This is achieved by exploring the target via ordinary interactions for the purpose of gathering intelligence about the target, or by sending data that is syntactically invalid or non-standard in an attempt to produce a response that contains the desired data. As a result of these interactions, the adversary is able to obtain information from the target that aids the attacker in making inferences about its security, configuration, or potential vulnerabilities. Examplar exchanges with the target may trigger unhandled exceptions or verbose error messages that reveal information like stack traces, configuration information, path information, or database design. This type of attack also includes the manipulation of query strings in a URI to produce invalid SQL queries, or by trying alternative path values in the hope that the server will return useful information. | 2014-06-23 02:00:00 |
Capec: CAPEC-116
Cwe: CWE-200 Cwe: CWE-1243 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Supply Chain Software Physical Security Hardware |
None | High |
|
|
Stable | Medium | 3.9 | |||||||||||||||||||||||||||||
| Interception | Meta | An adversary monitors data streams to or from the target for information gathering purposes. This attack may be undertaken to solely gather sensitive information or to support a further attack against the target. This attack pattern can involve sniffing network traffic as well as other types of data streams (e.g. radio). The adversary can attempt to initiate the establishment of a data stream or passively observe the communications as they unfold. In all variants of this attack, the adversary is not the intended recipient of the data stream. In contrast to other means of gathering information (e.g., targeting data leaks), the adversary must actively position themself so as to observe explicit data channels (e.g. network traffic) and read the content. However, this attack differs from a Adversary-In-the-Middle (CAPEC-94) attack, as the adversary does not alter the content of the communications nor forward data to the intended recipient. | 2014-06-23 02:00:00 |
Capec: CAPEC-117
Cwe: CWE-319 |
2021-06-24 02:00:00 | 2.1 |
Confidentiality:
|
Communications Software Physical Security |
None | Low |
|
|
Stable | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Privilege Abuse | Meta | An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non- privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources. | If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts. This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level. | 2014-06-23 02:00:00 |
Capec: CAPEC-122
Cwe: CWE-269 Cwe: CWE-732 Cwe: CWE-1317 Attack: T1548 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software Hardware |
|
None | High |
|
|
Low: Adversary can leverage privileged features they already have access to without additional effort or skill. Adversary is only required to have access to an account with improper priveleges. | Draft | Medium | 3.9 | |||||||||||||||||||||||||||
| Buffer Manipulation | Meta | An adversary manipulates an application's interaction with a buffer in an attempt to read or modify data they shouldn't have access to. Buffer attacks are distinguished in that it is the buffer space itself that is the target of the attack rather than any code responsible for interpreting the content of the buffer. In virtually all buffer attacks the content that is placed in the buffer is immaterial. Instead, most buffer attacks involve retrieving or providing more input than can be stored in the allocated buffer, resulting in the reading or overwriting of other unintended program memory. | 2014-06-23 02:00:00 |
Capec: CAPEC-123
Cwe: CWE-119 |
2019-04-04 02:00:00 | 2.1 |
Availability:
|
Software |
None | High |
|
Draft | Very High | 3.9 | |||||||||||||||||||||||||||||||
| Shared Resource Manipulation | Meta | An adversary exploits a resource shared between multiple applications, an application pool or hardware pin multiplexing to affect behavior. Resources may be shared between multiple applications or between multiple threads of a single application. Resource sharing is usually accomplished through mutual access to a single memory location or multiplexed hardware pins. If an adversary can manipulate this shared resource (usually by co-opting one of the applications or threads) the other applications or threads using the shared resource will often continue to trust the validity of the compromised shared resource and use it in their calculations. This can result in invalid trust assumptions, corruption of additional data through the normal operations of the other users of the shared resource, or even cause a crash or compromise of the sharing applications. | 2014-06-23 02:00:00 |
Capec: CAPEC-124
Cwe: CWE-1189 Cwe: CWE-1331 |
2020-12-17 01:00:00 | 2.1 |
Software Hardware |
None | None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Flooding | Meta | An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target. | 2014-06-23 02:00:00 |
Capec: CAPEC-125
Cwe: CWE-404 Cwe: CWE-770 Attack: T1498.001 Attack: T1499 Wasc: 10 Owasp Attacks: Traffic flood |
2022-09-29 02:00:00 | 2.1 |
Availability:
|
Communications Software |
None | High |
|
|
Stable | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Pointer Manipulation | Meta | This attack pattern involves an adversary manipulating a pointer within a target application resulting in the application accessing an unintended memory location. This can result in the crashing of the application or, for certain pointer values, access to data that would not normally be possible or the execution of arbitrary code. Since pointers are simply integer variables, Integer Attacks may often be used in Pointer Attacks. | 2014-06-23 02:00:00 |
Capec: CAPEC-129
Cwe: CWE-682 Cwe: CWE-822 Cwe: CWE-823 |
2019-04-04 02:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Excessive Allocation | Meta | An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request. | 2014-06-23 02:00:00 |
Capec: CAPEC-130
Cwe: CWE-404 Cwe: CWE-770 Cwe: CWE-1325 Attack: T1499.003 Wasc: 10 |
2020-12-17 01:00:00 | 2.1 |
Availability:
|
Communications Software |
|
None | Medium |
|
|
Stable | Medium | 3.9 | |||||||||||||||||||||||||||||
| Resource Leak Exposure | Meta | An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests. | Resource leaks most often come in the form of memory leaks where memory is allocated but never released after it has served its purpose, however, theoretically, any other resource that can be reserved can be targeted if the target fails to release the reservation when the reserved resource block is no longer needed. In this attack, the adversary determines what activity results in leaked resources and then triggers that activity on the target. Since some leaks may be small, this may require a large number of requests by the adversary. However, this attack differs from a flooding attack in that the rate of requests is generally not significant. This is because the lost resources due to the leak accumulate until the target is reset, usually by restarting it. Thus, a resource-poor adversary who would be unable to flood the target can still utilize this attack. Resource depletion through leak differs from resource depletion through allocation in that, in the former, the adversary may not be able to control the size of each leaked allocation, but instead allows the leak to accumulate until it is large enough to affect the target's performance. When depleting resources through allocation, the allocated resource may eventually be released by the target so the attack relies on making sure that the allocation size itself is prohibitive of normal operations by the target. | 2014-06-23 02:00:00 |
Capec: CAPEC-131
Cwe: CWE-404 Attack: T1499 Wasc: 10 |
2022-02-22 01:00:00 | 2.1 |
Availability:
|
Software |
None | Medium |
|
|
Stable | Medium | 3.9 | |||||||||||||||||||||||||||||
| Parameter Injection | Meta | An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in a HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value "myInput&new;_param=myValue", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack - the HTTP GET encoding used above is just one example. | 2014-06-23 02:00:00 |
Capec: CAPEC-137
Cwe: CWE-88 |
2019-04-04 02:00:00 | 2.1 |
Integrity:
|
Social Engineering Software |
None | Medium |
|
|
Stable | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Content Spoofing | Meta | An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes. | 2014-06-23 02:00:00 |
Capec: CAPEC-148
Cwe: CWE-345 Attack: T1491 Wasc: 12 Owasp Attacks: Content Spoofing |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Communications Software Hardware |
None | Medium |
|
|
Stable | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Identity Spoofing | Meta | Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials. | Alternatively, an adversary may intercept a message from a legitimate sender and attempt to make it look like the message comes from them without changing its content. The latter form of this attack can be used to hijack credentials from legitimate users. Identity Spoofing attacks need not be limited to transmitted messages - any resource that is associated with an identity (for example, a file with a signature) can be the target of an attack where the adversary attempts to change the apparent identity. This attack differs from Content Spoofing attacks where the adversary does not wish to change the apparent identity of the message but instead wishes to change what the message says. In an Identity Spoofing attack, the adversary is attempting to change the identity of the content. | 2014-06-23 02:00:00 |
Capec: CAPEC-151
Cwe: CWE-287 |
2022-02-22 01:00:00 | 2.1 |
Integrity:
|
Social Engineering Communications Software Hardware |
None | Medium |
|
|
Stable | Medium | 3.9 | |||||||||||||||||||||||||||||
| Input Data Manipulation | Meta | An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface. By supplying input of a non-standard or unexpected form an attacker can adversely impact the security of the target. | For example, using a different character encoding might cause dangerous text to be treated as safe text. Alternatively, the attacker may use certain flags, such as file extensions, to make a target application believe that provided data should be handled using a certain interpreter when the data is not actually of the appropriate type. This can lead to bypassing protection mechanisms, forcing the target to use specific components for input processing, or otherwise causing the user's data to be handled differently than might otherwise be expected. This attack differs from Variable Manipulation in that Variable Manipulation attempts to subvert the target's processing through the value of the input while Input Data Manipulation seeks to control how the input is processed. | 2014-06-23 02:00:00 |
Capec: CAPEC-153
Cwe: CWE-20 |
2022-02-22 01:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Resource Location Spoofing | Meta | An adversary deceives an application or user and convinces them to request a resource from an unintended location. By spoofing the location, the adversary can cause an alternate resource to be used, often one that the adversary controls and can be used to help them achieve their malicious goals. | 2014-06-23 02:00:00 |
Capec: CAPEC-154
Cwe: CWE-451 |
2023-01-24 01:00:00 | 2.1 |
Authorization:
|
Social Engineering Supply Chain Communications Software Hardware |
None | Medium |
|
|
Stable | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Infrastructure Manipulation | Meta | An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network objects or effect a change in the ordinary information flow between network objects. Most often, this involves manipulation of the routing of network messages so, instead of arriving at their proper destination, they are directed towards an entity of the attackers' choosing, usually a server controlled by the attacker. The victim is often unaware that their messages are not being processed correctly. For example, a targeted client may believe they are connecting to their own bank but, in fact, be connecting to a Pharming site controlled by the attacker which then collects the user's login information in order to hijack the actual bank account. | 2014-06-23 02:00:00 |
Capec: CAPEC-161
Cwe: CWE-923 |
2023-01-24 01:00:00 | 2.1 |
Communications Software Hardware |
None | None |
|
|
Draft | High | 3.9 | |||||||||||||||||||||||||||||||
| File Manipulation | Meta | An attacker modifies file contents or attributes (such as extensions or names) of files in a manner to cause incorrect processing by an application. Attackers use this class of attacks to cause applications to enter unstable states, overwrite or expose sensitive information, and even execute arbitrary code with the application's privileges. This class of attacks differs from attacks on configuration information (even if file-based) in that file manipulation causes the file processing to result in non-standard behaviors, such as buffer overflows or use of the incorrect interpreter. Configuration attacks rely on the application interpreting files correctly in order to insert harmful configuration information. Likewise, resource location attacks rely on controlling an application's ability to locate files, whereas File Manipulation attacks do not require the application to look in a non-default location, although the two classes of attacks are often combined. | 2014-06-23 02:00:00 |
Capec: CAPEC-165
Attack: T1036.003 |
2022-09-29 02:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Footprinting | Meta | An adversary engages in probing and exploration activities to identify constituents and properties of the target. | Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. Although similar to fingerprinting, footprinting aims to get a more holistic view of a system or network, whereas fingerprinting is more targeted to a specific application or operating system. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks. | 2014-06-23 02:00:00 |
Capec: CAPEC-169
Cwe: CWE-200 Attack: T1217 Attack: T1592 Attack: T1595 Reference_from_capec: REF-31 Reference_from_capec: REF-32 Reference_from_capec: REF-33 Reference_from_capec: REF-34 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Communications Software |
|
Explore
|
High |
|
|
Low: The adversary knows how to send HTTP request, run the scan tool. | Stable | Very Low | 3.9 | |||||||||||||||||||||||||||
| DEPRECATED: Variable Manipulation | Meta | This attack pattern has been deprecated as it is a duplicate of the existing attack pattern "CAPEC-77 : Manipulating User-Controlled Variables". Please refer to this other CAPEC going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-171
|
2017-05-01 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Action Spoofing | Meta | An adversary is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate a different action. For example, a user might be led to believe that clicking a button will submit a query, but in fact it downloads software. Adversaries may perform this attack through social means, such as by simply convincing a victim to perform the action or relying on a user's natural inclination to do so, or through technical means, such as a clickjacking attack where a user sees one interface but is actually interacting with a second, invisible, interface. | 2014-06-23 02:00:00 |
Capec: CAPEC-173
Cwe: CWE-451 |
2023-01-24 01:00:00 | 2.1 |
Integrity:
|
Social Engineering Software |
None | High |
|
Stable | Very High | 3.9 | |||||||||||||||||||||||||||||||
| Code Inclusion | Meta | An adversary exploits a weakness on the target to force arbitrary code to be retrieved locally or from a remote location and executed. This differs from code injection in that code injection involves the direct inclusion of code while code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application. | 2014-06-23 02:00:00 |
Capec: CAPEC-175
Cwe: CWE-829 |
2017-05-01 02:00:00 | 2.1 |
Software |
|
None | Medium |
|
|
Stable | Very High | 3.9 | ||||||||||||||||||||||||||||||
| Configuration/Environment Manipulation | Meta | An attacker manipulates files or settings external to a target application which affect the behavior of that application. For example, many applications use external configuration files and libraries - modification of these entities or otherwise affecting the application's ability to use them would constitute a configuration/environment manipulation attack. | 2014-06-23 02:00:00 |
Capec: CAPEC-176
Cwe: CWE-15 Cwe: CWE-1233 Cwe: CWE-1234 Cwe: CWE-1304 Cwe: CWE-1328 Owasp Attacks: Setting Manipulation |
2021-06-24 02:00:00 | 2.1 |
Supply Chain Software Hardware |
None | None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Software Integrity Attack | Meta | An attacker initiates a series of events designed to cause a user, program, server, or device to perform actions which undermine the integrity of software code, device data structures, or device firmware, achieving the modification of the target's integrity to achieve an insecure state. | 2014-06-23 02:00:00 |
Capec: CAPEC-184
Cwe: CWE-494 |
2018-07-31 02:00:00 | 2.1 |
Social Engineering Supply Chain Software |
None | None |
|
Medium: Manual or user-assisted attacks require deceptive mechanisms to trick the user into clicking a link or downloading and installing software. Automated update attacks require the attacker to host a payload and then trigger the installation of the payload code. | Draft | Low | 3.9 | |||||||||||||||||||||||||||||||
| Reverse Engineering | Meta | An adversary discovers the structure, function, and composition of an object, resource, or system by using a variety of analysis techniques to effectively determine how the analyzed entity was constructed or operates. The goal of reverse engineering is often to duplicate the function, or a part of the function, of an object in order to duplicate or "back engineer" some aspect of its functioning. Reverse engineering techniques can be applied to mechanical objects, electronic devices, or software, although the methodology and techniques involved in each type of analysis differ widely. | 2014-06-23 02:00:00 |
Capec: CAPEC-188
Cwe: CWE-1278 Reference_from_capec: REF-50 |
2023-01-24 01:00:00 | 2.1 |
Software Physical Security Hardware |
|
None | Low |
|
|
High: Understanding of low level programming languages or technologies can be very helpful. For example, when reverse engineering a binary file, an understanding of assembly languages can help to determine the purpose and inner-workings of the code. Another example is reverse engineering an application that relies on networking. Here, an understanding networking protocols can provide insight into application details. | Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| Protocol Analysis | Meta | An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet- switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network. | Although certain techniques for protocol analysis benefit from manipulating live 'on-the-wire' interactions between communicating components, static or dynamic analysis techniques applied to executables as well as to device drivers, such as network interface drivers, can also be used to reveal the function and characteristics of a communication protocol implementation. Depending upon the methods used the process may involve observing, interacting, and modifying actual communications occurring between hosts. The goal of protocol analysis is to derive the data transmission syntax, as well as to extract the meaningful content, including packet or content delimiters used by the protocol. This type of analysis is often performed on closed- specification protocols, or proprietary protocols, but is also useful for analyzing publicly available specifications to determine how particular implementations deviate from published specifications. | 2014-06-23 02:00:00 |
Capec: CAPEC-192
Cwe: CWE-326 Reference_from_capec: REF-57 Reference_from_capec: REF-50 |
2022-02-22 01:00:00 | 2.1 |
Integrity:
|
Communications Hardware |
None | Low |
|
|
High: Knowlegde of the Open Systems Interconnection model (OSI model), and famililarity with Wireshark or some other packet analyzer. | Stable | Low | 3.9 | ||||||||||||||||||||||||||||
| Functionality Misuse | Meta | An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact. The system functionality is not altered or modified but used in a way that was not intended. This is often accomplished through the overuse of a specific functionality or by leveraging functionality with design flaws that enables the adversary to gain access to unauthorized, sensitive data. | 2014-06-23 02:00:00 |
Capec: CAPEC-212
Cwe: CWE-1242 Cwe: CWE-1246 Cwe: CWE-1281 |
2021-06-24 02:00:00 | 2.1 |
Integrity:
|
Software Hardware |
None | Medium |
|
Low: General computer knowledge about how applications are launched, how they interact with input/output, and how they are configured. | Stable | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Communication Channel Manipulation | Meta | An adversary manipulates a setting or parameter on communications channel in order to compromise its security. This can result in information exposure, insertion/removal of information from the communications stream, and/or potentially system compromise. | 2014-06-23 02:00:00 |
Capec: CAPEC-216
Cwe: CWE-306 |
2023-01-24 01:00:00 | 2.1 |
Integrity:
|
Communications |
None | None |
|
|
Stable | None | 3.9 | ||||||||||||||||||||||||||||||
| Fingerprinting | Meta | An adversary compares output from a target system to known indicators that uniquely identify specific details about the target. Most commonly, fingerprinting is done to determine operating system and application versions. Fingerprinting can be done passively as well as actively. Fingerprinting by itself is not usually detrimental to the target. However, the information gathered through fingerprinting often enables an adversary to discover existing weaknesses in the target. | 2014-06-23 02:00:00 |
Capec: CAPEC-224
Cwe: CWE-200 Wasc: 45 |
2020-12-17 01:00:00 | 2.1 |
Confidentiality:
|
Software |
None | High |
|
|
Medium: Some fingerprinting activity requires very specific knowledge of how different operating systems respond to various TCP/IP requests. Application fingerprinting can be as easy as envoking the application with the correct command line argument, or mouse clicking in the appropriate place on the screen. | Stable | Very Low | 3.9 | |||||||||||||||||||||||||||||
| Sustained Client Engagement | Meta | An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource. | The degree to which the attack is successful depends upon the adversary's ability to sustain resource requests over time with a volume that exceeds the normal usage by legitimate users, as well as other mitigating circumstances such as the target's ability to shift load or acquire additional resources to deal with the depletion. This attack differs from a flooding attack as it is not entirely dependent upon large volumes of requests, and it differs from resource leak exposures which tend to exploit the surrounding environment needed for the resource to function. The key factor in a sustainment attack are the repeated requests that take longer to process than usual. | 2014-06-23 02:00:00 |
Capec: CAPEC-227
Cwe: CWE-400 Attack: T1499 Wasc: 10 |
2023-01-24 01:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||
| Privilege Escalation | Meta | An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform. | 2014-06-23 02:00:00 |
Capec: CAPEC-233
Cwe: CWE-269 Cwe: CWE-1264 Cwe: CWE-1311 Attack: T1548 Reference_from_capec: REF-600 |
2021-10-21 02:00:00 | 2.1 |
Software Hardware |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Resource Injection | Meta | An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource. | 2014-06-23 02:00:00 |
Capec: CAPEC-240
Cwe: CWE-99 Owasp Attacks: Resource Injection |
2020-12-17 01:00:00 | 2.1 |
Integrity:
|
Communications Software |
None | High |
|
Stable | High | 3.9 | |||||||||||||||||||||||||||||||
| DEPRECATED: Code Injection | Meta | This attack pattern has been deprecated as it is a duplicate of the existing attack pattern "CAPEC-242 : Code Injection". Please refer to this other CAPEC going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-241
|
2017-05-01 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Code Injection | Meta | An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application. | 2014-06-23 02:00:00 |
Capec: CAPEC-242
Cwe: CWE-94 Owasp Attacks: Code Injection Reference_from_capec: REF-612 |
2020-12-17 01:00:00 | 2.1 |
Integrity:
|
Software |
None | High |
|
Stable | High | 3.9 | |||||||||||||||||||||||||||||||
| Command Injection | Meta | An adversary looking to execute a command of their choosing, injects new items into an existing command thus modifying interpretation away from what was intended. Commands in this context are often standalone strings that are interpreted by a downstream component and cause specific responses. This type of attack is possible when untrusted values are used to build these command strings. Weaknesses in input validation or command construction can enable the attack and lead to successful exploitation. | 2014-06-23 02:00:00 |
Capec: CAPEC-248
Cwe: CWE-77 Owasp Attacks: Command Injection Reference_from_capec: REF-615 |
2020-12-17 01:00:00 | 2.1 |
Integrity:
|
Software |
None | Medium |
|
Stable | High | 3.9 | |||||||||||||||||||||||||||||||
| DEPRECATED: Abuse of Transaction Data Structure | Meta | This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. | 2014-06-23 02:00:00 |
Capec: CAPEC-257
|
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: Environment Variable Manipulation | Meta | This attack pattern has been deprecated as it is a duplicate of the existing attack pattern "CAPEC-13 : Subverting Environment Variable Values". Please refer to this other CAPEC going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-264
|
2017-05-01 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: Global variable manipulation | Meta | This attack pattern has been deprecated as it is a duplicate of the existing attack pattern "CAPEC-77 : Manipulating User-Controlled Variables". Please refer to this other CAPEC going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-265
|
2017-05-01 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: Manipulate Canonicalization | Meta | This attack pattern has been deprecated. | 2014-06-23 02:00:00 |
Capec: CAPEC-266
|
2017-05-01 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: Registry Manipulation | Meta | This pattern has been deprecated as it was determined to be a duplicate of another pattern. Please refer to the pattern CAPEC-203 : Manipulate Application Registry Values going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-269
|
2017-05-01 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Protocol Manipulation | Meta | An adversary subverts a communications protocol to perform an attack. This type of attack can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself. | 2014-06-23 02:00:00 |
Capec: CAPEC-272
|
2014-06-23 02:00:00 | 2.1 |
Communications Software |
None | None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| DEPRECATED: ICMP Echo Request Ping | Meta | This attack pattern has been deprecated as it is a duplicate of the existing attack pattern "CAPEC-285". Please refer to this other CAPEC going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-288
|
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | Low | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: Infrastructure-based footprinting | Meta | This attack pattern has been deprecated as it was determined to be an unnecessary layer of abstraction. Please refer to the meta level pattern CAPEC-169 : going forward, or to any of its children patterns. | 2014-06-23 02:00:00 |
Capec: CAPEC-289
|
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Bypassing Physical Security | Meta | Facilities often used layered models for physical security such as traditional locks, Electronic-based card entry systems, coupled with physical alarms. Hardware security mechanisms range from the use of computer case and cable locks as well as RFID tags for tracking computer assets. This layered approach makes it difficult for random physical security breaches to go unnoticed, but is less effective at stopping deliberate and carefully planned break-ins. Avoiding detection begins with evading building security and surveillance and methods for bypassing the electronic or physical locks which secure entry points. | 2014-06-23 02:00:00 |
Capec: CAPEC-390
Reference_from_capec: REF-33 |
2014-06-23 02:00:00 | 2.1 |
Physical Security |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| DEPRECATED: Social Information Gathering Attacks | Meta | This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. Please refer to CAPEC-118 : Collect and Analyze Information. | 2014-06-23 02:00:00 |
Capec: CAPEC-404
Reference_from_capec: REF-348 |
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: Social Information Gathering via Research | Meta | This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. Please refer to CAPEC-118 : Collect and Analyze Information. | 2014-06-23 02:00:00 |
Capec: CAPEC-405
Reference_from_capec: REF-348 |
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: Information Gathering from Traditional Sources | Meta | This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. Please refer to CAPEC-118 : Collect and Analyze Information. | 2014-06-23 02:00:00 |
Capec: CAPEC-408
|
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: Information Gathering from Non-Traditional Sources | Meta | This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. Please refer to CAPEC-118 : Collect and Analyze Information. | 2014-06-23 02:00:00 |
Capec: CAPEC-409
|
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Information Elicitation | Meta | An adversary engages an individual using any combination of social engineering methods for the purpose of extracting information. Accurate contextual and environmental queues, such as knowing important information about the target company or individual can greatly increase the success of the attack and the quality of information gathered. Authentic mimicry combined with detailed knowledge increases the success of elicitation attacks. | 2014-06-23 02:00:00 |
Capec: CAPEC-410
Reference_from_capec: REF-348 |
2017-08-04 02:00:00 | 2.1 |
Social Engineering Software |
None | None | Draft | Low | 3.9 | |||||||||||||||||||||||||||||||||
| DEPRECATED: Pretexting | Meta | This attack pattern has been deprecated as it is a duplicate of the existing attack pattern "CAPEC-407 : Social Information Gathering via Pretexting". Please refer to this other CAPEC going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-411
|
2017-08-04 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Manipulate Human Behavior | Meta | An adversary exploits inherent human psychological predisposition to influence a targeted individual or group to solicit information or manipulate the target into performing an action that serves the adversary's interests. Many interpersonal social engineering techniques do not involve outright deception, although they can; many are subtle ways of manipulating a target to remove barriers, make the target feel comfortable, and produce an exchange in which the target is either more likely to share information directly, or let key information slip out unintentionally. A skilled adversary uses these techniques when appropriate to produce the desired outcome. Manipulation techniques vary from the overt, such as pretending to be a supervisor to a help desk, to the subtle, such as making the target feel comfortable with the adversary's speech and thought patterns. | 2014-06-23 02:00:00 |
Capec: CAPEC-416
Reference_from_capec: REF-348 |
2017-08-04 02:00:00 | 2.1 |
Integrity:
|
Social Engineering |
None | Medium |
|
Stable | Medium | 3.9 | |||||||||||||||||||||||||||||||
| DEPRECATED: Target Influence via Perception of Concession | Meta | This attack pattern has been deprecated as it was deemed not to be a legitimate pattern. | 2014-06-23 02:00:00 |
Capec: CAPEC-419
|
2017-08-04 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Modification During Manufacture | Meta | An attacker modifies a technology, product, or component during a stage in its manufacture for the purpose of carrying out an attack against some entity involved in the supply chain lifecycle. There are an almost limitless number of ways an attacker can modify a technology when they are involved in its manufacture, as the attacker has potential inroads to the software composition, hardware design and assembly, firmware, or basic design mechanics. Additionally, manufacturing of key components is often outsourced with the final product assembled by the primary manufacturer. The greatest risk, however, is deliberate manipulation of design specifications to produce malicious hardware or devices. There are billions of transistors in a single integrated circuit and studies have shown that fewer than 10 transistors are required to create malicious functionality. | 2014-06-23 02:00:00 |
Capec: CAPEC-438
Attack: T1195 Reference_from_capec: REF-379 Reference_from_capec: REF-380 Reference_from_capec: REF-381 Reference_from_capec: REF-382 |
2021-06-24 02:00:00 | 2.1 |
Supply Chain Software Hardware |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Manipulation During Distribution | Meta | An attacker undermines the integrity of a product, software, or technology at some stage of the distribution channel. The core threat of modification or manipulation during distribution arise from the many stages of distribution, as a product may traverse multiple suppliers and integrators as the final asset is delivered. Components and services provided from a manufacturer to a supplier may be tampered with during integration or packaging. | 2014-06-23 02:00:00 |
Capec: CAPEC-439
Cwe: CWE-1269 Attack: T1195 Reference_from_capec: REF-379 Reference_from_capec: REF-384 Reference_from_capec: REF-382 |
2021-06-24 02:00:00 | 2.1 |
Supply Chain Hardware |
|
None | None | Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| Hardware Integrity Attack | Meta | An adversary exploits a weakness in the system maintenance process and causes a change to be made to a technology, product, component, or sub-component or a new one installed during its deployed use at the victim location for the purpose of carrying out an attack. | 2014-06-23 02:00:00 |
Capec: CAPEC-440
Attack: T1195.003 Attack: T1200 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Supply Chain Physical Security Hardware |
None | Low |
|
Stable | High | 3.9 | |||||||||||||||||||||||||||||||
| Malicious Logic Insertion | Meta | An adversary installs or adds malicious logic (also known as malware) into a seemingly benign component of a fielded system. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. With the proliferation of mass digital storage and inexpensive multimedia devices, Bluetooth and 802.11 support, new attack vectors for spreading malware are emerging for things we once thought of as innocuous greeting cards, picture frames, or digital projectors. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems and their components that are still under development and part of the supply chain. | 2014-06-23 02:00:00 |
Capec: CAPEC-441
Cwe: CWE-284 |
2018-07-31 02:00:00 | 2.1 |
Authorization:
|
Software Hardware |
None | Medium |
|
Stable | High | 3.9 | |||||||||||||||||||||||||||||||
| Physical Theft | Meta | An adversary gains physical access to a system or device through theft of the item. Possession of a system or device enables a number of unique attacks to be executed and often provides the adversary with an extended timeframe for which to perform an attack. Most protections put in place to secure sensitive information can be defeated when an adversary has physical access and enough time. | 2014-06-23 02:00:00 |
Capec: CAPEC-507
|
2014-06-23 02:00:00 | 2.1 |
Physical Security |
None | None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| Contaminate Resource | Meta | An adversary contaminates organizational information systems (including devices and networks) by causing them to handle information of a classification/sensitivity for which they have not been authorized. When this happens, the contaminated information system, device, or network must be brought offline to investigate and mitigate the data spill, which denies availability of the system until the investigation is complete. | Contamination through email is a very common attack vector. Systems with email servers or personal work systems using email are susceptible to this attack simply by receiving an email that contains a classified document or information. A fake classified document could even be used that is mistaken as true classified material. This would still cause the system to be taken offline until the validity of the classified material is confirmed. | 2014-06-23 02:00:00 |
Capec: CAPEC-548
Reference_from_capec: REF-742 Reference_from_capec: REF-743 |
2023-01-24 01:00:00 | 2.1 |
|
Availability:
|
Software Hardware |
|
None | Low |
|
Low: The ability to fake a classified document High: The ability to obtain a classified document or information | Draft | High | 3.9 | |||||||||||||||||||||||||||
| Local Execution of Code | Meta | An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootkits, ransomware, spyware, adware, and others. | 2015-11-09 01:00:00 |
Capec: CAPEC-549
Cwe: CWE-829 |
2021-06-24 02:00:00 | 2.1 |
Integrity:
|
Software |
|
None | Medium |
|
|
Stable | High | 3.9 | |||||||||||||||||||||||||||||
| Functionality Bypass | Meta | An adversary attacks a system by bypassing some or all functionality intended to protect it. Often, a system user will think that protection is in place, but the functionality behind those protections has been disabled by the adversary. | 2015-12-07 01:00:00 |
Capec: CAPEC-554
Cwe: CWE-424 Cwe: CWE-1299 |
2021-06-24 02:00:00 | 2.1 |
Software |
None | Medium | Draft | High | 3.9 | |||||||||||||||||||||||||||||||||
| Use of Known Domain Credentials | Meta | An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service. | Attacks leveraging trusted credentials typically result in the adversary laterally moving within the local network, since users are often allowed to login to systems/applications within the network using the same password. This further allows the adversary to obtain sensitive data, download/install malware on the system, pose as a legitimate user for social engineering purposes, and more. Attacks on known passwords generally rely on the primary fact that users often reuse the same username/password combination for a variety of systems, applications, and services, coupled with poor password policies on the target system or application. Adversaries can also utilize known passwords to target Single Sign On (SSO) or cloud-based applications and services, which often don't verify the authenticity of the user's input. Known credentials are usually obtained by an adversary via a system/application breach and/or by purchasing dumps of credentials on the dark web. These credentials may be further gleaned via exposed configuration and properties files that contain system passwords, database connection strings, and other sensitive data. | 2015-11-09 01:00:00 |
Capec: CAPEC-560
Cwe: CWE-522 Cwe: CWE-307 Cwe: CWE-308 Cwe: CWE-309 Cwe: CWE-262 Cwe: CWE-263 Cwe: CWE-654 Cwe: CWE-1273 Attack: T1078 Reference_from_capec: REF-570 Reference_from_capec: REF-571 Reference_from_capec: REF-572 Reference_from_capec: REF-573 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software Hardware |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: Once an adversary obtains a known credential, leveraging it is trivial. | Stable | High | 3.9 | |||||||||||||||||||||||||||
| Object Injection | Meta | An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution. | 2017-02-06 01:00:00 |
Capec: CAPEC-586
Cwe: CWE-502 Reference_from_capec: REF-468 |
2020-12-17 01:00:00 | 2.1 |
Integrity:
|
Software |
None | Medium |
|
Draft | High | 3.9 | |||||||||||||||||||||||||||||||
| Traffic Injection | Meta | An adversary injects traffic into the target's network connection. The adversary is therefore able to degrade or disrupt the connection, and potentially modify the content. This is not a flooding attack, as the adversary is not focusing on exhausting resources. Instead, the adversary is crafting a specific input to affect the system in a particular way. | 2017-01-03 01:00:00 |
Capec: CAPEC-594
Cwe: CWE-940 |
2021-06-24 02:00:00 | 2.1 |
Integrity:
|
Communications Software |
None | None |
|
|
Stable | None | 3.9 | ||||||||||||||||||||||||||||||
| DEPRECATED: Degradation | Meta | This attack pattern has been deprecated. | 2015-11-09 01:00:00 |
Capec: CAPEC-602
|
2017-05-01 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Obstruction | Meta | An attacker obstructs the interactions between system components. By interrupting or disabling these interactions, an adversary can often force the system into a degraded state or cause the system to stop working as intended. This can cause the system components to be unavailable until the obstruction mitigated. | 2015-11-09 01:00:00 |
Capec: CAPEC-607
|
2023-01-24 01:00:00 | 2.1 |
Availability:
|
Social Engineering Communications Software Physical Security Hardware |
None | None | Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| Hardware Fault Injection | Meta | The adversary uses disruptive signals or events, or alters the physical environment a device operates in, to cause faulty behavior in electronic devices. This can include electromagnetic pulses, laser pulses, clock glitches, ambient temperature extremes, and more. When performed in a controlled manner on devices performing cryptographic operations, this faulty behavior can be exploited to derive secret key information. | 2015-11-09 01:00:00 |
Capec: CAPEC-624
Cwe: CWE-1247 Cwe: CWE-1248 Cwe: CWE-1256 Cwe: CWE-1319 Cwe: CWE-1332 Cwe: CWE-1334 Cwe: CWE-1338 Cwe: CWE-1351 |
2022-09-29 02:00:00 | 2.1 |
|
Integrity:
|
Communications Hardware |
None | Low |
|
|
High: Adversaries require non-trivial technical skills to create and implement fault injection attacks. Although this style of attack has become easier (commercial equipment and training classes are available to perform these attacks), they usual require significant setup and experimentation time during which physical access to the device is required. | Stable | High | 3.9 | ||||||||||||||||||||||||||||
| Metadata Spoofing | Meta | An adversary alters the metadata of a resource (e.g., file, directory, repository, etc.) to present a malicious resource as legitimate/credible. | One approach to this attack entails the adversary altering a maliciously modified resource's metadata in order to hide their malicious activity. Another approach involves altering the metadata of an adversary-created resource to make the source appear more credible. Adversaries may spoof a variety of metadata across a number of resources, such as the following: Authors of Version Control System (VCS) repository commits Open source package statistics File attributes, such as when a file was last update The ultimate goal of a Metadata Spoofing attack is to trick victims into believing the malicious resource being provided originates from a reputable source. However, the victim instead leverages the malicious resource, which could result in a number of negative technical impacts. | 2022-09-29 02:00:00 |
Capec: CAPEC-690
|
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Social Engineering Supply Chain Software |
None | Medium |
|
Medium: Ability to spoof a variety of metadata to convince victims the source is trusted | Stable | High | 3.9 | |||||||||||||||||||||||||||||
| Eavesdropping on a Monitor | Meta | An Adversary can eavesdrop on the content of an external monitor through the air without modifying any cable or installing software, just capturing this signal emitted by the cable or video port, with this the attacker will be able to impact the confidentiality of the data without being detected by traditional security tools | This attack gives the adversary the ability to view an external monitor with an insignificant delay. There is also no indicator of compromise from the victim visible on the monitor. The eavesdrop is possible due to a signal leakage, that is produced at different points of the connection, including the source port, the connection between the cable and PC, the cable itself, and the connection between the cable and the monitor. That signal leakage can be captured near any of the leak points, but also in a near location, like the next room or a few meters away, using an SDR (Software-defined Radio) device and the correspondent software, that process and interpret the signal to show attackers what the monitor is displaying. From the victim’s point of view, this specified attack might cause a high risk, and from the other hand, from the attacker’s point of view, the attack is excellent, since the specified attack method can be used without investing too much effort or require too many skills, as long as the right attack tool is in right place, this allows attackers to completely compromise the confidentiality of the data; also giving the attacker the advantage of being undetectable by not only traditional security products but also from bug sweep because the SDR device is acting in passive mode. | 2023-01-24 01:00:00 |
Capec: CAPEC-699
Cwe: CWE-1300 Reference_from_capec: REF-744 Reference_from_capec: REF-745 |
2023-01-24 01:00:00 | 2.1 |
Confidentiality:
|
Explore
Experiment
Exploit
|
Medium |
|
|
Low: Understanding of computing hardware, to identify the video cable and video ports Medium: Knowledge of how to use the SDR and related software: With this knowledge, the adversary will find the correct frequency where the signal is being leaked | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Accessing Functionality Not Properly Constrained by ACLs | Standard | In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to. | 2014-06-23 02:00:00 |
Capec: CAPEC-1
Cwe: CWE-276 Cwe: CWE-285 Cwe: CWE-434 Cwe: CWE-693 Cwe: CWE-732 Cwe: CWE-1191 Cwe: CWE-1193 Cwe: CWE-1220 Cwe: CWE-1297 Cwe: CWE-1311 Cwe: CWE-1314 Cwe: CWE-1315 Cwe: CWE-1318 Cwe: CWE-1320 Cwe: CWE-1321 Cwe: CWE-1327 Attack: T1574.010 |
2022-09-29 02:00:00 | 2.1 |
Authorization:
|
Software Hardware |
|
Explore
Experiment
|
High |
|
|
Low: In order to discover unrestricted resources, the attacker does not need special tools or skills. They only have to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Inducing Account Lockout | Standard | An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks. | 2014-06-23 02:00:00 |
Capec: CAPEC-2
Cwe: CWE-645 Attack: T1531 |
2021-06-24 02:00:00 | 2.1 |
Availability:
|
Software |
|
Experiment
Exploit
|
High |
|
|
Low: No programming skills or computer knowledge is needed. An attacker can easily use this attack pattern following the Execution Flow above. | Draft | Medium | 3.9 | ||||||||||||||||||||||||||||
| Argument Injection | Standard | An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods. | 2014-06-23 02:00:00 |
Capec: CAPEC-6
Cwe: CWE-74 Cwe: CWE-146 Cwe: CWE-184 Cwe: CWE-78 Cwe: CWE-185 Cwe: CWE-697 Reference_from_capec: REF-1 Reference_from_capec: REF-482 |
2021-06-24 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Medium: The attacker has to identify injection vector, identify the operating system-specific commands, and optionally collect the output. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Choosing Message Identifier | Standard | This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one. | 2014-06-23 02:00:00 |
Capec: CAPEC-12
Cwe: CWE-201 Cwe: CWE-306 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Communications |
|
Explore
Experiment
|
High |
|
|
Low: All the adversary needs to discover is the format of the messages on the channel/distribution means and the particular identifier used within the messages. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Command Delimiters | Standard | An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on. | 2014-06-23 02:00:00 |
Capec: CAPEC-15
Cwe: CWE-146 Cwe: CWE-77 Cwe: CWE-184 Cwe: CWE-78 Cwe: CWE-185 Cwe: CWE-93 Cwe: CWE-140 Cwe: CWE-157 Cwe: CWE-138 Cwe: CWE-154 Cwe: CWE-697 Reference_from_capec: REF-1 |
2021-06-24 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Medium: The attacker has to identify injection vector, identify the specific commands, and optionally collect the output, i.e. from an interactive session. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Using Malicious Files | Standard | An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface. | 2014-06-23 02:00:00 |
Capec: CAPEC-17
Cwe: CWE-732 Cwe: CWE-285 Cwe: CWE-272 Cwe: CWE-59 Cwe: CWE-282 Cwe: CWE-270 Cwe: CWE-693 Attack: T1574.005 Attack: T1574.010 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: To identify and execute against an over-privileged system interface | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| Embedding Scripts within Scripts | Standard | An adversary leverages the capability to execute their own script by embedding it within other scripts that the target software is likely to execute due to programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. | The adversary must have the ability to inject their script into a script that is likely to be executed. If this is done, then the adversary can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an adversary can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. These attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. | 2014-06-23 02:00:00 |
Capec: CAPEC-19
Cwe: CWE-284 Attack: T1027.009 Attack: T1546.004 Attack: T1546.016 |
2023-01-24 01:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: To load malicious script into open, e.g. world writable directory Medium: Executing remote scripts on host and collecting output | Stable | High | 3.9 | ||||||||||||||||||||||||||||
| Encryption Brute Forcing | Standard | An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext. | 2014-06-23 02:00:00 |
Capec: CAPEC-20
Cwe: CWE-326 Cwe: CWE-327 Cwe: CWE-693 Cwe: CWE-1204 |
2021-06-24 02:00:00 | 2.1 |
Confidentiality:
|
Software |
|
Explore
Experiment
|
Low |
|
|
Low: Brute forcing encryption does not require much skill. | Draft | Low | 3.9 | ||||||||||||||||||||||||||||
| File Content Injection | Standard | An adversary poisons files with a malicious payload (targeting the file systems accessible by the target software), which may be passed through by standard channels such as via email, and standard web content like PDF and multimedia files. The adversary exploits known vulnerabilities or handling routines in the target processes, in order to exploit the host's trust in executing remote content, including binary files. | Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the adversary knows the standard handling routines and can identify vulnerabilities and entry points, they can be exploited by otherwise seemingly normal content. Once the attack is executed, the adversary's program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus. | 2014-06-23 02:00:00 |
Capec: CAPEC-23
Cwe: CWE-20 Reference_from_capec: REF-1 |
2022-02-22 01:00:00 | 2.1 |
Integrity:
|
Software |
|
None | High |
|
Medium: How to poison a file with malicious payload that will exploit a vulnerability when the file is opened. The adversary must also know how to place the file onto a system where it will be opened by an unsuspecting party, or force the file to be opened. | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions | Standard | This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly. | 2014-06-23 02:00:00 |
Capec: CAPEC-29
Cwe: CWE-367 Cwe: CWE-368 Cwe: CWE-366 Cwe: CWE-370 Cwe: CWE-362 Cwe: CWE-662 Cwe: CWE-691 Cwe: CWE-663 Cwe: CWE-665 Reference_from_capec: REF-131 Reference_from_capec: REF-107 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Medium: This attack can get sophisticated since the attack has to occur within a short interval of time. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Hijacking a Privileged Thread of Execution | Standard | An adversary hijacks a privileged thread of execution by injecting malicious code into a running process. By using a privleged thread to do their bidding, adversaries can evade process-based detection that would stop an attack that creates a new process. This can lead to an adversary gaining access to the process's memory and can also enable elevated privileges. The most common way to perform this attack is by suspending an existing thread and manipulating its memory. | 2014-06-23 02:00:00 |
Capec: CAPEC-30
Cwe: CWE-270 Attack: T1055.003 |
2021-10-21 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Low |
|
|
High: Hijacking a thread involves knowledge of how processes and threads function on the target platform, the design of the target application as well as the ability to identify the primitives to be used or manipulated to hijack the thread. | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| Using Unpublished Interfaces or Functionality | Standard | An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for. | Adversaries can also search for undocumented bits on a hardware device, commonly known as "chicken bits". These bits are used to enable/disable certain functionality, but are not published. Adversaries can reverse engineer firmware to identify hidden features and change these bits at runtime to achieve malicious behavior. | 2014-06-23 02:00:00 |
Capec: CAPEC-36
Cwe: CWE-306 Cwe: CWE-693 Cwe: CWE-695 Cwe: CWE-1242 |
2022-09-29 02:00:00 | 2.1 |
Authorization:
|
Software Hardware |
|
Explore
Experiment
Exploit
|
Medium |
|
|
Low: A number of web service digging tools are available for free that help discover exposed web services and their interfaces. In the event that a web service is not listed, the attacker does not need to know much more in addition to the format of web service messages that they can sniff/monitor for. | Draft | High | 3.9 | |||||||||||||||||||||||||||
| Manipulating Opaque Client-based Data Tokens | Standard | In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation. | 2014-06-23 02:00:00 |
Capec: CAPEC-39
Cwe: CWE-353 Cwe: CWE-285 Cwe: CWE-302 Cwe: CWE-472 Cwe: CWE-565 Cwe: CWE-315 Cwe: CWE-539 Cwe: CWE-384 Cwe: CWE-233 |
2020-07-30 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
|
High |
|
|
High: If the client site token is encrypted. Medium: If the client site token is obfuscated. | Draft | Medium | 3.9 | ||||||||||||||||||||||||||||
| Manipulating Writeable Terminal Devices | Standard | This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded. | 2014-06-23 02:00:00 |
Capec: CAPEC-40
Cwe: CWE-77 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Exploit
|
High |
|
|
Low: Ability to discover permissions on terminal devices. Of course, brute force can also be used. | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| Passing Local Filenames to Functions That Expect a URL | Standard | This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks. | 2014-06-23 02:00:00 |
Capec: CAPEC-48
Cwe: CWE-241 Cwe: CWE-706 Reference_from_capec: REF-1 Reference_from_capec: REF-416 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Medium: Attacker identifies known local files to exploit | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Password Brute Forcing | Standard | An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password. | A system will be particularly vulnerable to this type of an attack if it does not have a proper enforcement mechanism in place to ensure that passwords selected by users are strong passwords that comply with an adequate password policy. In practice a pure brute force attack on passwords is rarely used, unless the password is suspected to be weak. Other password cracking methods exist that are far more effective (e.g. dictionary attacks, rainbow tables, etc.). Knowing the password policy on the system can make a brute force attack more efficient. For instance, if the policy states that all passwords must be of a certain level, there is no need to check smaller candidates. | 2014-06-23 02:00:00 |
Capec: CAPEC-49
Cwe: CWE-521 Cwe: CWE-262 Cwe: CWE-263 Cwe: CWE-257 Cwe: CWE-654 Cwe: CWE-307 Cwe: CWE-308 Cwe: CWE-309 Attack: T1110.001 |
2022-02-22 01:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Exploit
|
Medium |
|
|
Low: A brute force attack is very straightforward. A variety of password cracking tools are widely available. | Draft | High | 3.9 | |||||||||||||||||||||||||||
| Password Recovery Exploitation | Standard | An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure. | Most of them use only one security question. For instance, mother's maiden name tends to be a fairly popular one. Unfortunately in many cases this information is not very hard to find, especially if the attacker knows the legitimate user. These generic security questions are also re-used across many applications, thus making them even more insecure. An attacker could for instance overhear a coworker talking to a bank representative at the work place and supplying their mother's maiden name for verification purposes. An attacker can then try to log in into one of the victim's accounts, click on "forgot password" and there is a good chance that the security question there will be to provide mother's maiden name. A weak password recovery scheme totally undermines the effectiveness of a strong password scheme. | 2014-06-23 02:00:00 |
Capec: CAPEC-50
Cwe: CWE-522 Cwe: CWE-640 Reference_from_capec: REF-429 |
2022-09-29 02:00:00 | 2.1 |
Authorization:
|
Software |
|
Explore
Exploit
|
Medium |
|
|
Low: Brute force attack Medium: Social engineering and more sophisticated technical attacks. | Draft | High | 3.9 | |||||||||||||||||||||||||||
| Query System for Information | Standard | An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide. | 2014-06-23 02:00:00 |
Capec: CAPEC-54
Cwe: CWE-209 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Medium: Although fuzzing parameters is not difficult, and often possible with automated fuzzers, interpreting the error conditions and modifying the parameters so as to move further in the process of mapping the application requires detailed knowledge of target platform, the languages and packages used as well as software design. | Draft | Low | 3.9 | ||||||||||||||||||||||||||||
| DEPRECATED: Removing/short-circuiting 'guard logic' | Standard | This attack pattern has been deprecated as it is a duplicate of CAPEC-207 : Removing Important Client Functionality. Please refer to this other pattern going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-56
|
2017-05-01 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Cross Site Request Forgery | Standard | An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie. | 2014-06-23 02:00:00 |
Capec: CAPEC-62
Cwe: CWE-352 Cwe: CWE-306 Cwe: CWE-664 Cwe: CWE-732 Cwe: CWE-1275 Wasc: 09 Owasp Attacks: Cross Site Request Forgery (CSRF) Reference_from_capec: REF-62 Reference_from_capec: REF-602 |
2021-06-24 02:00:00 | 2.1 |
|
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Medium: The attacker needs to figure out the exact invocation of the targeted malicious action and then craft a link that performs the said action. Having the user click on such a link is often accomplished by sending an email or posting such a link to a bulletin board or the likes. | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| Cross-Site Scripting (XSS) | Standard | An adversary embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level. An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect. | 2014-06-23 02:00:00 |
Capec: CAPEC-63
Cwe: CWE-79 Cwe: CWE-20 Wasc: 08 Owasp Attacks: Cross Site Scripting (XSS) Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: To achieve a redirection and use of less trusted source, an attacker can simply place a script in bulletin board, blog, wiki, or other user-generated content site that are echoed back to other client machines. High: Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process. | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| SQL Injection | Standard | This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input. | When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to interact directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database. | 2014-06-23 02:00:00 |
Capec: CAPEC-66
Cwe: CWE-89 Cwe: CWE-1286 Wasc: 19 Owasp Attacks: SQL Injection Reference_from_capec: REF-607 |
2022-02-22 01:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: It is fairly simple for someone with basic SQL knowledge to perform SQL injection, in general. In certain instances, however, specific knowledge of the database employed may be required. | Draft | High | 3.9 | |||||||||||||||||||||||||||
| Subvert Code-signing Facilities | Standard | Many languages use code signing facilities to vouch for code's identity and to thus tie code to its assigned privileges within an environment. Subverting this mechanism can be instrumental in an attacker escalating privilege. Any means of subverting the way that a virtual machine enforces code signing classifies for this style of attack. | 2014-06-23 02:00:00 |
Capec: CAPEC-68
Cwe: CWE-325 Cwe: CWE-328 Cwe: CWE-1326 Attack: T1553.002 |
2022-09-29 02:00:00 | 2.1 |
Authorization:
|
Software Hardware |
|
None | Low |
|
|
High: Subverting code signing is not a trivial activity. Most code signing and verification schemes are based on use of cryptography and the attacker needs to have an understanding of these cryptographic operations in good detail. Additionally the attacker also needs to be aware of the way memory is assigned and accessed by the container since, often, the only way to subvert code signing would be to patch the code in memory. Finally, a knowledge of the platform specific mechanisms of signing and verifying code is a must. | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| Target Programs with Elevated Privileges | Standard | This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges. | 2014-06-23 02:00:00 |
Capec: CAPEC-69
Cwe: CWE-250 Cwe: CWE-15 Reference_from_capec: REF-1 |
2021-10-21 02:00:00 | 2.1 |
Integrity:
|
Software |
Explore
Exploit
|
High |
|
Low: An attacker can use a tool to scan and automatically launch an attack against known issues. A tool can also repeat a sequence of instructions and try to brute force the service on the host target, an example of that would be the flooding technique. Medium: More advanced attack may require knowledge of the protocol spoken by the host service. | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||||
| User-Controlled Filename | Standard | An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities. | 2014-06-23 02:00:00 |
Capec: CAPEC-73
Cwe: CWE-20 Cwe: CWE-184 Cwe: CWE-96 Cwe: CWE-348 Cwe: CWE-116 Cwe: CWE-350 Cwe: CWE-86 Cwe: CWE-697 Reference_from_capec: REF-1 |
2017-05-01 02:00:00 | 2.1 |
Integrity:
|
Software |
|
None | High |
|
Low: To achieve a redirection and use of less trusted source, an attacker can simply edit data that the host uses to build the filename High: Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process. Medium: Deploying a malicious "look-a-like" site (such as a site masquerading as a bank or online auction site) that the user enters their authentication data into. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Manipulating Writeable Configuration Files | Standard | Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users. | 2014-06-23 02:00:00 |
Capec: CAPEC-75
Cwe: CWE-349 Cwe: CWE-99 Cwe: CWE-77 Cwe: CWE-346 Cwe: CWE-353 Cwe: CWE-354 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Authorization:
|
Software |
|
None | High |
|
Medium: To identify vulnerable configuration files, and understand how to manipulate servers and erase forensic evidence | Draft | Very High | 3.9 | |||||||||||||||||||||||||||||
| Manipulating User-Controlled Variables | Standard | This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables. | 2014-06-23 02:00:00 |
Capec: CAPEC-77
Cwe: CWE-15 Cwe: CWE-94 Cwe: CWE-96 Cwe: CWE-285 Cwe: CWE-302 Cwe: CWE-473 Cwe: CWE-1321 Reference_from_capec: REF-1 Reference_from_capec: REF-520 Reference_from_capec: REF-521 Reference_from_capec: REF-522 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: The malicious user can easily try some well-known global variables and find one which matches. Medium: The adversary can use automated tools to probe for variables that they can control. | Draft | Very High | 3.9 | |||||||||||||||||||||||||||||
| DEPRECATED: Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS)) | Standard | This attack pattern has been deprecated as it a generalization of CAPEC-230: XML Nested Payloads, CAPEC-231: XML Oversized Payloads, and CAPEC-147: XML Ping of Death. Please refer to these CAPECs going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-82
|
2019-09-30 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Forceful Browsing | Standard | An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected. | 2014-06-23 02:00:00 |
Capec: CAPEC-87
Cwe: CWE-425 Cwe: CWE-285 Cwe: CWE-693 Wasc: 34 Owasp Attacks: Forced browsing |
2020-12-17 01:00:00 | 2.1 |
Authorization:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: Forcibly browseable pages can be discovered by using a number of automated tools. Doing the same manually is tedious but by no means difficult. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| OS Command Injection | Standard | In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system. | 2014-06-23 02:00:00 |
Capec: CAPEC-88
Cwe: CWE-78 Cwe: CWE-88 Cwe: CWE-20 Cwe: CWE-697 Wasc: 31 Reference_from_capec: REF-543 |
2021-06-24 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
High: The attacker needs to have knowledge of not only the application to exploit but also the exact nature of commands that pertain to the target operating system. This may involve, though not always, knowledge of specific assembly commands for the platform. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Pharming | Standard | A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to their site rather than the originally intended one. Pharming does not require script injection or clicking on malicious links for the attack to succeed. | 2014-06-23 02:00:00 |
Capec: CAPEC-89
Cwe: CWE-346 Cwe: CWE-350 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Social Engineering |
|
Exploit
|
High |
|
|
Medium: The attacker needs to be able to poison the resolver - DNS entries or local hosts file or router entry pointing to a trusted DNS server - in order to successfully carry out a pharming attack. Setting up a fake website, identical to the targeted one, does not require special skills. | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| Reflection Attack in Authentication Protocol | Standard | An adversary can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the adversary illegitimate access to the target system, without possessing the requisite credentials. Reflection attacks are of great concern to authentication protocols that rely on a challenge-handshake or similar mechanism. An adversary can impersonate a legitimate user and can gain illegitimate access to the system by successfully mounting a reflection attack during authentication. | 2014-06-23 02:00:00 |
Capec: CAPEC-90
Cwe: CWE-301 Cwe: CWE-303 |
2021-10-21 02:00:00 | 2.1 |
Authorization:
|
Communications |
|
Explore
Experiment
Exploit
|
High |
|
|
Medium: The attacker needs to have knowledge of observing the protocol exchange and managing the required connections in order to issue and respond to challenges | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Cryptanalysis | Standard | Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as: Total Break (finding the secret key), Global Deduction (finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key), Information Deduction (gaining some information about plaintexts or ciphertexts that was not previously known) and Distinguishing Algorithm (the attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits). | 2014-06-23 02:00:00 |
Capec: CAPEC-97
Cwe: CWE-327 Cwe: CWE-1204 Cwe: CWE-1240 Cwe: CWE-1241 Cwe: CWE-1279 Owasp Attacks: Cryptanalysis Reference_from_capec: REF-556 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Communications Hardware |
|
Explore
Exploit
|
Low |
|
|
High: Cryptanalysis generally requires a very significant level of understanding of mathematics and computation. | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| Phishing | Standard | Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information. | 2014-06-23 02:00:00 |
Capec: CAPEC-98
Cwe: CWE-451 Attack: T1566 Attack: T1598 Reference_from_capec: REF-656 |
2023-01-24 01:00:00 | 2.1 |
Integrity:
|
Social Engineering |
|
Explore
Exploit
|
High |
|
|
Medium: Basic knowledge about websites: obtaining them, designing and implementing them, etc. | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| DEPRECATED: XML Parser Attack | Standard | This attack pattern has been deprecated as it a generalization of CAPEC-230: XML Nested Payloads and CAPEC-231: XML Oversized Payloads. Please refer to these CAPECs going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-99
|
2019-09-30 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Overflow Buffers | Standard | Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice. | 2014-06-23 02:00:00 |
Capec: CAPEC-100
Cwe: CWE-120 Cwe: CWE-119 Cwe: CWE-131 Cwe: CWE-129 Cwe: CWE-805 Cwe: CWE-680 Wasc: 07 Owasp Attacks: Buffer overflow attack Reference_from_capec: REF-620 |
2021-10-21 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: In most cases, overflowing a buffer does not require advanced skills beyond the ability to notice an overflow and stuff an input variable with content. High: In cases of directed overflows, where the motive is to divert the flow of the program or application as per the adversaries' bidding, high level skills are required. This may involve detailed knowledge of the target system architecture and kernel. | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| Clickjacking | Standard | An adversary tricks a victim into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different, usually an adversary controlled or intended, system. | While being logged in to some target system, the victim visits the adversary's malicious site which displays a UI that the victim wishes to interact with. In reality, the clickjacked page has a transparent layer above the visible UI with action controls that the adversary wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the adversary may have just tricked the victim into executing some potentially privileged (and most certainly undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks they are clicking on versus what they are actually clicking on. | 2014-06-23 02:00:00 |
Capec: CAPEC-103
Cwe: CWE-1021 Owasp Attacks: Clickjacking Reference_from_capec: REF-619 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Social Engineering Software |
|
Experiment
Exploit
|
Medium |
|
|
High: Crafting the proper malicious site and luring the victim to this site are not trivial tasks. | Draft | High | 3.9 | |||||||||||||||||||||||||||
| Cross Zone Scripting | Standard | An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone- based web-browser security. | In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser. | 2014-06-23 02:00:00 |
Capec: CAPEC-104
Cwe: CWE-250 Cwe: CWE-638 Cwe: CWE-285 Cwe: CWE-116 Cwe: CWE-20 |
2022-02-22 01:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Medium |
|
|
Medium: Ability to craft malicious scripts or find them elsewhere and ability to identify functionality that is running web controls in the local zone and to find an injection vector into that functionality | Draft | High | 3.9 | |||||||||||||||||||||||||||
| JSON Hijacking (aka JavaScript Hijacking) | Standard | An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website. | An attacker gets the victim to visit their malicious page that contains a script tag whose source points to the vulnerable system with a URL that requests a response from the server containing a JSON object with possibly confidential information. The malicious page also contains malicious code to capture the JSON object returned by the server before any other processing on it can take place, typically by overriding the JavaScript function used to create new objects. This hook allows the malicious code to get access to the creation of each object and transmit the possibly sensitive contents of the captured JSON object to the attackers' server. There is nothing in the browser's security model to prevent the attackers' malicious JavaScript code (originating from attacker's domain) to set up an environment (as described above) to intercept a JSON object response (coming from the vulnerable target system's domain), read its contents and transmit to the attackers' controlled site. The same origin policy protects the domain object model (DOM), but not the JSON. | 2014-06-23 02:00:00 |
Capec: CAPEC-111
Cwe: CWE-345 Cwe: CWE-346 Cwe: CWE-352 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Medium: Once this attack pattern is developed and understood, creating an exploit is not very complex.The attacker needs to have knowledge of the URLs that need to be accessed on the target system to request the JSON objects. | Draft | High | 3.9 | |||||||||||||||||||||||||||
| Exploit Non-Production Interfaces | Standard | An adversary exploits a sample, demonstration, test, or debug interface that is unintentionally enabled on a production system, with the goal of gleaning information or leveraging functionality that would otherwise be unavailable. | Non-production interfaces are insecure by default and should not be resident on production systems, since they may reveal sensitive information or functionality that should not be known to end-users. However, such interfaces may be unintentionally left enabled on a production system due to configuration errors, supply chain mismanagement, or other pre-deployment activities. Ultimately, failure to properly disable non-production interfaces, in a production environment, may expose a great deal of diagnostic information or functionality to an adversary, which can be utilized to further refine their attack. Moreover, many non-production interfaces do not have adequate security controls or may not have undergone rigorous testing since they were not intended for use in production environments. As such, they may contain many flaws and vulnerabilities that could allow an adversary to severely disrupt a target. | 2014-06-23 02:00:00 |
Capec: CAPEC-121
Cwe: CWE-489 Cwe: CWE-1209 Cwe: CWE-1259 Cwe: CWE-1267 Cwe: CWE-1270 Cwe: CWE-1294 Cwe: CWE-1295 Cwe: CWE-1296 Cwe: CWE-1302 Cwe: CWE-1313 Reference_from_capec: REF-588 Reference_from_capec: REF-589 |
2023-01-24 01:00:00 | 2.1 |
Integrity:
|
Software Hardware |
|
Explore
Exploit
|
Low |
|
|
High: Exploiting non-production interfaces requires significant skill and knowledge about the potential non-production interfaces left enabled in production. | Stable | High | 3.9 | |||||||||||||||||||||||||||
| Path Traversal | Standard | An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \\) and/or dots (.)) to reach desired directories or files. | 2014-06-23 02:00:00 |
Capec: CAPEC-126
Cwe: CWE-22 Wasc: 33 Owasp Attacks: Path Traversal Reference_from_capec: REF-1 Reference_from_capec: REF-9 Reference_from_capec: REF-10 |
2022-09-29 02:00:00 | 2.1 |
|
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: Simple command line attacks or to inject the malicious payload in a web page. Medium: Customizing attacks to bypass non trivial filters in the application. | Draft | Very High | 3.9 | |||||||||||||||||||||||||||
| Integer Attacks | Standard | An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. For example, adding one to the largest positive integer in a signed integer variable results in a negative number. Negative numbers may be illegal in an application and the application may prevent an attacker from providing them directly, but the application may not consider that adding two positive numbers can create a negative number do to the structure of integer storage formats. | 2014-06-23 02:00:00 |
Capec: CAPEC-128
Cwe: CWE-682 |
2017-08-04 02:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Try All Common Switches | Standard | An attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target. For example, in some applications, adding a --debug switch causes debugging information to be displayed, which can sometimes reveal sensitive processing or configuration information to an attacker. This attack differs from other forms of API abuse in that the attacker is indiscriminately attempting to invoke options in the hope that one of them will work rather than specifically targeting a known option. Nonetheless, even if the attacker is familiar with the published options of a targeted application this attack method may still be fruitful as it might discover unpublicized functionality. | 2014-06-23 02:00:00 |
Capec: CAPEC-133
Cwe: CWE-912 |
2021-10-21 02:00:00 | 2.1 |
Software |
Explore
Experiment
Exploit
|
None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Email Injection | Standard | An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol. | Many applications allow users to send email messages by filling in fields. For example, a web site may have a link to "share this site with a friend" where the user provides the recipient's email address and the web application fills out all the other fields, such as the subject and body. In this pattern, an adversary adds header and body information to an email message by injecting additional content in an input field used to construct a header of the mail message. This attack takes advantage of the fact that RFC 822 requires that headers in a mail message be separated by a carriage return. As a result, an adversary can inject new headers or content simply by adding a delimiting carriage return and then supplying the new heading and body information. This attack will not work if the user can only supply the message body since a carriage return in the body is treated as a normal character. | 2014-06-23 02:00:00 |
Capec: CAPEC-134
Cwe: CWE-150 Wasc: 30 |
2022-02-22 01:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Format String Injection | Standard | An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack. | 2014-06-23 02:00:00 |
Capec: CAPEC-135
Cwe: CWE-134 Cwe: CWE-20 Cwe: CWE-74 Owasp Attacks: Format string attack Reference_from_capec: REF-14 Reference_from_capec: REF-15 Reference_from_capec: REF-616 |
2021-06-24 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
High: In order to discover format string vulnerabilities it takes only low skill, however, converting this discovery into a working exploit requires advanced knowledge on the part of the adversary. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| LDAP Injection | Standard | An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value. | 2014-06-23 02:00:00 |
Capec: CAPEC-136
Cwe: CWE-77 Cwe: CWE-90 Cwe: CWE-20 Wasc: 29 Owasp Attacks: LDAP Injection Reference_from_capec: REF-17 Reference_from_capec: REF-608 |
2020-12-17 01:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
|
High |
|
Medium: The attacker needs to have knowledge of LDAP, especially its query syntax. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Reflection Injection | Standard | An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application. | 2014-06-23 02:00:00 |
Capec: CAPEC-138
Cwe: CWE-470 |
2023-01-24 01:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Very High | 3.9 | |||||||||||||||||||||||||||||||
| Bypassing of Intermediate Forms in Multiple-Form Sets | Standard | Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amount of information being collected or if information on earlier forms is used to pre- populate fields or determine which additional information the application needs to collect. An attacker who knows the names of the various forms in the sequence may be able to explicitly type in the name of a later form and navigate to it without first going through the previous forms. This can result in incomplete collection of information, incorrect assumptions about the information submitted by the attacker, or other problems that can impair the functioning of the application. | 2014-06-23 02:00:00 |
Capec: CAPEC-140
Cwe: CWE-372 |
2020-07-30 02:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Cache Poisoning | Standard | An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value. | 2014-06-23 02:00:00 |
Capec: CAPEC-141
Cwe: CWE-348 Cwe: CWE-345 Cwe: CWE-349 Cwe: CWE-346 Attack: T1557.002 Owasp Attacks: Cache Poisoning Reference_from_capec: REF-22 Reference_from_capec: REF-23 Reference_from_capec: REF-24 Reference_from_capec: REF-599 |
2022-09-29 02:00:00 | 2.1 |
Software |
|
Explore
Experiment
Exploit
|
High |
|
Medium: To overwrite/modify targeted cache | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Collect Data from Common Resource Locations | Standard | An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks. | 2014-06-23 02:00:00 |
Capec: CAPEC-150
Cwe: CWE-552 Cwe: CWE-1239 Cwe: CWE-1258 Cwe: CWE-1266 Cwe: CWE-1272 Cwe: CWE-1323 Cwe: CWE-1330 Attack: T1003 Attack: T1119 Attack: T1213 Attack: T1530 Attack: T1555 Attack: T1602 |
2023-01-24 01:00:00 | 2.1 |
Software Physical Security Hardware |
|
None | None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Sniffing Attacks | Standard | In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/or hear the communication traffic, but not necessarily block the communication or change its content. Any transmission medium can theoretically be sniffed if the adversary can examine the contents between the sender and recipient. Sniffing Attacks are similar to Adversary-In-The-Middle attacks (CAPEC-94), but are entirely passive. AiTM attacks are predominantly active and often alter the content of the communications themselves. | 2014-06-23 02:00:00 |
Capec: CAPEC-157
Cwe: CWE-311 |
2022-02-22 01:00:00 | 2.1 |
Confidentiality:
|
Communications Software |
Explore
Experiment
Exploit
|
None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Redirect Access to Libraries | Standard | An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversary supplied library or code base. This pattern of attack allows the adversary to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. If an adversary can redirect an application's attempts to access these libraries to other libraries that the adversary supplies, the adversary will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation. | 2014-06-23 02:00:00 |
Capec: CAPEC-159
Cwe: CWE-706 Attack: T1574.008 Reference_from_capec: REF-29 Reference_from_capec: REF-30 |
2022-09-29 02:00:00 | 2.1 |
Authorization:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: To modify the entries in the configuration file pointing to malicious libraries High: To reverse engineering the libraries and inject malicious code into the libraries Medium: To force symlink and timing issues for redirecting access to libraries | Stable | Very High | 3.9 | |||||||||||||||||||||||||||||
| Exploit Script-Based APIs | Standard | Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support | 2014-06-23 02:00:00 |
Capec: CAPEC-160
Cwe: CWE-346 |
2021-10-21 02:00:00 | 2.1 |
Software |
Explore
Experiment
Exploit
|
None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Force the System to Reset Values | Standard | An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions. | Since these functions are usually intended as emergency features to return an application to a stable configuration if the current configuration degrades functionality, they may not be as strongly secured as other configuration options. The resetting of values is dangerous as it may enable undesired functionality, disable services, or modify access controls. At the very least this is a nuisance attack since the administrator will need to re-apply their configuration. At worst, this attack can open avenues for powerful attacks against the application, and, if it isn't obvious that the configuration has been reset, these vulnerabilities may be present a long time before they are notices. | 2014-06-23 02:00:00 |
Capec: CAPEC-166
Cwe: CWE-306 Cwe: CWE-1221 Cwe: CWE-1232 |
2022-02-22 01:00:00 | 2.1 |
Software Hardware |
None | None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| White Box Reverse Engineering | Standard | An attacker discovers the structure, function, and composition of a type of computer software through white box analysis techniques. White box techniques involve methods which can be applied to a piece of software when an executable or some other compiled object can be directly subjected to analysis, revealing at least a portion of its machine instructions that can be observed upon execution. | 2014-06-23 02:00:00 |
Capec: CAPEC-167
Cwe: CWE-1323 |
2023-01-24 01:00:00 | 2.1 |
Software Physical Security Hardware |
None | None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Calling Micro-Services Directly | Standard | An attacker is able to discover and query Micro-services at a web location and thereby expose the Micro-services to further exploitation by gathering information about their implementation and function. Micro-services in web pages allow portions of a page to connect to the server and update content without needing to cause the entire page to update. This allows user activity to change portions of the page more quickly without causing disruptions elsewhere. | However, these micro-services may not be subject to the same level of security review as other forms of content. For example, a micro-service that posts requests to a server that are turned into SQL queries may not adequately protect against SQL-injection attacks. As a result, micro-services may provide another vector for a range of attacks. It should be emphasized that the presence of micro-services does not necessarily make a site vulnerable to attack, but they do provide additional complexity to a web page and therefore may contain vulnerabilities that support other attack patterns. | 2014-06-23 02:00:00 |
Capec: CAPEC-179
|
2022-02-22 01:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Exploiting Incorrectly Configured Access Control Security Levels | Standard | An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack. | Most commonly, attackers would take advantage of controls that provided too little protection for sensitive activities in order to perform actions that should be denied to them. In some circumstances, an attacker may be able to take advantage of overly restrictive access control policies, initiating denial of services (if an application locks because it unexpectedly failed to be granted access) or causing other legitimate actions to fail due to security. The latter class of attacks, however, is usually less severe and easier to detect than attacks based on inadequate security restrictions. This attack pattern differs from CAPEC 1, "Accessing Functionality Not Properly Constrained by ACLs" in that the latter describes attacks where sensitive functionality lacks access controls, where, in this pattern, the access control is present, but incorrectly configured. | 2014-06-23 02:00:00 |
Capec: CAPEC-180
Cwe: CWE-732 Cwe: CWE-1190 Cwe: CWE-1191 Cwe: CWE-1193 Cwe: CWE-1220 Cwe: CWE-1268 Cwe: CWE-1280 Cwe: CWE-1297 Cwe: CWE-1311 Cwe: CWE-1315 Cwe: CWE-1318 Cwe: CWE-1320 Cwe: CWE-1321 Attack: T1574.010 Reference_from_capec: REF-29 Reference_from_capec: REF-30 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software Hardware |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: In order to discover unrestricted resources, the attacker does not need special tools or skills. They only have to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly. | Draft | Medium | 3.9 | |||||||||||||||||||||||||||
| Flash Injection | Standard | An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker. | 2014-06-23 02:00:00 |
Capec: CAPEC-182
Cwe: CWE-20 Cwe: CWE-184 Cwe: CWE-697 Reference_from_capec: REF-46 Reference_from_capec: REF-47 Reference_from_capec: REF-48 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Social Engineering Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Medium: The attacker needs to have knowledge of Flash, especially how to insert content the executes commands. | Draft | Medium | 3.9 | ||||||||||||||||||||||||||||
| IMAP/SMTP Command Injection | Standard | An adversary exploits weaknesses in input validation on web-mail servers to execute commands on the IMAP/SMTP server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back- end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands. | 2014-06-23 02:00:00 |
Capec: CAPEC-183
Cwe: CWE-77 Reference_from_capec: REF-49 |
2022-02-22 01:00:00 | 2.1 |
Software |
Explore
Experiment
Exploit
|
None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Malicious Software Download | Standard | An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code that originates from an attacker controlled source. There are several variations to this strategy of attack. | 2014-06-23 02:00:00 |
Capec: CAPEC-185
Cwe: CWE-494 |
2022-09-29 02:00:00 | 2.1 |
Software |
None | None | Draft | Very High | 3.9 | |||||||||||||||||||||||||||||||||
| Malicious Software Update | Standard | An adversary uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that originates from an adversary controlled source. | Although there are several variations to this strategy of attack, the attack methods are united in that all rely on the ability of an adversary to position and disguise malicious content such that it masquerades as a legitimate software update which is then processed by a program, undermining application integrity. As such the attack employs 'spoofing' techniques augmented by psychological or technological mechanisms to disguise the update and/or its source. Virtually all software requires frequent updates or patches, giving the adversary immense latitude when structuring the attack, as well as many targets of opportunity. Automated attacks involving malicious software updates require little to no user-directed activity and are therefore advantageous because they avoid the complex preliminary setup stages of manual attacks, which must effectively 'hook' users while avoiding countermeasures such as spam filters or web security filters. | 2014-06-23 02:00:00 |
Capec: CAPEC-186
Cwe: CWE-494 Attack: T1195.002 Reference_from_capec: REF-697 |
2022-09-29 02:00:00 | 2.1 |
Availability:
|
Social Engineering Supply Chain Software |
|
Explore
Experiment
Exploit
|
None |
|
High: This attack requires advanced cyber capabilities | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Black Box Reverse Engineering | Standard | An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds. | 2014-06-23 02:00:00 |
Capec: CAPEC-189
Cwe: CWE-203 Cwe: CWE-1255 Cwe: CWE-1300 |
2022-02-22 01:00:00 | 2.1 |
Software Physical Security Hardware |
None | None |
|
Draft | Low | 3.9 | ||||||||||||||||||||||||||||||||
| Fake the Source of Data | Standard | An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation. | 2014-06-23 02:00:00 |
Capec: CAPEC-194
Cwe: CWE-287 Wasc: 38 |
2021-06-24 02:00:00 | 2.1 |
Integrity:
|
Social Engineering Software Hardware |
None | None |
|
|
Stable | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Principal Spoof | Standard | A Principal Spoof is a form of Identity Spoofing where an adversary pretends to be some other person in an interaction. This is often accomplished by crafting a message (either written, verbal, or visual) that appears to come from a person other than the adversary. Phishing and Pharming attacks often attempt to do this so that their attempts to gather sensitive information appear to come from a legitimate source. A Principal Spoof does not use stolen or spoofed authentication credentials, instead relying on the appearance and content of the message to reflect identity. | The possible outcomes of a Principal Spoof mirror those of Identity Spoofing. (e.g., escalation of privilege and false attribution of data or activities) Likewise, most techniques for Identity Spoofing (crafting messages or intercepting and replaying or modifying messages) can be used for a Principal Spoof attack. However, because a Principal Spoof is used to impersonate a person, social engineering can be both an attack technique (using social techniques to generate evidence in support of a false identity) as well as a possible outcome (manipulating people's perceptions by making statements or performing actions under a target's name). | 2014-06-23 02:00:00 |
Capec: CAPEC-195
|
2023-01-24 01:00:00 | 2.1 |
Social Engineering Communications |
None | None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Session Credential Falsification through Forging | Standard | An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials. | 2014-06-23 02:00:00 |
Capec: CAPEC-196
Cwe: CWE-384 Cwe: CWE-664 Attack: T1134.002 Attack: T1134.003 Attack: T1606 Reference_from_capec: REF-62 Reference_from_capec: REF-63 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Medium |
|
|
Medium: Forge the session credential and reply the request. | Draft | Medium | 3.9 | ||||||||||||||||||||||||||||
| Create Malicious Client | Standard | An adversary creates a client application to interface with a target service where the client violates assumptions the service makes about clients. Services that have designated client applications (as opposed to services that use general client applications, such as IMAP or POP mail servers which can interact with any IMAP or POP client) may assume that the client will follow specific procedures. | For example, servers may assume that clients will accurately compute values (such as prices), will send correctly structured messages, and will attempt to ensure efficient interactions with the server. By reverse-engineering a client and creating their own version, an adversary can take advantage of these assumptions to abuse service functionality. For example, a purchasing service might send a unit price to its client and expect the client to correctly compute the total cost of a purchase. If the adversary uses a malicious client, however, the adversary could ignore the server input and declare any total price. Likewise, an adversary could configure the client to retain network or other server resources for longer than legitimately necessary in order to degrade server performance. Even services with general clients can be susceptible to this attack if they assume certain client behaviors. However, such services generally can make fewer assumptions about the behavior of their clients in the first place and, as such, are less likely to make assumptions that an adversary can exploit. | 2014-06-23 02:00:00 |
Capec: CAPEC-202
Cwe: CWE-602 |
2022-02-22 01:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Manipulate Registry Information | Standard | An adversary exploits a weakness in authorization in order to modify content within a registry (e.g., Windows Registry, Mac plist, application registry). Editing registry information can permit the adversary to hide configuration information or remove indicators of compromise to cover up activity. Many applications utilize registries to store configuration and service information. As such, modification of registry information can affect individual services (affecting billing, authorization, or even allowing for identity spoofing) or the overall configuration of a targeted application. For example, both Java RMI and SOAP use registries to track available services. Changing registry values is sometimes a preliminary step towards completing another attack pattern, but given the long term usage of many registry values, manipulation of registry information could be its own end. | 2014-06-23 02:00:00 |
Capec: CAPEC-203
Cwe: CWE-15 Attack: T1112 Attack: T1647 |
2022-09-29 02:00:00 | 2.1 |
Software |
|
None | None |
|
|
High: The adversary requires privileged credentials or the development/acquiring of a tailored remote access tool. | Stable | Medium | 3.9 | |||||||||||||||||||||||||||||
| Removing Important Client Functionality | Standard | An adversary removes or disables functionality on the client that the server assumes to be present and trustworthy. | Adversaries can, in some cases, get around logic put in place to 'guard' sensitive functionality or data. Client applications may include functionality that a server relies on for correct and secure operation. This functionality can include, but is not limited to, filters to prevent the sending of dangerous content to the server, logical functionality such as price calculations, and authentication logic to ensure that only authorized users are utilizing the client. If an adversary can disable this functionality on the client, they can perform actions that the server believes are prohibited. This can result in client behavior that violates assumptions by the server leading to a variety of possible attacks. In the above examples, this could include the sending of dangerous content (such as scripts) to the server, incorrect price calculations, or unauthorized access to server resources. | 2014-06-23 02:00:00 |
Capec: CAPEC-207
Cwe: CWE-602 Reference_from_capec: REF-75 Reference_from_capec: REF-76 Reference_from_capec: REF-77 |
2023-01-24 01:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Medium |
|
|
Low: The adversary installs a web tool that allows scripts or the DOM model of web-based applications to be modified before they are executed in a browser. GreaseMonkey and Firebug are two examples of such tools. High: To reverse engineer the client-side code to disable/remove the functionality on the client that the server relies on. | Draft | High | 3.9 | |||||||||||||||||||||||||||
| DEPRECATED: Directory Traversal | Standard | This attack pattern has been deprecated as it is a duplicate of the existing attack pattern "CAPEC-126 : Path Traversal". Please refer to this other CAPEC going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-213
|
2017-08-04 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Exploiting Incorrectly Configured SSL/TLS | Standard | An adversary takes advantage of incorrectly configured SSL/TLS communications that enables access to data intended to be encrypted. The adversary may also use this type of attack to inject commands or other traffic into the encrypted stream to cause compromise of either the client or server. | SSL/TLS communications become vulnerable to this attack when they use outdated versions and insecure ciphers. Currently, all SSL versions are deprecated and TLS versions 1.0 and 1.1 are also deprecated due to being insecure. It is still possible for later versions of TLS to be insecure if they are configured with insecure ciphers such as 3DES or RC4. | 2014-06-23 02:00:00 |
Capec: CAPEC-217
Cwe: CWE-201 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Communications |
|
Explore
Experiment
Exploit
|
Low |
|
|
High: The adversary needs real-time access to network traffic in such a manner that the adversary can grab needed information from the SSL stream, possibly influence the decided-upon encryption method and options, and perform automated analysis to decipher encrypted material recovered. Tools exist to automate part of the tasks, but to successfully use these tools in an attack scenario requires detailed understanding of the underlying principles. | Draft | None | 3.9 | |||||||||||||||||||||||||||
| XML Routing Detour Attacks | Standard | An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Adversary in the Middle type attacks (CAPEC-94). The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of their choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information. | 2014-06-23 02:00:00 |
Capec: CAPEC-219
Cwe: CWE-441 Cwe: CWE-610 Wasc: 32 Wasc: 44 Reference_from_capec: REF-80 Reference_from_capec: REF-81 Reference_from_capec: REF-65 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Communications Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: To inject a bogus node in the XML routing table | Draft | Medium | 3.9 | ||||||||||||||||||||||||||||
| Client-Server Protocol Manipulation | Standard | An adversary takes advantage of weaknesses in the protocol by which a client and server are communicating to perform unexpected actions. Communication protocols are necessary to transfer messages between client and server applications. Moreover, different protocols may be used for different types of interactions. | For example, an authentication protocol might be used to establish the identities of the server and client while a separate messaging protocol might be used to exchange data. If there is a weakness in a protocol used by the client and server, an attacker might take advantage of this to perform various types of attacks. For example, if the attacker is able to manipulate an authentication protocol, the attacker may be able spoof other clients or servers. If the attacker is able to manipulate a messaging protocol, the may be able to read sensitive information or modify message contents. This attack is often made easier by the fact that many clients and servers support multiple protocols to perform similar roles. For example, a server might support several different authentication protocols in order to support a wide range of clients, including legacy clients. Some of the older protocols may have vulnerabilities that allow an attacker to manipulate client-server interactions. | 2014-06-23 02:00:00 |
Capec: CAPEC-220
Cwe: CWE-757 |
2022-02-22 01:00:00 | 2.1 |
Communications Software |
None | None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Serialized Data with Nested Payloads | Standard | Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. | An adversary's goal is to leverage parser failure to their advantage. In most cases this type of an attack will result in a Denial of Service due to an application becoming unstable, freezing, or crashing. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [REF-89]. This attack is most closely associated with web services using SOAP or a Rest API, because remote service requesters can post malicious payloads to the service provider. The main weakness is that the service provider generally must inspect, parse, and validate the messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that this attack targets. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends. | 2014-06-23 02:00:00 |
Capec: CAPEC-230
Cwe: CWE-112 Cwe: CWE-20 Cwe: CWE-674 Cwe: CWE-770 Reference_from_capec: REF-89 |
2021-10-21 02:00:00 | 2.1 |
|
Integrity:
|
Software |
Explore
Exploit
|
Medium |
|
Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Oversized Serialized Data Payloads | Standard | An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution. | Applications often need to transform data in and out of serialized data formats, such as XML and YAML, by using a data parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the parser, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An adversary's goal is to leverage parser failure to their advantage. DoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious data payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends. | 2014-06-23 02:00:00 |
Capec: CAPEC-231
Cwe: CWE-112 Cwe: CWE-20 Cwe: CWE-674 Cwe: CWE-770 Reference_from_capec: REF-89 |
2022-09-29 02:00:00 | 2.1 |
|
Integrity:
|
Software |
Explore
Experiment
|
Medium |
|
Low: Denial of service High: Arbitrary code execution | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Hijacking a privileged process | Standard | An adversary gains control of a process that is assigned elevated privileges in order to execute arbitrary code with those privileges. Some processes are assigned elevated privileges on an operating system, usually through association with a particular user, group, or role. If an attacker can hijack this process, they will be able to assume its level of privilege in order to execute their own code. | 2014-06-23 02:00:00 |
Capec: CAPEC-234
Cwe: CWE-732 Cwe: CWE-648 |
2021-10-21 02:00:00 | 2.1 |
Software |
Explore
Experiment
Exploit
|
None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| DEPRECATED: Linux Terminal Injection | Standard | This attack pattern has been deprecated as it is covered by "CAPEC-40 : Manipulating Writeable Terminal Devices". Please refer to this CAPEC going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-249
|
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| XML Injection | Standard | An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information. | 2014-06-23 02:00:00 |
Capec: CAPEC-250
Cwe: CWE-91 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-707 Wasc: 23 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: An attacker must have knowledge of XML syntax and constructs in order to successfully leverage XML Injection | Draft | None | 3.9 | ||||||||||||||||||||||||||||
| Local Code Inclusion | Standard | The attacker forces an application to load arbitrary code files from the local machine. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways. | 2014-06-23 02:00:00 |
Capec: CAPEC-251
Cwe: CWE-829 Attack: T1055 Reference_from_capec: REF-613 |
2020-12-17 01:00:00 | 2.1 |
Integrity:
|
Software |
None | None |
|
|
Stable | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Remote Code Inclusion | Standard | The attacker forces an application to load arbitrary code files from a remote location. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load malicious files that the attacker placed on the remote machine, or to otherwise change the functionality of the targeted application in unexpected ways. | 2014-06-23 02:00:00 |
Capec: CAPEC-253
Cwe: CWE-829 Wasc: 05 Reference_from_capec: REF-614 |
2021-06-24 02:00:00 | 2.1 |
Software |
None | None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| DEPRECATED: Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Patching | Standard | This attack pattern has been deprecated as it is a duplicate of the existing attack pattern "CAPEC-65 : Sniff Application Code". Please refer to this other CAPEC going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-259
|
2017-08-04 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Leverage Alternate Encoding | Standard | An adversary leverages the possibility to encode potentially harmful input or content used by applications such that the applications are ineffective at validating this encoding standard. | 2014-06-23 02:00:00 |
Capec: CAPEC-267
Cwe: CWE-173 Cwe: CWE-172 Cwe: CWE-180 Cwe: CWE-181 Cwe: CWE-73 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-697 Cwe: CWE-692 Attack: T1027 Reference_from_capec: REF-108 Reference_from_capec: REF-109 Reference_from_capec: REF-110 Reference_from_capec: REF-69 Reference_from_capec: REF-112 Reference_from_capec: REF-113 Reference_from_capec: REF-114 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
|
High |
|
Low: An adversary can inject different representation of a filtered character in a different encoding. Medium: An adversary may craft subtle encoding of input data by using the knowledge that they have gathered about the target host. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Audit Log Manipulation | Standard | The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions. | 2014-06-23 02:00:00 |
Capec: CAPEC-268
Cwe: CWE-117 Attack: T1070 Attack: T1562.002 Attack: T1562.003 Attack: T1562.008 Owasp Attacks: Log Injection |
2022-09-29 02:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | None | 3.9 | |||||||||||||||||||||||||||||||
| Schema Poisoning | Standard | An adversary corrupts or modifies the content of a schema for the purpose of undermining the security of the target. Schemas provide the structure and content definitions for resources used by an application. By replacing or modifying a schema, the adversary can affect how the application handles or interprets a resource, often leading to possible denial of service, entering into an unexpected state, or recording incomplete data. | 2014-06-23 02:00:00 |
Capec: CAPEC-271
Cwe: CWE-15 |
2023-01-24 01:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Low |
|
|
Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Inter-component Protocol Manipulation | Standard | Inter-component protocols are used to communicate between different software and hardware modules within a single computer. Common examples are: interrupt signals and data pipes. Subverting the protocol can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself. | 2014-06-23 02:00:00 |
Capec: CAPEC-276
Cwe: CWE-707 |
2018-07-31 02:00:00 | 2.1 |
Communications Software |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Data Interchange Protocol Manipulation | Standard | Data Interchange Protocols are used to transmit structured data between entities. These protocols are often specific to a particular domain (B2B: purchase orders, invoices, transport logistics and waybills, medical records). They are often, but not always, XML-based. Subverting the protocol can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself. | 2014-06-23 02:00:00 |
Capec: CAPEC-277
Cwe: CWE-707 |
2019-04-04 02:00:00 | 2.1 |
Communications Software |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Web Services Protocol Manipulation | Standard | An adversary manipulates a web service related protocol to cause a web application or service to react differently than intended. This can either be performed through the manipulation of call parameters to include unexpected values, or by changing the called function to one that should normally be restricted or limited. By leveraging this pattern of attack, the adversary is able to gain access to data or resources normally restricted, or to cause the application or service to crash. | 2014-06-23 02:00:00 |
Capec: CAPEC-278
Cwe: CWE-707 |
2019-04-04 02:00:00 | 2.1 |
Communications Software |
None | None |
|
|
Draft | None | 3.9 | |||||||||||||||||||||||||||||||
| Host Discovery | Standard | An adversary sends a probe to an IP address to determine if the host is alive. Host discovery is one of the earliest phases of network reconnaissance. The adversary usually starts with a range of IP addresses belonging to a target network and uses various methods to determine if a host is present at that IP address. Host discovery is usually referred to as 'Ping' scanning using a sonar analogy. The goal is to send a packet through to the IP address and solicit a response from the host. As such, a 'ping' can be virtually any crafted packet whatsoever, provided the adversary can identify a functional host based on its response. An attack of this nature is usually carried out with a 'ping sweep,' where a particular kind of ping is sent to a range of IP addresses. | 2014-06-23 02:00:00 |
Capec: CAPEC-292
Cwe: CWE-200 Attack: T1018 Reference_from_capec: REF-33 Reference_from_capec: REF-34 |
2020-12-17 01:00:00 | 2.1 |
Authorization:
|
Communications Software |
None | None |
|
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| Port Scanning | Standard | An adversary uses a combination of techniques to determine the state of the ports on a remote target. Any service or application available for TCP or UDP networking will have a port open for communications over the network. | Although common services have assigned port numbers, services and applications can run on arbitrary ports. Additionally, port scanning is complicated by the potential for any machine to have up to 65535 possible UDP or TCP services. The goal of port scanning is often broader than identifying open ports, but also give the adversary information concerning the firewall configuration. Depending upon the method of scanning that is used, the process can be stealthy or more obtrusive, the latter being more easily detectable due to the volume of packets involved, anomalous packet traits, or system logging. Typical port scanning activity involves sending probes to a range of ports and observing the responses. There are four port statuses that this type of attack aims to identify: open, closed, filtered, and unfiltered. For strategic purposes it is useful for an adversary to distinguish between an open port that is protected by a filter vs. a closed port that is not protected by a filter. Making these fine grained distinctions is requires certain scan types. Collecting this type of information tells the adversary which ports can be attacked directly, which must be attacked with filter evasion techniques like fragmentation, source port scans, and which ports are unprotected (i.e. not firewalled) but aren't hosting a network service. An adversary often combines various techniques in order to gain a more complete picture of the firewall filtering mechanisms in place for a host. | 2014-06-23 02:00:00 |
Capec: CAPEC-300
Cwe: CWE-200 Attack: T1046 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-158 Reference_from_capec: REF-34 Reference_from_capec: REF-130 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Communications Software |
None | None |
|
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| Network Topology Mapping | Standard | An adversary engages in scanning activities to map network nodes, hosts, devices, and routes. Adversaries usually perform this type of network reconnaissance during the early stages of attack against an external network. Many types of scanning utilities are typically employed, including ICMP tools, network mappers, port scanners, and route testing utilities such as traceroute. | 2014-06-23 02:00:00 |
Capec: CAPEC-309
Cwe: CWE-200 Attack: T1016 Attack: T1049 Attack: T1590 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-130 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Software |
None | None |
|
|
Draft | Low | 3.9 | ||||||||||||||||||||||||||||||
| DEPRECATED: OS Fingerprinting | Standard | This pattern has been deprecated as it was determined to be an unnecessary layer of abstraction. Please refer to the standard level patterns CAPEC-312 : Active OS Fingerprinting or CAPEC-313 : Passive OS Fingerprinting going forward, or to any of the detailed patterns that are children of them. | 2014-06-23 02:00:00 |
Capec: CAPEC-311
|
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Active OS Fingerprinting | Standard | An adversary engages in activity to detect the operating system or firmware version of a remote target by interrogating a device, server, or platform with a probe designed to solicit behavior that will reveal information about the operating systems or firmware in the environment. Operating System detection is possible because implementations of common protocols (Such as IP or TCP) differ in distinct ways. While the implementation differences are not sufficient to 'break' compatibility with the protocol the differences are detectable because the target will respond in unique ways to specific probing activity that breaks the semantic or logical rules of packet construction for a protocol. Different operating systems will have a unique response to the anomalous input, providing the basis to fingerprint the OS behavior. This type of OS fingerprinting can distinguish between operating system types and versions. | 2014-06-23 02:00:00 |
Capec: CAPEC-312
Cwe: CWE-200 Attack: T1082 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-212 Reference_from_capec: REF-130 |
2018-07-31 02:00:00 | 2.1 |
Authorization:
|
Software |
None | Medium |
|
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| Passive OS Fingerprinting | Standard | An adversary engages in activity to detect the version or type of OS software in a an environment by passively monitoring communication between devices, nodes, or applications. Passive techniques for operating system detection send no actual probes to a target, but monitor network or client-server communication between nodes in order to identify operating systems based on observed behavior as compared to a database of known signatures or values. While passive OS fingerprinting is not usually as reliable as active methods, it is generally better able to evade detection. | 2014-06-23 02:00:00 |
Capec: CAPEC-313
Cwe: CWE-200 Attack: T1082 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-212 Reference_from_capec: REF-130 |
2022-09-29 02:00:00 | 2.1 |
Authorization:
|
Software |
None | High |
|
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| DEPRECATED: IP Fingerprinting Probes | Standard | This pattern has been deprecated as it was determined to be an unnecessary layer of abstraction. Please refer to the standard level pattern CAPEC-312 : Active OS Fingerprinting going forward, or to any of the detailed patterns that children of CAPEC-312. | 2014-06-23 02:00:00 |
Capec: CAPEC-314
|
2017-05-01 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: TCP/IP Fingerprinting Probes | Standard | This pattern has been deprecated as it was determined to be an unnecessary layer of abstraction. Please refer to the standard level pattern CAPEC-312 : Active OS Fingerprinting going forward, or to any of the detailed patterns that are children of CAPEC-312. | 2014-06-23 02:00:00 |
Capec: CAPEC-315
|
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: ICMP Fingerprinting Probes | Standard | This pattern has been deprecated as it was determined to be an unnecessary layer of abstraction. Please refer to the standard level pattern CAPEC-312 : Active OS Fingerprinting going forward, or to any of the detailed patterns that are children of CAPEC-312. | 2014-06-23 02:00:00 |
Capec: CAPEC-316
|
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Application API Message Manipulation via Man-in-the-Middle | Standard | An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to perform adversary-in- the-middle (CAPEC-94) communications between the web browser and the remote system. Despite the use of AiTH software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true "Adversary-in-the-Middle" attack at the network layer, but an application- layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client. | 2014-06-23 02:00:00 |
Capec: CAPEC-384
Cwe: CWE-471 Cwe: CWE-345 Cwe: CWE-346 Cwe: CWE-602 Cwe: CWE-311 Reference_from_capec: REF-327 |
2021-06-24 02:00:00 | 2.1 |
Communications Software |
None | None |
|
|
Draft | Low | 3.9 | |||||||||||||||||||||||||||||||
| Application API Navigation Remapping | Standard | An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud. | 2014-06-23 02:00:00 |
Capec: CAPEC-386
Cwe: CWE-471 Cwe: CWE-345 Cwe: CWE-346 Cwe: CWE-602 Cwe: CWE-311 Reference_from_capec: REF-327 |
2021-06-24 02:00:00 | 2.1 |
Communications Software |
None | None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Bypassing Physical Locks | Standard | An attacker uses techniques and methods to bypass physical security measures of a building or facility. Physical locks may range from traditional lock and key mechanisms, cable locks used to secure laptops or servers, locks on server cases, or other such devices. Techniques such as lock bumping, lock forcing via snap guns, or lock picking can be employed to bypass those locks and gain access to the facilities or devices they protect, although stealth, evidence of tampering, and the integrity of the lock following an attack, are considerations that may determine the method employed. Physical locks are limited by the complexity of the locking mechanism. While some locks may offer protections such as shock resistant foam to prevent bumping or lock forcing methods, many commonly employed locks offer no such countermeasures. | 2014-06-23 02:00:00 |
Capec: CAPEC-391
Reference_from_capec: REF-33 |
2019-09-30 02:00:00 | 2.1 |
Physical Security |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Bypassing Electronic Locks and Access Controls | Standard | An attacker exploits security assumptions to bypass electronic locks or other forms of access controls. Most attacks against electronic access controls follow similar methods but utilize different tools. Some electronic locks utilize magnetic strip cards, others employ RFID tags embedded within a card or badge, or may involve more sophisticated protections such as voice-print, thumb-print, or retinal biometrics. Magnetic Strip and RFID technologies are the most widespread because they are cost effective to deploy and more easily integrated with other electronic security measures. These technologies share common weaknesses that an attacker can exploit to gain access to a facility protected by the mechanisms via copying legitimate cards or badges, or generating new cards using reverse-engineered algorithms. | 2014-06-23 02:00:00 |
Capec: CAPEC-395
Reference_from_capec: REF-33 |
2014-06-23 02:00:00 | 2.1 |
Physical Security |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| DEPRECATED: Bypassing Card or Badge-Based Systems | Standard | This attack pattern has been deprecated as it a generalization of CAPEC-397: Cloning Magnetic Strip Cards, CAPEC-398: Magnetic Strip Card Brute Force Attacks, CAPEC-399: Cloning RFID Cards or Chips and CAPEC-400: RFID Chip Deactivation or Destruction. Please refer to these CAPECs going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-396
|
2019-09-30 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Physically Hacking Hardware | Standard | An adversary exploits a weakness in access control to gain access to currently installed hardware and precedes to implement changes or secretly replace a hardware component which undermines the system's integrity for the purpose of carrying out an attack. | 2014-06-23 02:00:00 |
Capec: CAPEC-401
Cwe: CWE-1263 |
2020-07-30 02:00:00 | 2.1 |
Supply Chain Physical Security Hardware |
|
None | Low | Stable | High | 3.9 | ||||||||||||||||||||||||||||||||
| Pretexting | Standard | An adversary engages in pretexting behavior to solicit information from target persons, or manipulate the target into performing some action that serves the adversary's interests. During a pretexting attack, the adversary creates an invented scenario, assuming an identity or role to persuade a targeted victim to release information or perform some action. It is more than just creating a lie; in some cases it can be creating a whole new identity and then using that identity to manipulate the receipt of information. | Pretexting can also be used to impersonate people in certain jobs and roles that they never themselves have done. In simple form, these attacks can be leveraged to learn information about a target. More complicated iterations may seek to solicit a target to perform some action that assists the adversary in exploiting organizational weaknesses or obtaining access to secure facilities or systems. Pretexting is not a one-size fits all solution. Good information gathering techniques can make or break a good pretext. A solid pretext is an essential part of building trust. If an adversary’s alias, story, or identity has holes or lacks credibility or even the perception of credibility the target will most likely catch on. | 2014-06-23 02:00:00 |
Capec: CAPEC-407
Attack: T1589 Reference_from_capec: REF-348 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Social Engineering Social Engineering Software |
|
None | Medium |
|
Low: The adversary requires strong inter-personal and communication skills. | Draft | Low | 3.9 | ||||||||||||||||||||||||||||
| Influence Perception | Standard | The adversary uses social engineering to exploit the target's perception of the relationship between the adversary and themselves. This goal is to persuade the target to unknowingly perform an action or divulge information that is advantageous to the adversary. | 2014-06-23 02:00:00 |
Capec: CAPEC-417
Reference_from_capec: REF-348 Reference_from_capec: REF-360 |
2017-08-04 02:00:00 | 2.1 |
Integrity:
|
Social Engineering |
None | High |
|
|
Low: The adversary requires strong inter-personal and communication skills. | Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| Target Influence via Framing | Standard | An adversary uses framing techniques to contextualize a conversation so that the target is more likely to be influenced by the adversary's point of view. Framing is information and experiences in life that alter the way we react to decisions we must make. This type of persuasive technique exploits the way people are conditioned to perceive data and its significance, while avoiding negative or avoidance responses from the target. Rather than a specific technique framing is a methodology of conversation that slowly encourages the target to adopt to the adversary's perspective. One technique of framing is to avoid the use of the word "No" and to contextualize responses in a manner that is positive. When performed skillfully the target is much more likely to volunteer information or perform actions favorable to the adversary. | 2014-06-23 02:00:00 |
Capec: CAPEC-425
Reference_from_capec: REF-348 |
2020-12-17 01:00:00 | 2.1 |
Confidentiality:
|
Social Engineering |
None | Low |
|
Low: The adversary requires strong inter-personal and communication skills. | Draft | Low | 3.9 | ||||||||||||||||||||||||||||||
| Influence via Incentives | Standard | The adversary incites a behavior from the target by manipulating something of influence. This is commonly associated with financial, social, or ideological incentivization. Examples include monetary fraud, peer pressure, and preying on the target's morals or ethics. The most effective incentive against one target might not be as effective against another, therefore the adversary must gather information about the target's vulnerability to particular incentives. | 2014-06-23 02:00:00 |
Capec: CAPEC-426
Reference_from_capec: REF-348 |
2017-08-04 02:00:00 | 2.1 |
Integrity:
|
Social Engineering |
None | Low |
|
Low: The adversary requires strong inter-personal and communication skills. | Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| Influence via Psychological Principles | Standard | The adversary shapes the target's actions or behavior by focusing on the ways human interact and learn, leveraging such elements as cognitive and social psychology. In a variety of ways, a target can be influenced to behave or perform an action through capitalizing on what scholarship and research has learned about how and why humans react to specific scenarios and cues. | 2014-06-23 02:00:00 |
Capec: CAPEC-427
Reference_from_capec: REF-348 |
2017-08-04 02:00:00 | 2.1 |
Integrity:
|
Social Engineering |
None | Low |
|
Low: The adversary requires strong inter-personal and communication skills. | Draft | Low | 3.9 | ||||||||||||||||||||||||||||||
| Infected Software | Standard | An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain. | 2014-06-23 02:00:00 |
Capec: CAPEC-442
Cwe: CWE-506 Attack: T1195.001 Attack: T1195.002 Reference_from_capec: REF-387 |
2023-01-24 01:00:00 | 2.1 |
Authorization:
|
Software |
None | Medium |
|
Stable | High | 3.9 | |||||||||||||||||||||||||||||||
| Development Alteration | Standard | An adversary modifies a technology, product, or component during its development to acheive a negative impact once the system is deployed. The goal of the adversary is to modify the system in such a way that the negative impact can be leveraged when the system is later deployed. Development alteration attacks may include attacks that insert malicious logic into the system's software, modify or replace hardware components, and other attacks which negatively impact the system during development. These attacks generally require insider access to modify source code or to tamper with hardware components. The product is then delivered to the user where the negative impact can be leveraged at a later time. | 2014-06-23 02:00:00 |
Capec: CAPEC-444
|
2018-07-31 02:00:00 | 2.1 |
Integrity:
|
Supply Chain Software Hardware |
None | Medium |
|
Stable | High | 3.9 | |||||||||||||||||||||||||||||||
| Design Alteration | Standard | An adversary modifies the design of a technology, product, or component to acheive a negative impact once the system is deployed. In this type of attack, the goal of the adversary is to modify the design of the system, prior to development starting, in such a way that the negative impact can be leveraged when the system is later deployed. Design alteration attacks differ from development alteration attacks in that design alteration attacks take place prior to development and which then may or may not be developed by the adverary. Design alteration attacks include modifying system designs to degrade system performance, cause unexpected states or errors, and general design changes that may lead to additional vulnerabilities. These attacks generally require insider access to modify design documents, but they may also be spoofed via web communications. The product is then developed and delivered to the user where the negative impact can be leveraged at a later time. | 2014-06-23 02:00:00 |
Capec: CAPEC-447
|
2021-06-24 02:00:00 | 2.1 |
Integrity:
|
Supply Chain Hardware |
None | Medium |
|
Stable | High | 3.9 | |||||||||||||||||||||||||||||||
| DEPRECATED: Malware Propagation via USB U3 Autorun | Standard | This attack pattern has been deprecated as it is a duplicate of CAPEC-448 : Embed Virus into DLL. Please refer to this other pattern going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-450
|
2022-09-29 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Infected Hardware | Standard | An adversary inserts malicious logic into hardware, typically in the form of a computer virus or rootkit. This logic is often hidden from the user of the hardware and works behind the scenes to achieve negative impacts. This pattern of attack focuses on hardware already fielded and used in operation as opposed to hardware that is still under development and part of the supply chain. | 2014-06-23 02:00:00 |
Capec: CAPEC-452
|
2023-01-24 01:00:00 | 2.1 |
Authorization:
|
Software Hardware |
None | Medium |
|
Stable | High | 3.9 | |||||||||||||||||||||||||||||||
| DEPRECATED: Malicious Logic Insertion via Counterfeit Hardware | Standard | This attack pattern has been deprecated as it is a duplicate of CAPEC-452 : Malicious Logic Insertion into Product Hardware. Please refer to this other pattern going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-453
|
2017-05-01 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Infected Memory | Standard | An adversary inserts malicious logic into memory enabling them to achieve a negative impact. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems that are still under development and part of the supply chain. | 2014-06-23 02:00:00 |
Capec: CAPEC-456
Cwe: CWE-1257 Cwe: CWE-1260 Cwe: CWE-1274 Cwe: CWE-1312 Cwe: CWE-1316 |
2023-01-24 01:00:00 | 2.1 |
Authorization:
|
Software Hardware |
|
None | Medium | Stable | High | 3.9 | |||||||||||||||||||||||||||||||
| Web Services API Signature Forgery Leveraging Hash Function Extension Weakness | Standard | An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service. | When web services require callees to authenticate, they sometimes issue a token / secret to the caller that the caller is to use to sign their web service calls. In one such scheme the caller, when constructing a request, would concatenate all of the parameters passed to the web service with the provided authentication token and then generate a hash of the concatenated string (e.g., MD5, SHA1, etc.). That hash then forms the signature that is passed to the web service which is used on the server side to verify the origin authenticity and integrity of the message. Because of the iterative design of the hash function, it is possible, from only the hash of a message and its length, for an adversary to conduct signature forgery by computing the hash of longer messages that start with the initial message and include the padding required for the initial message to reach a multiple of 512 bits. It is important to note that the attack not limited to MD5 and will work on other hash functions such as SHA1. | 2014-06-23 02:00:00 |
Capec: CAPEC-461
Cwe: CWE-328 Cwe: CWE-290 Reference_from_capec: REF-398 |
2022-09-29 02:00:00 | 2.1 |
Software |
|
Explore
Experiment
Exploit
|
None |
|
|
Medium: Medium level of cryptography knowledge, specifically how iterative hash functions work. This is needed to select proper padding. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Evercookie | Standard | An attacker creates a very persistent cookie that stays present even after the user thinks it has been removed. The cookie is stored on the victim's machine in over ten places. When the victim clears the cookie cache via traditional means inside the browser, that operation removes the cookie from certain places but not others. The malicious code then replicates the cookie from all of the places where it was not deleted to all of the possible storage locations once again. So the victim again has the cookie in all of the original storage locations. In other words, failure to delete the cookie in even one location will result in the cookie's resurrection everywhere. The evercookie will also persist across different browsers because certain stores (e.g., Local Shared Objects) are shared between different browsers. | The places a persistent cookie is stored on a victim's machine include: Standard HTTP Cookies, Local Shared Objects (Flash Cookies), Silverlight Isolated Storage, Storing cookies in RGB values of auto-generated, force- cached, PNGs using HTML5 Canvas tag to read pixels (cookies) back out, Storing cookies in Web History, Storing cookies in HTTP ETags, Storing cookies in Web cache, window.name caching, Internet Explorer userData storage, HTML5 Session Storage, HTML5 Local Storage, HTML5 Global Storage, HTML5 Database Storage via SQLite, among others. | 2014-06-23 02:00:00 |
Capec: CAPEC-464
Cwe: CWE-359 Attack: T1606.001 Reference_from_capec: REF-401 |
2022-09-29 02:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Transparent Proxy Abuse | Standard | A transparent proxy serves as an intermediate between the client and the internet at large. It intercepts all requests originating from the client and forwards them to the correct location. The proxy also intercepts all responses to the client and forwards these to the client. All of this is done in a manner transparent to the client. | Transparent proxies are often used by enterprises and ISPs. For requests originating at the client transparent proxies need to figure out the final destination of the client's data packet. Two ways are available to do that: either by looking at the layer three (network) IP address or by examining layer seven (application) HTTP header destination. A browser has same origin policy that typically prevents scripts coming from one domain initiating requests to other websites from which they did not come. To circumvent that, however, malicious Flash or an Applet that is executing in the user's browser can attempt to create a cross-domain socket connection from the client to the remote domain. The transparent proxy will examine the HTTP header of the request and direct it to the remote site thereby partially bypassing the browser's same origin policy. This can happen if the transparent proxy uses the HTTP host header information for addressing rather than the IP address information at the network layer. This attack allows malicious scripts inside the victim's browser to issue cross-domain requests to any hosts accessible to the transparent proxy. | 2014-06-23 02:00:00 |
Capec: CAPEC-465
Cwe: CWE-441 Attack: T1090.001 Reference_from_capec: REF-402 |
2022-09-29 02:00:00 | 2.1 |
Software |
None | None |
|
Medium: Creating malicious Flash or Applet to open a cross-domain socket connection to a remote system | Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy | Standard | An attacker leverages an adversary in the middle attack (CAPEC-94) in order to bypass the same origin policy protection in the victim's browser. This active adversary in the middle attack could be launched, for instance, when the victim is connected to a public WIFI hot spot. An attacker is able to intercept requests and responses between the victim's browser and some non- sensitive website that does not use TLS. | When an attacker intercepts a response bound to the victim, an attacker adds an iFrame (which is possibly invisible) to the response referencing some domain with sensitive functionality and forwards the response to the victim. The victim's browser than automatically initiates an unauthorized request to the site with sensitive functionality. The same origin policy would prevent making these requests to a site other than the one from which the Java Script came, but the attacker once again uses active adversary in the middle to intercept these automatic requests and redirect them to the domain / service with sensitive functionality. Any persistent cookies that the victim has in their browser would be used for these unauthorized requests. The attacker thus actively directs the victim to a site with sensitive functionality. When the site with sensitive functionality responds back to the victim's request, an active adversary in the middle attacker intercepts these responses, injects their own malicious Java Script into these responses, and forwards to the victim's browser. In the victim's browser, that Java Script executes under the restrictions of the site with sensitive functionality and can be used to continue to interact with the sensitive site. So an attacker can execute scripts within the victim's browser on any domains the attacker desires. The attacker is able to use this technique to steal cookies from the victim's browser for whatever site the attacker wants. This applies to both persistent cookies and HTTP only cookies (unlike traditional XSS attacks). An attacker is also able to use this technique to steal authentication credentials for sites that only encrypt the login form, but do not require a secure channel for the initial request to get to the page with the login form. Further the attacker is also able to steal any autocompletion information. This attack pattern can also be used to enable session fixation and cache poisoning attacks. Additional attacks can be enabled as well. | 2014-06-23 02:00:00 |
Capec: CAPEC-466
Cwe: CWE-300 Reference_from_capec: REF-403 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Communications Software |
None | None |
|
Low: Ability to intercept and modify requests / responses Medium: Solid understanding of the HTTP protocol | Draft | Medium | 3.9 | |||||||||||||||||||||||||||||
| Generic Cross-Browser Cross-Domain Theft | Standard | An attacker makes use of Cascading Style Sheets (CSS) injection to steal data cross domain from the victim's browser. The attack works by abusing the standards relating to loading of CSS: 1. Send cookies on any load of CSS (including cross-domain) 2. When parsing returned CSS ignore all data that does not make sense before a valid CSS descriptor is found by the CSS parser. | By having control of some text in the victim's domain, the attacker is able to inject a seemingly valid CSS string. It does not matter if this CSS string is preceded by other data. The CSS parser will still locate the CSS string. If the attacker is able to control two injection points, one before the cross domain data that the attacker is interested in receiving and the other one after, the attacker can use this attack to steal all of the data in between these two CSS injection points when referencing the injected CSS while performing rendering on the site that the attacker controls. When rendering, the CSS parser will detect the valid CSS string to parse and ignore the data that "does not make sense". That data will simply be rendered. That data is in fact the data that the attacker just stole cross domain. The stolen data may contain sensitive information, such CSRF protection tokens. | 2014-06-23 02:00:00 |
Capec: CAPEC-468
Cwe: CWE-707 Cwe: CWE-149 Cwe: CWE-177 Cwe: CWE-838 Reference_from_capec: REF-405 |
2022-02-22 01:00:00 | 2.1 |
Software |
None | None |
|
|
High: Ability to craft a CSS injection | Draft | Medium | 3.9 | |||||||||||||||||||||||||||||
| HTTP DoS | Standard | An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted. | 2014-06-23 02:00:00 |
Capec: CAPEC-469
Cwe: CWE-770 Cwe: CWE-772 Attack: T1499.002 Reference_from_capec: REF-406 |
2022-09-29 02:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Low | 3.9 | |||||||||||||||||||||||||||||||
| Signature Spoof | Standard | An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions. | 2014-06-23 02:00:00 |
Capec: CAPEC-473
Cwe: CWE-20 Cwe: CWE-327 Cwe: CWE-290 Attack: T1036.001 Attack: T1553.002 |
2022-09-29 02:00:00 | 2.1 |
Access Control:
|
Software |
|
None | None |
|
High: Technical understanding of how signature verification algorithms work with data and applications | Draft | None | 3.9 | |||||||||||||||||||||||||||||
| Escaping Virtualization | Standard | An adversary gains access to an application, service, or device with the privileges of an authorized or privileged user by escaping the confines of a virtualized environment. The adversary is then able to access resources or execute unauthorized code within the host environment, generally with the privileges of the user running the virtualized process. Successfully executing an attack of this type is often the first step in executing more complex attacks. | 2019-09-30 02:00:00 |
Capec: CAPEC-480
Cwe: CWE-693 Attack: T1611 |
2021-10-21 02:00:00 | 2.1 |
Authorization:
|
Software |
Explore
Experiment
Exploit
|
Low | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||||||
| Contradictory Destinations in Traffic Routing Schemes | Standard | Adversaries can provide contradictory destinations when sending messages. Traffic is routed in networks using the domain names in various headers available at different levels of the OSI model. In a Content Delivery Network (CDN) multiple domains might be available, and if there are contradictory domain names provided it is possible to route traffic to an inappropriate destination. The technique, called Domain Fronting, involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. An alternative technique, called Domainless Fronting, is similar, but the SNI field is left blank. | 2019-04-04 02:00:00 |
Capec: CAPEC-481
Cwe: CWE-923 Attack: T1090.004 |
2023-01-24 01:00:00 | 2.1 |
Confidentiality:
|
Communications Software |
None | Medium |
|
Medium: The adversary must have some knowledge of how messages are routed. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| TCP Flood | Standard | An adversary may execute a flooding attack using the TCP protocol with the intent to deny legitimate users access to a service. These attacks exploit the weakness within the TCP protocol where there is some state information for the connection the server needs to maintain. This often involves the use of TCP SYN messages. | 2014-06-23 02:00:00 |
Capec: CAPEC-482
Cwe: CWE-770 Attack: T1498.001 Attack: T1499.001 Attack: T1499.002 |
2022-09-29 02:00:00 | 2.1 |
Communications Software |
None | None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| DEPRECATED: XML Client-Side Attack | Standard | This attack pattern has been deprecated as it a generalization of CAPEC-230: XML Nested Payloads and CAPEC-231: XML Oversized Payloads. Please refer to these CAPECs going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-484
|
2019-09-30 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| UDP Flood | Standard | An adversary may execute a flooding attack using the UDP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. Additionally, firewalls often open a port for each UDP connection destined for a service with an open UDP port, meaning the firewalls in essence save the connection state thus the high packet nature of a UDP flood can also overwhelm resources allocated to the firewall. UDP attacks can also target services like DNS or VoIP which utilize these protocols. Additionally, due to the session-less nature of the UDP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack. | 2014-06-23 02:00:00 |
Capec: CAPEC-486
Cwe: CWE-770 |
2022-09-29 02:00:00 | 2.1 |
Communications Software |
None | None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| ICMP Flood | Standard | An adversary may execute a flooding attack using the ICMP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. A typical attack involves a victim server receiving ICMP packets at a high rate from a wide range of source addresses. Additionally, due to the session-less nature of the ICMP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack. | 2014-06-23 02:00:00 |
Capec: CAPEC-487
Cwe: CWE-770 |
2022-09-29 02:00:00 | 2.1 |
Communications Software |
None | None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| HTTP Flood | Standard | An adversary may execute a flooding attack using the HTTP protocol with the intent to deny legitimate users access to a service by consuming resources at the application layer such as web services and their infrastructure. These attacks use legitimate session-based HTTP GET requests designed to consume large amounts of a server's resources. Since these are legitimate sessions this attack is very difficult to detect. | 2014-06-23 02:00:00 |
Capec: CAPEC-488
Cwe: CWE-770 Attack: T1499.002 Reference_from_capec: REF-751 |
2023-01-24 01:00:00 | 2.1 |
Communications Software |
None | None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| SSL Flood | Standard | An adversary may execute a flooding attack using the SSL protocol with the intent to deny legitimate users access to a service by consuming all the available resources on the server side. These attacks take advantage of the asymmetric relationship between the processing power used by the client and the processing power used by the server to create a secure connection. In this manner the attacker can make a large number of HTTPS requests on a low provisioned machine to tie up a disproportionately large number of resources on the server. The clients then continue to keep renegotiating the SSL connection. When multiplied by a large number of attacking machines, this attack can result in a crash or loss of service to legitimate users. | 2014-06-23 02:00:00 |
Capec: CAPEC-489
Cwe: CWE-770 Attack: T1499.002 |
2022-09-29 02:00:00 | 2.1 |
Communications Software |
None | None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| Amplification | Standard | An adversary may execute an amplification where the size of a response is far greater than that of the request that generates it. The goal of this attack is to use a relatively few resources to create a large amount of traffic against a target server. To execute this attack, an adversary send a request to a 3rd party service, spoofing the source address to be that of the target server. The larger response that is generated by the 3rd party service is then sent to the target server. By sending a large number of initial requests, the adversary can generate a tremendous amount of traffic directed at the target. The greater the discrepancy in size between the initial request and the final payload delivered to the target increased the effectiveness of this attack. | 2014-06-23 02:00:00 |
Capec: CAPEC-490
Cwe: CWE-770 Attack: T1498.002 |
2020-07-30 02:00:00 | 2.1 |
Software |
None | None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| Regular Expression Exponential Blowup | Standard | An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions. | The algorithm builds a finite state machine and based on the input transitions through all the states until the end of the input is reached. NFA engines may evaluate each character in the input string multiple times during the backtracking. The algorithm tries each path through the NFA one by one until a match is found; the malicious input is crafted so every path is tried which results in a failure. Exploitation of the Regex results in programs hanging or taking a very long time to complete. These attacks may target various layers of the Internet due to regular expressions being used in validation. | 2014-06-23 02:00:00 |
Capec: CAPEC-492
Cwe: CWE-400 Cwe: CWE-1333 Owasp Attacks: Regular expression Denial of Service - ReDoS Reference_from_capec: REF-421 |
2022-02-22 01:00:00 | 2.1 |
Software |
None | None |
|
Draft | None | 3.9 | |||||||||||||||||||||||||||||||
| SOAP Array Blowup | Standard | An adversary may execute an attack on a web service that uses SOAP messages in communication. By sending a very large SOAP array declaration to the web service, the attacker forces the web service to allocate space for the array elements before they are parsed by the XML parser. The attacker message is typically small in size containing a large array declaration of say 1,000,000 elements and a couple of array elements. This attack targets exhaustion of the memory resources of the web service. | 2014-06-23 02:00:00 |
Capec: CAPEC-493
Cwe: CWE-770 Reference_from_capec: REF-422 |
2019-09-30 02:00:00 | 2.1 |
Software |
None | None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| TCP Fragmentation | Standard | An adversary may execute a TCP Fragmentation attack against a target with the intention of avoiding filtering rules of network controls, by attempting to fragment the TCP packet such that the headers flag field is pushed into the second fragment which typically is not filtered. | In comparison, IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. This behavior of fragmentation defeats some IPS and firewall filters who typically check the FLAGS in the header of the first packet since dropping this packet prevents the following fragments from being processed and assembled. Another variation is overlapping fragments thus that an innocuous first segment passes the filter and the second segment overwrites the TCP header data with the true payload which is malicious in nature. The malicious payload manipulated properly may lead to a DoS due to resource consumption or kernel crash. Additionally the fragmentation could be used in conjunction with sending fragments at a rate slightly slower than the timeout to cause a DoS condition by forcing resources that assemble the packet to wait an inordinate amount of time to complete the task. The fragmentation identification numbers could also be duplicated very easily as there are only 16 bits in IPv4 so only 65536 packets are needed. | 2014-06-23 02:00:00 |
Capec: CAPEC-494
Cwe: CWE-770 Cwe: CWE-404 Reference_from_capec: REF-423 |
2022-02-22 01:00:00 | 2.1 |
Communications Software |
None | None |
|
Draft | None | 3.9 | |||||||||||||||||||||||||||||||
| UDP Fragmentation | Standard | An attacker may execute a UDP Fragmentation attack against a target server in an attempt to consume resources such as bandwidth and CPU. IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. Typically the attacker will use large UDP packets over 1500 bytes of data which forces fragmentation as ethernet MTU is 1500 bytes. This attack is a variation on a typical UDP flood but it enables more network bandwidth to be consumed with fewer packets. Additionally it has the potential to consume server CPU resources and fill memory buffers associated with the processing and reassembling of fragmented packets. | 2014-06-23 02:00:00 |
Capec: CAPEC-495
Cwe: CWE-770 Cwe: CWE-404 Reference_from_capec: REF-424 |
2019-04-04 02:00:00 | 2.1 |
Communications Software |
None | None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| ICMP Fragmentation | Standard | An attacker may execute a ICMP Fragmentation attack against a target with the intention of consuming resources or causing a crash. The attacker crafts a large number of identical fragmented IP packets containing a portion of a fragmented ICMP message. The attacker these sends these messages to a target host which causes the host to become non-responsive. Another vector may be sending a fragmented ICMP message to a target host with incorrect sizes in the header which causes the host to hang. | 2014-06-23 02:00:00 |
Capec: CAPEC-496
Cwe: CWE-770 Cwe: CWE-404 Reference_from_capec: REF-425 |
2019-04-04 02:00:00 | 2.1 |
Communications Software |
None | None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| File Discovery | Standard | An adversary engages in probing and exploration activities to determine if common key files exists. Such files often contain configuration and security parameters of the targeted application, system or network. Using this knowledge may often pave the way for more damaging attacks. | 2019-09-30 02:00:00 |
Capec: CAPEC-497
Cwe: CWE-200 Attack: T1083 |
2020-12-17 01:00:00 | 2.1 |
Confidentiality:
|
Software |
None | High |
|
Draft | Very Low | 3.9 | |||||||||||||||||||||||||||||||
| Android Intent Intercept | Standard | An adversary, through a previously installed malicious application, intercepts messages from a trusted Android-based application in an attempt to achieve a variety of different objectives including denial of service, information disclosure, and data injection. An implicit intent sent from a trusted application can be received by any application that has declared an appropriate intent filter. If the intent is not protected by a permission that the malicious application lacks, then the attacker can gain access to the data contained within the intent. Further, the intent can be either blocked from reaching the intended destination, or modified and potentially forwarded along. | 2014-06-23 02:00:00 |
Capec: CAPEC-499
Cwe: CWE-925 Reference_from_capec: REF-427 |
2021-10-21 02:00:00 | 2.1 |
Integrity:
|
Software |
Explore
Experiment
Exploit
|
None |
|
Draft | None | 3.9 | |||||||||||||||||||||||||||||||
| Intent Spoof | Standard | An adversary, through a previously installed malicious application, issues an intent directed toward a specific trusted application's component in an attempt to achieve a variety of different objectives including modification of data, information disclosure, and data injection. Components that have been unintentionally exported and made public are subject to this type of an attack. If the component trusts the intent's action without verififcation, then the target application performs the functionality at the adversary's request, helping the adversary achieve the desired negative technical impact. | 2014-06-23 02:00:00 |
Capec: CAPEC-502
Cwe: CWE-284 Reference_from_capec: REF-427 |
2021-06-24 02:00:00 | 2.1 |
Software |
None | None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| WebView Exposure | Standard | An adversary, through a malicious web page, accesses application specific functionality by leveraging interfaces registered through WebView's addJavascriptInterface API. Once an interface is registered to WebView through addJavascriptInterface, it becomes global and all pages loaded in the WebView can call this interface. | 2014-06-23 02:00:00 |
Capec: CAPEC-503
Cwe: CWE-284 Reference_from_capec: REF-430 |
2020-07-30 02:00:00 | 2.1 |
Software |
None | None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| Task Impersonation | Standard | An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges. | When impersonating an expected task, the adversary monitors the task list maintained by the operating system and waits for a specific legitimate task to become active. Once the task is detected, the malicious application launches a new task in the foreground that mimics the user interface of the legitimate task. At this point, the user thinks that they are interacting with the legitimate task that they started, but instead they are interacting with the malicious application. Once the adversary's goal is reached, the malicious application can exit, leaving the original trusted application visible and the appearance that nothing out of the ordinary has occurred. A second approach entails the adversary impersonating an unexpected task, but one that may often be spawned by legitimate background processes. For example, an adversary may randomly impersonate a system credential prompt, implying that a background process requires authentication for some purpose. The user, believing they are interacting with a legitimate task, enters their credentials or authorizes the use of their stored credentials, which the adversary then leverages for nefarious purposes. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user, but may also be used to ride the user's privileges. | 2014-06-23 02:00:00 |
Capec: CAPEC-504
Cwe: CWE-1021 Attack: T1036.004 Reference_from_capec: REF-434 |
2022-09-29 02:00:00 | 2.1 |
Access Control:
|
Software |
|
Explore
Exploit
|
Medium |
|
|
Low: Once an adversary has gained access to the target system, impersonating a task is trivial. | Stable | High | 3.9 | |||||||||||||||||||||||||||
| Tapjacking | Standard | An adversary, through a previously installed malicious application, displays an interface that misleads the user and convinces them to tap on an attacker desired location on the screen. This is often accomplished by overlaying one screen on top of another while giving the appearance of a single interface. There are two main techniques used to accomplish this. The first is to leverage transparent properties that allow taps on the screen to pass through the visible application to an application running in the background. The second is to strategically place a small object (e.g., a button or text field) on top of the visible screen and make it appear to be a part of the underlying application. In both cases, the user is convinced to tap on the screen but does not realize the application that they are interacting with. | 2014-06-23 02:00:00 |
Capec: CAPEC-506
Cwe: CWE-1021 Reference_from_capec: REF-436 Reference_from_capec: REF-437 |
2020-07-30 02:00:00 | 2.1 |
Software |
None | Low |
|
Draft | Low | 3.9 | ||||||||||||||||||||||||||||||||
| SaaS User Request Forgery | Standard | An adversary, through a previously installed malicious application, performs malicious actions against a third-party Software as a Service (SaaS) application (also known as a cloud based application) by leveraging the persistent and implicit trust placed on a trusted user's session. This attack is executed after a trusted user is authenticated into a cloud service, "piggy-backing" on the authenticated session, and exploiting the fact that the cloud service believes it is only interacting with the trusted user. If successful, the actions embedded in the malicious application will be processed and accepted by the targeted SaaS application and executed at the trusted user's privilege level. | 2014-06-23 02:00:00 |
Capec: CAPEC-510
Cwe: CWE-346 Reference_from_capec: REF-438 |
2014-06-23 02:00:00 | 2.1 |
Software |
None | High |
|
Medium: This attack pattern often requires the technical ability to modify a malicious software package (e.g. Zeus) to spider a targeted site and a way to trick a user into a malicious software download. | Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Malicious Hardware Component Replacement | Standard | An adversary replaces legitimate hardware in the system with faulty counterfeit or tampered hardware in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed. | 2014-06-23 02:00:00 |
Capec: CAPEC-522
Attack: T1195.003 Reference_from_capec: REF-439 Reference_from_capec: REF-712 |
2022-09-29 02:00:00 | 2.1 |
Supply Chain Hardware |
|
Explore
Experiment
Exploit
|
Low |
|
High: Hardware creation and manufacture of replacement components. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Malicious Software Implanted | Standard | An attacker implants malicious software into the system in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed. | 2014-06-23 02:00:00 |
Capec: CAPEC-523
Attack: T1195.002 Reference_from_capec: REF-439 Reference_from_capec: REF-716 |
2022-09-29 02:00:00 | 2.1 |
Supply Chain |
|
Explore
Experiment
Exploit
|
Low |
|
High: Malicious software creation. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Rogue Integration Procedures | Standard | An attacker alters or establishes rogue processes in an integration facility in order to insert maliciously altered components into the system. The attacker would then supply the malicious components. This would allow for malicious disruption or additional compromise when the system is deployed. | 2014-06-23 02:00:00 |
Capec: CAPEC-524
Reference_from_capec: REF-439 Reference_from_capec: REF-716 |
2022-02-22 01:00:00 | 2.1 |
Supply Chain |
|
None | Low |
|
High: Hardware creation and manufacture of replacement components. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| XML Flood | Standard | An adversary may execute a flooding attack using XML messages with the intent to deny legitimate users access to a web service. These attacks are accomplished by sending a large number of XML based requests and letting the service attempt to parse each one. In many cases this type of an attack will result in a XML Denial of Service (XDoS) due to an application becoming unstable, freezing, or crashing. | XDoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends. | 2014-06-23 02:00:00 |
Capec: CAPEC-528
Cwe: CWE-770 Attack: T1499.002 Attack: T1498.001 |
2022-02-22 01:00:00 | 2.1 |
|
Availability:
|
Software |
|
Explore
Experiment
Exploit
|
Low |
|
Low: Denial of service | Draft | Medium | 3.9 | |||||||||||||||||||||||||||
| Malware-Directed Internal Reconnaissance | Standard | Adversary uses malware or a similarly controlled application installed inside an organizational perimeter to gather information about the composition, configuration, and security mechanisms of a targeted application, system or network. | 2014-06-23 02:00:00 |
Capec: CAPEC-529
|
2020-07-30 02:00:00 | 2.1 |
Confidentiality:
|
Software |
None | Medium |
|
|
Medium: The adversary must be able to obtain or develop, as well as place malicious software inside the target network/system. | Stable | Medium | 3.9 | |||||||||||||||||||||||||||||
| Malicious Hardware Update | Standard | An adversary introduces malicious hardware during an update or replacement procedure, allowing for additional compromise or site disruption at the victim location. After deployment, it is not uncommon for upgrades and replacements to occur involving hardware and various replaceable parts. These upgrades and replacements are intended to correct defects, provide additional features, and to replace broken or worn-out parts. However, by forcing or tricking the replacement of a good component with a defective or corrupted component, an adversary can leverage known defects to obtain a desired malicious impact. | 2014-06-23 02:00:00 |
Capec: CAPEC-534
Reference_from_capec: REF-439 Reference_from_capec: REF-711 |
2022-02-22 01:00:00 | 2.1 |
Supply Chain Physical Security Hardware |
|
None | Low | High: Able to develop and manufacture malicious hardware components that perform the same functions and processes as their non-malicious counterparts. | Stable | High | 3.9 | |||||||||||||||||||||||||||||||
| Data Injected During Configuration | Standard | An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the adversary. | 2014-06-23 02:00:00 |
Capec: CAPEC-536
Cwe: CWE-284 Reference_from_capec: REF-439 |
2021-10-21 02:00:00 | 2.1 |
Supply Chain Software |
|
Explore
Experiment
Exploit
|
Low |
|
High: Ability to generate and inject false data into operational data into a system with the intent of causing the victim to alter the configuration of the system. | Stable | High | 3.9 | ||||||||||||||||||||||||||||||
| Overread Buffers | Standard | An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution. | 2014-06-23 02:00:00 |
Capec: CAPEC-540
Cwe: CWE-125 |
2021-10-21 02:00:00 | 2.1 |
Availability:
|
Software |
Explore
Experiment
Exploit
|
Low |
|
Draft | High | 3.9 | |||||||||||||||||||||||||||||||
| Application Fingerprinting | Standard | An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target. | 2014-06-23 02:00:00 |
Capec: CAPEC-541
Cwe: CWE-204 Cwe: CWE-205 Cwe: CWE-208 Attack: T1592.002 |
2023-01-24 01:00:00 | 2.1 |
Software |
None | None |
|
Draft | Low | 3.9 | ||||||||||||||||||||||||||||||||
| Targeted Malware | Standard | An adversary develops targeted malware that takes advantage of a known vulnerability in an organizational information technology environment. The malware crafted for these attacks is based specifically on information gathered about the technology environment. Successfully executing the malware enables an adversary to achieve a wide variety of negative technical impacts. | 2014-06-23 02:00:00 |
Capec: CAPEC-542
Attack: T1587.001 Attack: T1027 |
2023-01-24 01:00:00 | 2.1 |
Software |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Pull Data from System Resources | Standard | An adversary who is authorized or has the ability to search known system resources, does so with the intention of gathering useful information. System resources include files, memory, and other aspects of the target system. In this pattern of attack, the adversary does not necessarily know what they are going to find when they start pulling data. This is different than CAPEC-150 where the adversary knows what they are looking for due to the common location. | 2014-06-23 02:00:00 |
Capec: CAPEC-545
Cwe: CWE-1239 Cwe: CWE-1243 Cwe: CWE-1258 Cwe: CWE-1266 Cwe: CWE-1272 Cwe: CWE-1278 Cwe: CWE-1323 Cwe: CWE-1258 Cwe: CWE-1330 Attack: T1005 Attack: T1555.001 |
2023-01-24 01:00:00 | 2.1 |
Software Hardware |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Physical Destruction of Device or Component | Standard | An adversary conducts a physical attack a device or component, destroying it such that it no longer functions as intended. | 2014-06-23 02:00:00 |
Capec: CAPEC-547
|
2019-09-30 02:00:00 | 2.1 |
Physical Security |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Remote Services with Stolen Credentials | Standard | This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed. | 2015-11-09 01:00:00 |
Capec: CAPEC-555
Cwe: CWE-522 Cwe: CWE-308 Cwe: CWE-309 Cwe: CWE-294 Cwe: CWE-263 Cwe: CWE-262 Cwe: CWE-521 Attack: T1021 Attack: T1114.002 Attack: T1133 |
2022-09-29 02:00:00 | 2.1 |
Software |
|
None | None | Stable | Very High | 3.9 | ||||||||||||||||||||||||||||||||
| DEPRECATED: Obtain Data via Utilities | Standard | This CAPEC has been deprecated because it is not directly related to a weakness, social engineering, supply chains, or a physical-based attack. | 2015-11-09 01:00:00 |
Capec: CAPEC-567
|
2020-07-30 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Collect Data as Provided by Users | Standard | An attacker leverages a tool, device, or program to obtain specific information as provided by a user of the target system. This information is often needed by the attacker to launch a follow-on attack. This attack is different than Social Engineering as the adversary is not tricking or deceiving the user. Instead the adversary is putting a mechanism in place that captures the information that a user legitimately enters into a system. Deploying a keylogger, performing a UAC prompt, or wrapping the Windows default credential provider are all examples of such interactions. | 2015-11-09 01:00:00 |
Capec: CAPEC-569
Attack: T1056 |
2021-06-24 02:00:00 | 2.1 |
Software |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Block Logging to Central Repository | Standard | An adversary prevents host-generated logs being delivered to a central location in an attempt to hide indicators of compromise. | In the case of network based reporting of indicators, an adversary may block traffic associated with reporting to prevent central station analysis. This may be accomplished by many means such as stopping a local process to creating a host-based firewall rule to block traffic to a specific server. In the case of local based reporting of indicators, an adversary may block delivery of locally-generated log files themselves to the central repository. | 2015-11-09 01:00:00 |
Capec: CAPEC-571
Attack: T1562.002 Attack: T1562.002 Attack: T1562.006 Attack: T1562.008 |
2022-09-29 02:00:00 | 2.1 |
Communications Software |
None | None | Draft | Low | 3.9 | ||||||||||||||||||||||||||||||||
| Artificially Inflate File Sizes | Standard | An adversary modifies file contents by adding data to files for several reasons. Many different attacks could “follow” this pattern resulting in numerous outcomes. Adding data to a file could also result in a Denial of Service condition for devices with limited storage capacity. | 2015-11-09 01:00:00 |
Capec: CAPEC-572
Attack: T1027.001 |
2021-06-24 02:00:00 | 2.1 |
Integrity:
|
Software |
|
None | High | Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Process Footprinting | Standard | An adversary exploits functionality meant to identify information about the currently running processes on the target system to an authorized user. By knowing what processes are running on the target system, the adversary can learn about the target environment as a means towards further malicious behavior. | 2015-11-09 01:00:00 |
Capec: CAPEC-573
Cwe: CWE-200 Attack: T1057 |
2020-07-30 02:00:00 | 2.1 |
Authorization:
|
Software |
|
None | Low |
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| Services Footprinting | Standard | An adversary exploits functionality meant to identify information about the services on the target system to an authorized user. By knowing what services are registered on the target system, the adversary can learn about the target environment as a means towards further malicious behavior. Depending on the operating system, commands that can obtain services information include "sc" and "tasklist/svc" using Tasklist, and "net start" using Net. | 2015-11-09 01:00:00 |
Capec: CAPEC-574
Cwe: CWE-200 Attack: T1007 |
2020-07-30 02:00:00 | 2.1 |
Authorization:
|
Software |
None | Low |
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||||
| Account Footprinting | Standard | An adversary exploits functionality meant to identify information about the domain accounts and their permissions on the target system to an authorized user. By knowing what accounts are registered on the target system, the adversary can inform further and more targeted malicious behavior. Example Windows commands which can acquire this information are: "net user" and "dsquery". | 2015-11-09 01:00:00 |
Capec: CAPEC-575
Cwe: CWE-200 Attack: T1087 |
2020-07-30 02:00:00 | 2.1 |
Authorization:
|
Software |
None | Low |
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||||
| Group Permission Footprinting | Standard | An adversary exploits functionality meant to identify information about user groups and their permissions on the target system to an authorized user. By knowing what users/permissions are registered on the target system, the adversary can inform further and more targeted malicious behavior. An example Windows command which can list local groups is "net localgroup". | 2015-11-09 01:00:00 |
Capec: CAPEC-576
Cwe: CWE-200 Attack: T1069 Attack: T1615 |
2022-09-29 02:00:00 | 2.1 |
Authorization:
|
Software |
None | Low |
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||||
| Owner Footprinting | Standard | An adversary exploits functionality meant to identify information about the primary users on the target system to an authorized user. They may do this, for example, by reviewing logins or file modification times. By knowing what owners use the target system, the adversary can inform further and more targeted malicious behavior. An example Windows command that may accomplish this is "dir /A ntuser.dat". Which will display the last modified time of a user's ntuser.dat file when run within the root folder of a user. This time is synonymous with the last time that user was logged in. | 2015-11-09 01:00:00 |
Capec: CAPEC-577
Cwe: CWE-200 Attack: T1033 |
2019-09-30 02:00:00 | 2.1 |
Authorization:
|
Software |
None | Low |
|
Draft | Low | 3.9 | |||||||||||||||||||||||||||||||
| Disable Security Software | Standard | An adversary exploits a weakness in access control to disable security tools so that detection does not occur. This can take the form of killing processes, deleting registry keys so that tools do not start at run time, deleting log files, or other methods. | 2015-11-09 01:00:00 |
Capec: CAPEC-578
Cwe: CWE-284 Attack: T1556.006 Attack: T1562.001 Attack: T1562.002 Attack: T1562.004 Attack: T1562.007 Attack: T1562.008 Attack: T1562.009 |
2023-01-24 01:00:00 | 2.1 |
Availability:
|
Software |
None | Medium |
|
|
Usable | Medium | 3.9 | ||||||||||||||||||||||||||||||
| System Footprinting | Standard | An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations. | 2015-11-09 01:00:00 |
Capec: CAPEC-580
Cwe: CWE-204 Cwe: CWE-205 Cwe: CWE-208 Attack: T1082 |
2023-01-24 01:00:00 | 2.1 |
Confidentiality:
|
Software |
None | Low |
|
Low: The adversary needs to know basic linux commands. | Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| Route Disabling | Standard | An adversary disables the network route between two targets. The goal is to completely sever the communications channel between two entities. This is often the result of a major error or the use of an "Internet kill switch" by those in control of critical infrastructure. This attack pattern differs from most other obstruction patterns by targeting the route itself, as opposed to the data passed over the route. | 2017-02-14 01:00:00 |
Capec: CAPEC-582
|
2019-09-30 02:00:00 | 2.1 |
Availability:
|
Social Engineering Communications Software Hardware |
None | Low |
|
Draft | High | 3.9 | |||||||||||||||||||||||||||||||
| Session Hijacking | Standard | This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application. | 2017-04-15 02:00:00 |
Capec: CAPEC-593
Cwe: CWE-287 Attack: T1185 Attack: T1550.001 Attack: T1563 Owasp Attacks: Session hijacking attack Reference_from_capec: REF-603 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
Explore
Experiment
Exploit
|
High |
|
|
Low: Exploiting a poorly protected identity token is a well understood attack with many helpful resources available. | Stable | Very High | 3.9 | |||||||||||||||||||||||||||||
| Connection Reset | Standard | In this attack pattern, an adversary injects a connection reset packet to one or both ends of a target's connection. The attacker is therefore able to have the target and/or the destination server sever the connection without having to directly filter the traffic between them. | 2017-01-04 01:00:00 |
Capec: CAPEC-595
Cwe: CWE-940 |
2019-04-04 02:00:00 | 2.1 |
Communications Software |
None | None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| Credential Stuffing | Standard | An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services. | Attacks of this kind often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications. The primary goal of Credential Stuffing is to achieve lateral movement and gain authenticated access to additional systems, applications, and/or services. A successfully executed Credential Stuffing attack could result in the adversary impersonating the victim or executing any action that the victim is authorized to perform. Although not technically a brute force attack, Credential Stuffing attacks can function as such if an adversary possess multiple known passwords for the same user account. This may occur in the event where an adversary obtains user credentials from multiple sources or if the adversary obtains a user's password history for an account. Credential Stuffing attacks are similar to Password Spraying attacks (CAPEC-565) regarding their targets and their overall goals. However, Password Spraying attacks do not have any insight into known username/password combinations and instead leverage common or expected passwords. This also means that Password Spraying attacks must avoid inducing account lockouts, which is generally not a worry of Credential Stuffing attacks. Password Spraying attacks may additionally lead to Credential Stuffing attacks, once a successful username/password combination is discovered. | 2020-07-30 02:00:00 |
Capec: CAPEC-600
Cwe: CWE-522 Cwe: CWE-307 Cwe: CWE-308 Cwe: CWE-309 Cwe: CWE-262 Cwe: CWE-263 Cwe: CWE-654 Attack: T1110.004 Owasp Attacks: Credential stuffing Reference_from_capec: REF-567 Reference_from_capec: REF-568 Reference_from_capec: REF-569 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: A Credential Stuffing attack is very straightforward. | Stable | High | 3.9 | |||||||||||||||||||||||||||
| Jamming | Standard | An adversary uses radio noise or signals in an attempt to disrupt communications. By intentionally overwhelming system resources with illegitimate traffic, service is denied to the legitimate traffic of authorized users. | 2015-11-09 01:00:00 |
Capec: CAPEC-601
|
2019-09-30 02:00:00 | 2.1 |
Availability:
|
Communications |
None | Medium | Draft | High | 3.9 | ||||||||||||||||||||||||||||||||
| Blockage | Standard | An adversary blocks the delivery of an important system resource causing the system to fail or stop working. | 2015-11-09 01:00:00 |
Capec: CAPEC-603
|
2019-09-30 02:00:00 | 2.1 |
Availability:
|
Communications Software |
None | Medium |
|
Draft | High | 3.9 | |||||||||||||||||||||||||||||||
| Cellular Data Injection | Standard | Adversaries inject data into mobile technology traffic (data flows or signaling data) to disrupt communications or conduct additional surveillance operations. | 2015-11-09 01:00:00 |
Capec: CAPEC-610
|
2019-09-30 02:00:00 | 2.1 |
Availability:
|
Communications Software |
None | None |
|
High: Often achieved by nation states in conjunction with commercial cellular providers to conduct cellular traffic intercept and possible traffic injection. | Stable | High | 3.9 | ||||||||||||||||||||||||||||||
| Establish Rogue Location | Standard | An adversary provides a malicious version of a resource at a location that is similar to the expected location of a legitimate resource. After establishing the rogue location, the adversary waits for a victim to visit the location and access the malicious resource. | 2015-11-09 01:00:00 |
Capec: CAPEC-616
Cwe: CWE-200 Attack: T1036.005 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Social Engineering Supply Chain Communications Software Hardware |
None | Medium |
|
Low: Adversaries can often purchase low-cost technology to implement rogue access points. | Stable | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Drop Encryption Level | Standard | An attacker forces the encryption level to be lowered, thus enabling a successful attack against the encrypted data. | 2015-11-09 01:00:00 |
Capec: CAPEC-620
Cwe: CWE-757 Attack: T1600 |
2022-09-29 02:00:00 | 2.1 |
Access Control:
|
Software |
None | None | Draft | High | 3.9 | ||||||||||||||||||||||||||||||||
| Mobile Device Fault Injection | Standard | Fault injection attacks against mobile devices use disruptive signals or events (e.g. electromagnetic pulses, laser pulses, clock glitches, etc.) to cause faulty behavior. When performed in a controlled manner on devices performing cryptographic operations, this faulty behavior can be exploited to derive secret key information. Although this attack usually requires physical control of the mobile device, it is non-destructive, and the device can be used after the attack without any indication that secret keys were compromised. | 2015-11-09 01:00:00 |
Capec: CAPEC-625
Cwe: CWE-1247 Cwe: CWE-1248 Cwe: CWE-1256 Cwe: CWE-1319 Cwe: CWE-1332 Cwe: CWE-1334 Cwe: CWE-1338 Cwe: CWE-1351 |
2023-01-24 01:00:00 | 2.1 |
Access Control:
|
Communications Hardware |
None | None | High: Adversaries require non-trivial technical skills to create and implement fault injection attacks on mobile devices. Although this style of attack has become easier (commercial equipment and training classes are available to perform these attacks), they usual require significant setup and experimentation time during which physical access to the device is required. This prerequisite makes the attack challenging to perform (assuming that physical security countermeasures and monitoring are in place). | Draft | None | 3.9 | |||||||||||||||||||||||||||||||
| Counterfeit GPS Signals | Standard | An adversary attempts to deceive a GPS receiver by broadcasting counterfeit GPS signals, structured to resemble a set of normal GPS signals. These spoofed signals may be structured in such a way as to cause the receiver to estimate its position to be somewhere other than where it actually is, or to be located where it is but at a different time, as determined by the adversary. | 2015-11-09 01:00:00 |
Capec: CAPEC-627
|
2019-04-04 02:00:00 | 2.1 |
Integrity:
|
Communications Hardware |
None | Low |
|
|
High: The ability to spoof GPS signals is not trival. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| DEPRECATED: Unauthorized Use of Device Resources | Standard | This attack pattern has been deprecated. | 2015-11-09 01:00:00 |
Capec: CAPEC-629
|
2022-09-29 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Alternative Execution Due to Deceptive Filenames | Standard | The extension of a file name is often used in various contexts to determine the application that is used to open and use it. If an attacker can cause an alternative application to be used, it may be able to execute malicious code, cause a denial of service or expose sensitive information. | 2018-05-31 02:00:00 |
Capec: CAPEC-635
Cwe: CWE-162 Attack: T1036.007 |
2022-09-29 02:00:00 | 2.1 |
Software |
None | None |
|
Draft | High | 3.9 | ||||||||||||||||||||||||||||||||
| Hiding Malicious Data or Code within Files | Standard | Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover. | 2018-05-31 02:00:00 |
Capec: CAPEC-636
Cwe: CWE-506 Attack: T1001.002 Attack: T1027.003 Attack: T1027.004 Attack: T1218.001 Attack: T1221 Reference_from_capec: REF-493 |
2023-01-24 01:00:00 | 2.1 |
Software |
None | None |
|
Draft | High | 3.9 | ||||||||||||||||||||||||||||||||
| Peripheral Footprinting | Standard | Adversaries may attempt to obtain information about attached peripheral devices and components connected to a computer system. Examples may include discovering the presence of iOS devices by searching for backups, analyzing the Windows registry to determine what USB devices have been connected, or infecting a victim system with malware to report when a USB device has been connected. This may allow the adversary to gain additional insight about the system or network environment, which may be useful in constructing further attacks. | 2018-07-31 02:00:00 |
Capec: CAPEC-646
Cwe: CWE-200 Attack: T1120 |
2020-07-30 02:00:00 | 2.1 |
Software |
None | Low |
|
Medium: If analyzing the Windows registry, the adversary must understand the registry structure to know where to look for devices. | Stable | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Eavesdropping | Standard | An adversary intercepts a form of communication (e.g. text, audio, video) by way of software (e.g., microphone and audio recording application), hardware (e.g., recording equipment), or physical means (e.g., physical proximity). The goal of eavesdropping is typically to gain unauthorized access to sensitive information about the target for financial, personal, political, or other gains. Eavesdropping is different from a sniffing attack as it does not take place on a network-based communication channel (e.g., IP traffic). Instead, it entails listening in on the raw audio source of a conversation between two or more parties. | 2014-06-23 02:00:00 |
Capec: CAPEC-651
Cwe: CWE-200 Attack: T1111 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Communications Software Physical Security |
None | None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Use of Known Kerberos Credentials | Standard | An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain. | Kerberos is the default authentication method for Windows domains and is also used across many operating systems. Attacks leveraging trusted Kerberos credentials can result in numerous consequences, depending on what Kerberos credential is stolen. For example, Kerberos service accounts are typically used to run services or scheduled tasks pertaining to authentication. However, these credentials are often weak and never expire, in addition to possessing local or domain administrator privileges. If an adversary is able to acquire these credentials, it could result in lateral movement within the domain or access to any resources the service account is privileged to access, among other things. Ultimately, successful spoofing and impersonation of trusted Kerberos credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application. | 2020-07-30 02:00:00 |
Capec: CAPEC-652
Cwe: CWE-522 Cwe: CWE-307 Cwe: CWE-308 Cwe: CWE-309 Cwe: CWE-262 Cwe: CWE-263 Cwe: CWE-654 Cwe: CWE-294 Cwe: CWE-836 Attack: T1558 Reference_from_capec: REF-584 Reference_from_capec: REF-585 Reference_from_capec: REF-586 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Medium |
|
|
Low: Once an adversary obtains a known Kerberos credential, leveraging it is trivial. | Draft | High | 3.9 | |||||||||||||||||||||||||||
| Use of Known Operating System Credentials | Standard | An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System. | This attack can be extremely harmful when the operating system credentials used are for a root or admin user. Once an adversary gains access using credentials with elevated privileges, they are free to alter important system files which can effect other users who may use the system or other users on the system's network. | 2020-07-30 02:00:00 |
Capec: CAPEC-653
Cwe: CWE-522 Cwe: CWE-307 Cwe: CWE-308 Cwe: CWE-309 Cwe: CWE-262 Cwe: CWE-263 Cwe: CWE-654 Reference_from_capec: REF-575 Reference_from_capec: REF-576 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: Once an adversary obtains a known credential, leveraging it is trivial. | Draft | High | 3.9 | |||||||||||||||||||||||||||
| Adversary in the Browser (AiTB) | Standard | An adversary exploits security vulnerabilities or inherent functionalities of a web browser, in order to manipulate traffic between two endpoints. | This attack first requires the adversary to trick the victim into installing a Trojan Horse application on their system, such as a malicious web browser plugin, which the adversary then leverages to mount the attack. The victim interacts with a web application, such as a banking website, in a normal manner and under the assumption that the connection is secure. However, the adversary can now alter and/or reroute traffic between the client application (e.g., web browser) and the coinciding endpoint, while simultaneously displaying intended transactions and data back to the user. The adversary may also be able to glean cookies, HTTP sessions, and SSL client certificates, which can be used to pivot into an authenticated intranet. Identifying AITB is often difficult because these attacks are successful even when security mechanisms such as SSL/PKI and multifactor authentication are present, since they still function as intended during the attack. | 2021-06-24 02:00:00 |
Capec: CAPEC-662
Cwe: CWE-300 Cwe: CWE-494 Attack: T1185 Owasp Attacks: Man-in-the-browser attack Reference_from_capec: REF-629 Reference_from_capec: REF-630 Reference_from_capec: REF-631 Reference_from_capec: REF-632 |
2022-09-29 02:00:00 | 2.1 |
|
Integrity:
|
Communications Software |
|
Experiment
Exploit
|
High |
|
Medium: Tricking the victim into installing the Trojan is often the most difficult aspect of this attack. Afterwards, the remainder of this attack is fairly trivial. | Stable | Very High | 3.9 | |||||||||||||||||||||||||||
| Exploitation of Transient Instruction Execution | Standard | An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution to expose sensitive data and bypass/subvert access control over restricted resources. Typically, the adversary conducts a covert channel attack to target non-discarded microarchitectural changes caused by transient executions such as speculative execution, branch prediction, instruction pipelining, and/or out-of-order execution. The transient execution results in a series of instructions (gadgets) which construct covert channel and access/transfer the secret data. | 2021-06-24 02:00:00 |
Capec: CAPEC-663
Cwe: CWE-1037 Cwe: CWE-1303 Cwe: CWE-1264 Reference_from_capec: REF-637 Reference_from_capec: REF-638 Reference_from_capec: REF-639 Reference_from_capec: REF-640 Reference_from_capec: REF-641 Reference_from_capec: REF-642 Reference_from_capec: REF-643 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Software Hardware Software |
|
Explore
Experiment
Exploit
|
Low |
|
|
High: Detailed knowledge on compiled binaries and operating system shared libraries of instruction sequences, and layout of application and OS/Kernel address spaces for data leakage. | Stable | Very High | 3.9 | ||||||||||||||||||||||||||||
| Server Side Request Forgery | Standard | An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf. | 2021-06-24 02:00:00 |
Capec: CAPEC-664
Cwe: CWE-918 Cwe: CWE-20 Reference_from_capec: REF-644 Reference_from_capec: REF-645 Reference_from_capec: REF-646 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
High: The adversary will be required to access internal resources, extract information, or leverage the services running on the server to perform unauthorized actions such as traversing the local network or routing a reflected TCP DDoS through them. Medium: The adversary will have to detect the vulnerability through an intermediary service or specify maliciously crafted URLs and analyze the server response. | Stable | High | 3.9 | ||||||||||||||||||||||||||||
| BlueSmacking | Standard | An adversary uses Bluetooth flooding to transfer large packets to Bluetooth enabled devices over the L2CAP protocol with the goal of creating a DoS. This attack must be carried out within close proximity to a Bluetooth enabled device. | 2021-06-24 02:00:00 |
Capec: CAPEC-666
Cwe: CWE-404 Attack: T1498.001 Attack: T1499.001 Reference_from_capec: REF-655 |
2022-09-29 02:00:00 | 2.1 |
Availability:
|
Communications Software |
Explore
Experiment
Exploit
|
Medium |
|
Low: An adversary only needs a Linux machine along with a Bluetooth adapter, which is extremely common. | Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Key Negotiation of Bluetooth Attack (KNOB) | Standard | An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication. | 2021-06-24 02:00:00 |
Capec: CAPEC-668
Cwe: CWE-425 Cwe: CWE-285 Cwe: CWE-693 Attack: T1565.002 Reference_from_capec: REF-657 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Low |
|
|
Medium: Ability to modify packets. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Alteration of a Software Update | Standard | An adversary with access to an organization’s software update infrastructure inserts malware into the content of an outgoing update to fielded systems where a wide range of malicious effects are possible. With the same level of access, the adversary can alter a software update to perform specific malicious acts including granting the adversary control over the software’s normal functionality. | 2021-06-24 02:00:00 |
Capec: CAPEC-669
Attack: T1195.002 Reference_from_capec: REF-658 Reference_from_capec: REF-659 Reference_from_capec: REF-660 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Social Engineering Supply Chain Software |
|
Explore
Experiment
Exploit
|
Medium |
|
High: Skills required include the ability to infiltrate the organization’s software update infrastructure either from the Internet or from within the organization, including subcontractors, and be able to change software being delivered to customer/user systems in an undetected manner. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Retrieve Data from Decommissioned Devices | Standard | An adversary obtains decommissioned, recycled, or discarded systems and devices that can include an organization’s intellectual property, employee data, and other types of controlled information. Systems and devices that have reached the end of their lifecycles may be subject to recycle or disposal where they can be exposed to adversarial attempts to retrieve information from internal memory chips and storage devices that are part of the system. | 2021-06-24 02:00:00 |
Capec: CAPEC-675
Cwe: CWE-1266 Attack: T1052 Reference_from_capec: REF-663 Reference_from_capec: REF-717 |
2023-01-24 01:00:00 | 2.1 |
Accountability:
|
Supply Chain Software Physical Security Hardware |
|
None | Medium |
|
High: An adversary may need the ability to mount printed circuit boards and target individual chips for exploitation. Medium: An adversary needs the technical skills required to extract solid state drives, hard disk drives, and other storage media to host on a compatible system or harness to gain access to digital content. | Stable | Medium | 3.9 | |||||||||||||||||||||||||||||
| NoSQL Injection | Standard | An adversary targets software that constructs NoSQL statements based on user input or with parameters vulnerable to operator replacement in order to achieve a variety of technical impacts such as escalating privileges, bypassing authentication, and/or executing code. | NoSQL database calls are written in an application's programming language, via a custom API call, or formatted in a common convention (e.g., JSON, XML, etc.), any of which the adversary can exploit to achieve the aforementioned goals. NoSQL attacks usually result from improper sanitization and validation of data that originates from a user, either via special character or JavaScript injection. In both cases, the adversary crafts input strings so that when the target software constructs NoSQL statements based on the input, the resulting NoSQL statement performs actions other than those intended by the application. However, unlike traditional SQL Injection attacks, NoSQL injection attacks can also occur in instances where the application does not rely upon user input, as is the case in operator replacements. This entails the adversary overriding reserved NoSQL variable names with ones that have been modified with malicious functionality (e.g., $where in MongoDB). In all cases, depending on the NoSQL API and data model used, successful injection can cause information disclosure, data modification, and code execution at the application level. Note: NoSQL Injection attacks are executed within a procedural language (e.g., C, C++, Perl), as opposed to the declarative SQL language itself. As a result, NoSQL injection attacks can potentially result in greater impacts than traditional SQL Injection attacks [REF-668]. | 2021-10-21 02:00:00 |
Capec: CAPEC-676
Cwe: CWE-943 Cwe: CWE-1286 Reference_from_capec: REF-668 Reference_from_capec: REF-669 Reference_from_capec: REF-670 Reference_from_capec: REF-671 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: For keyword and JavaScript injection attacks, it is fairly simple for someone with basic NoSQL knowledge to perform NoSQL injection, once the target's technology stack has been determined. Medium: For operator replacement attacks, the adversary must also have knowledge of HTTP Parameter Pollution attacks and how to conduct them. | Stable | High | 3.9 | |||||||||||||||||||||||||||
| Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities | Standard | An adversary may exploit vulnerable code (i.e., firmware or ROM) that is unpatchable. Unpatchable devices exist due to manufacturers intentionally or inadvertently designing devices incapable of updating their software. Additionally, with updatable devices, the manufacturer may decide not to support the device and stop making updates to their software. | When a vulnerability is found in a device that has no means of patching, the attack may be used against an entire class of devices. Devices from the same manufacturer often use similar or identical firmware, which could lead to widespread attacks. Devices of this nature are prime targets for botnet attacks. Consumer devices are frequently targeted for this attack due to the complexities of updating firmware once manufacturers no longer have physical access to a device. When exploiting a found vulnerability, adversaries often try to gain root access on a device. This allows them to use the device for any malicious purpose. Some example exploits are stealing device data, using the device for a ransomware attack, or recruiting the device for a botnet. | 2022-09-29 02:00:00 |
Capec: CAPEC-682
Cwe: CWE-1277 Cwe: CWE-1310 Reference_from_capec: REF-723 Reference_from_capec: REF-724 Reference_from_capec: REF-725 Reference_from_capec: REF-726 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software Hardware |
|
Explore
Experiment
Exploit
|
Medium |
|
High: Ability to identify physical entry points such as debug interfaces if the device is not being accessed remotely Medium: Knowledge of various wireless protocols to enable remote access to vulnerable devices | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Spoof Open-Source Software Metadata | Standard | An adversary spoofs open-source software metadata in an attempt to masquerade malicious software as popular, maintained, and trusted. | Due to open-source software's popularity, it serves as a desirable attack- vector for adversaries since a single malicious component may result in the exploitation of numerous systems/applications. Adversaries may, therefore, spoof the metadata pertaining to the open-source software in order to trick victims into downloading and using their malicious software. Examples of metadata that may be spoofed include: Owner of the software (e.g., repository or package owner) Author(s) of repository commits Frequency of repository commits Date/Time of repository commits Package or Repository "stars" Once the malicious software component has been integrated into an underlying application or executed on a system, the adversary is ultimately able to achieve numerous negative technical impacts within the system/application. This often occurs without any indication of compromise. | 2022-09-29 02:00:00 |
Capec: CAPEC-691
Cwe: CWE-494 Attack: T1195.001 Attack: T1195.002 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Social Engineering Supply Chain Software |
|
None | Medium |
|
Medium: Ability to spoof a variety of software metadata to convince victims the source is trusted. | Stable | High | 3.9 | ||||||||||||||||||||||||||||
| System Location Discovery | Standard | An adversary collects information about the target system in an attempt to identify the system's geographical location. Information gathered could include keyboard layout, system language, and timezone. This information may benefit an adversary in confirming the desired target and/or tailoring further attacks. | 2022-09-29 02:00:00 |
Capec: CAPEC-694
Cwe: CWE-497 Attack: T1614 Reference_from_capec: REF-727 Reference_from_capec: REF-728 Reference_from_capec: REF-729 Reference_from_capec: REF-730 Reference_from_capec: REF-731 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Communications Software |
Explore
|
High |
|
|
Low: The adversary must know how to query various system sources of information respective of the system's operating system to obtain the relevant information. | Stable | Very Low | 3.9 | |||||||||||||||||||||||||||||
| DHCP Spoofing | Standard | An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of redirecting network traffic or denying service to DHCP. | DHCP is broadcast to the entire Local Area Network (LAN) and does not have any form of authentication by default. Therefore, it is susceptible to spoofing. An adversary with access to the target LAN can receive DHCP messages; obtaining the topology information required to potentially manipulate other hosts' network configurations. To improve the likelihood of the DHCP request being serviced by the Rogue server, an adversary can first starve the DHCP pool. | 2022-09-29 02:00:00 |
Capec: CAPEC-697
Cwe: CWE-923 Attack: T1557.003 Reference_from_capec: REF-737 Reference_from_capec: REF-738 Reference_from_capec: REF-739 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Social Engineering Software Hardware |
|
Explore
Experiment
Exploit
|
Low |
|
|
Medium: The adversary must identify potential targets for DHCP Spoofing and craft network configurations to obtain the desired results. | Stable | High | 3.9 | |||||||||||||||||||||||||||
| Network Boundary Bridging | Standard | An adversary which has gained elevated access to network boundary devices may use these devices to create a channel to bridge trusted and untrusted networks. Boundary devices do not necessarily have to be on the network’s edge, but rather must serve to segment portions of the target network the adversary wishes to cross into. | Network boundary devices are network devices such as routers and firewalls which segment networks by restricting certain types of traffic from flowing through the device. Network boundary devices are often directly accessible through a portal page for management purposes. An adversary’s goal when conducting network boundary bridging is to connect networks which are being segmented by the device. To do so, the adversary must first compromise the network boundary device. | 2023-01-24 01:00:00 |
Capec: CAPEC-700
Attack: T1599 Reference_from_capec: REF-746 |
2023-01-24 01:00:00 | 2.1 |
Integrity:
|
Communications Software Hardware |
|
Explore
Experiment
Exploit
|
Medium |
|
|
Medium: The adversary must understand how to manage the target network device to create or edit policies which will bridge networks. | Draft | High | 3.9 | |||||||||||||||||||||||||||
| Browser in the Middle (BiTM) | Standard | An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access. | Unlike Adversary in the Browser, the victim does not need to install a malicious application. Browser in the Middle uses the inherent functionalities of a web browser to convince the victim they are browsing normally under the assumption that the connection is secure. All the actions performed by the victim in the open window are actually performed on the machine of the adversary. These victim-authenticated sessions are available to the adversary to use. All entered data such as passwords and usernames can be logged by the adversary and the content displayed to the victim can be altered arbitrarily. Varieties of multifactor authentication which rely solely on user input and do not use a form of hardware-based secret exchange are vulnerable to browser in the middle. | 2023-01-24 01:00:00 |
Capec: CAPEC-701
Cwe: CWE-294 Cwe: CWE-345 Reference_from_capec: REF-747 |
2023-01-24 01:00:00 | 2.1 |
Integrity:
|
Communications Software |
Explore
Experiment
Exploit
|
Medium |
|
|
Medium: | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Using Leading 'Ghost' Character Sequences to Bypass Input Filters | Detailed | Some APIs will strip certain leading characters from a string of parameters. An adversary can intentionally introduce leading "ghost" characters (extra characters that don't affect the validity of the request at the API layer) that enable the input to pass the filters and therefore process the adversary's input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API. | 2014-06-23 02:00:00 |
Capec: CAPEC-3
Cwe: CWE-173 Cwe: CWE-41 Cwe: CWE-172 Cwe: CWE-179 Cwe: CWE-180 Cwe: CWE-181 Cwe: CWE-183 Cwe: CWE-184 Cwe: CWE-20 Cwe: CWE-74 Cwe: CWE-697 Cwe: CWE-707 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Medium |
|
Medium: The ability to make an API request, and knowledge of "ghost" characters that will not be filtered by any input validation. These "ghost" characters must be known to not affect the way in which the request will be interpreted. | Draft | Medium | 3.9 | |||||||||||||||||||||||||||||
| Using Alternative IP Address Encodings | Detailed | This attack relies on the adversary using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names (FQDNs), URL, IP address, or IP Address ranges. If the location information is not validated against a variety of different possible encodings and formats, the adversary can use an alternate format to bypass application access control. | 2014-06-23 02:00:00 |
Capec: CAPEC-4
Cwe: CWE-291 Cwe: CWE-173 Reference_from_capec: REF-1 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Software |
|
Explore
Experiment
Exploit
|
Medium |
|
|
Low: The adversary has only to try IP address format combinations. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Blue Boxing | Detailed | This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions. This attack pattern is included in CAPEC for historical purposes. | 2014-06-23 02:00:00 |
Capec: CAPEC-5
Cwe: CWE-285 Reference_from_capec: REF-1 |
2023-01-24 01:00:00 | 2.1 |
Availability:
|
Communications Software |
|
None | Medium |
|
|
Low: Given a vulnerable phone system, the attackers' technical vector relies on attacks that are well documented in cracker 'zines and have been around for decades. | Obsolete | Very High | 3.9 | ||||||||||||||||||||||||||||
| Blind SQL Injection | Detailed | Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection. | 2014-06-23 02:00:00 |
Capec: CAPEC-7
Cwe: CWE-89 Cwe: CWE-209 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-697 Cwe: CWE-707 Owasp Attacks: Blind SQL Injection |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Medium: Determining the database type and version, as well as the right number and type of parameters to the query being injected in the absence of error messages requires greater skill than reverse-engineering database error messages. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Buffer Overflow in an API Call | Detailed | This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An adversary who has knowledge of known vulnerable libraries or shared code can easily target software that makes use of these libraries. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process. | 2014-06-23 02:00:00 |
Capec: CAPEC-8
Cwe: CWE-120 Cwe: CWE-119 Cwe: CWE-118 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-680 Cwe: CWE-733 Cwe: CWE-697 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS. High: Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Buffer Overflow in Local Command-Line Utilities | Detailed | This attack targets command-line utilities available in a number of shells. An adversary can leverage a vulnerability found in a command-line utility to escalate privilege to root. | 2014-06-23 02:00:00 |
Capec: CAPEC-9
Cwe: CWE-120 Cwe: CWE-118 Cwe: CWE-119 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-680 Cwe: CWE-733 Cwe: CWE-697 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS. High: Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Buffer Overflow via Environment Variables | Detailed | This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables. | Although the focus of this attack is putting excessive content into an environment variable that is loaded into a buffer, environment variables can be used to assist a classic buffer overflow attack as well. In the case where the buffer used in a traditional buffer overflow attack is not large enough to store the adversary's shell code, they will store the shell code in an environment variable and attempt to return to its address, rather than back into the data they wrote to the buffer. | 2014-06-23 02:00:00 |
Capec: CAPEC-10
Cwe: CWE-120 Cwe: CWE-302 Cwe: CWE-118 Cwe: CWE-119 Cwe: CWE-74 Cwe: CWE-99 Cwe: CWE-20 Cwe: CWE-680 Cwe: CWE-733 Cwe: CWE-697 Owasp Attacks: Buffer Overflow via Environment Variables Reference_from_capec: REF-1 Reference_from_capec: REF-2 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS. High: Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Cause Web Server Misclassification | Detailed | An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process. | This type of vulnerability has been found in many widely used servers including IIS, Lotus Domino, and Orion. The attacker's job in this case is straightforward, standard communication protocols and methods are used and are generally appended with malicious information at the tail end of an otherwise legitimate request. The attack payload varies, but it could be special characters like a period or simply appending a tag that has a special meaning for operations on the server side like .jsp for a java application server. The essence of this attack is that the attacker deceives the server into executing functionality based on the name of the request, i.e. login.jsp, not the contents. | 2014-06-23 02:00:00 |
Capec: CAPEC-11
Cwe: CWE-430 Attack: T1036.006 Reference_from_capec: REF-1 Reference_from_capec: REF-6 |
2022-09-29 02:00:00 | 2.1 |
Authorization:
|
Software |
|
Explore
Experiment
Exploit
|
Medium |
|
|
Low: To modify file name or file extension Medium: To use misclassification to force the Web server to disclose configuration information, source, or binary data | Draft | High | 3.9 | |||||||||||||||||||||||||||
| Subverting Environment Variable Values | Detailed | The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary. | 2014-06-23 02:00:00 |
Capec: CAPEC-13
Cwe: CWE-353 Cwe: CWE-285 Cwe: CWE-302 Cwe: CWE-74 Cwe: CWE-15 Cwe: CWE-73 Cwe: CWE-20 Cwe: CWE-200 Attack: T1562.003 Attack: T1574.006 Attack: T1574.007 Reference_from_capec: REF-1 |
2022-02-22 01:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: In a web based scenario, the client controls the data that it submitted to the server. So anybody can try to send malicious data and try to bypass the authentication mechanism. High: Some more advanced attacks may require knowledge about protocols and probing technique which help controlling a variable. The malicious user may try to understand the authentication mechanism in order to defeat it. | Stable | Very High | 3.9 | |||||||||||||||||||||||||||||
| Client-side Injection-induced Buffer Overflow | Detailed | This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service. This hostile service is created to deliver the correct content to the client software. For example, if the client-side application is a browser, the service will host a webpage that the browser loads. | 2014-06-23 02:00:00 |
Capec: CAPEC-14
Cwe: CWE-120 Cwe: CWE-353 Cwe: CWE-118 Cwe: CWE-119 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-680 Cwe: CWE-697 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Medium |
|
Low: To achieve a denial of service, an attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. High: Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap requires a more in-depth knowledge and higher skill level. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Dictionary-based Password Attack | Detailed | An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern. Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts. | 2014-06-23 02:00:00 |
Capec: CAPEC-16
Cwe: CWE-521 Cwe: CWE-262 Cwe: CWE-263 Cwe: CWE-654 Cwe: CWE-307 Cwe: CWE-308 Cwe: CWE-309 |
2020-12-17 01:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Exploit
|
Medium |
|
|
Low: A variety of password cracking tools and dictionaries are available to launch this type of an attack. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| XSS Targeting Non-Script Elements | Detailed | This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an adversary to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote adversary to collect and interpret the output of said attack. | 2014-06-23 02:00:00 |
Capec: CAPEC-18
Cwe: CWE-80 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software Software Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: To achieve a redirection and use of less trusted source, an adversary can simply edit content such as XML payload or HTML files that are sent to client machine. High: Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process. | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| Filter Failure through Buffer Overflow | Detailed | In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered). | 2014-06-23 02:00:00 |
Capec: CAPEC-24
Cwe: CWE-120 Cwe: CWE-119 Cwe: CWE-118 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-680 Cwe: CWE-733 Cwe: CWE-697 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS. High: Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Leveraging Race Conditions via Symbolic Links | Detailed | This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file. | 2014-06-23 02:00:00 |
Capec: CAPEC-27
Cwe: CWE-367 Cwe: CWE-61 Cwe: CWE-662 Cwe: CWE-689 Cwe: CWE-667 Reference_from_capec: REF-115 Reference_from_capec: REF-116 |
2020-07-30 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Medium |
|
Medium: This attack is sophisticated because the attacker has to overcome a few challenges such as creating symlinks on the target host during a precise timing, inserting malicious data in the temporary file and have knowledge about the temporary files created (file name and function which creates them). | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Accessing/Intercepting/Modifying HTTP Cookies | Detailed | This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information. | 2014-06-23 02:00:00 |
Capec: CAPEC-31
Cwe: CWE-565 Cwe: CWE-302 Cwe: CWE-311 Cwe: CWE-113 Cwe: CWE-539 Cwe: CWE-20 Cwe: CWE-315 Cwe: CWE-384 Cwe: CWE-472 Cwe: CWE-602 Cwe: CWE-642 Attack: T1539 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
|
High |
|
|
Low: To overwrite session cookie data, and submit targeted attacks via HTTP High: Exploiting a remote buffer overflow generated by attack | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| XSS Through HTTP Query Strings | Detailed | An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then procedes to use the values parameters without properly validation them first and generates the HTML code that will be executed by the victim's browser. | 2014-06-23 02:00:00 |
Capec: CAPEC-32
Cwe: CWE-80 Reference_from_capec: REF-1 |
2022-02-22 01:00:00 | 2.1 |
Integrity:
|
Software Software Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: To place malicious payload on server via HTTP High: Exploiting any information gathered by HTTP Query on script host | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| HTTP Request Smuggling | Detailed | An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request- line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server). See CanPrecede relationships for possible consequences. | A maliciously crafted HTTP request, which contains a second secretly embedded HTTP request is interpreted by an intermediary web proxy as single benign HTTP request, is forwarded to a back-end server, that interprets and parses the HTTP request as two authorized benign HTTP requests bypassing security controls. This attack usually involves the misuse of the HTTP headers: Content-Length and Transfer-Encoding. These abuses are discussed in RFC 2616 4.4.3 and section 4.2 and are related to ordering and precedence of these headers. [REF-38] Additionally this attack can be performed through modification and/or fuzzing of parameters composing the request-line of HTTP messages. This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents. This differs from CAPEC-273 HTTP Response Smuggling, which is usually an attempt to compromise a client agent (e.g., web browser) by sending malicious content in HTTP responses from back-end HTTP infrastructure. HTTP Request Smuggling is an attempt to compromise aback-end HTTP agentvia HTTP Request messages. HTTP Splitting (CAPEC-105 and CAPEC-34) is different from HTTP Smuggling due to the fact that during implementation of asynchronous requests, HTTP Splitting requires the embedding/injection of arbitrary HTML headers and content through user input into browser cookies or Ajax web/browser object parameters like XMLHttpRequest. | 2014-06-23 02:00:00 |
Capec: CAPEC-33
Cwe: CWE-444 Wasc: 26 Reference_from_capec: REF-38 Reference_from_capec: REF-117 Reference_from_capec: REF-617 Reference_from_capec: REF-672 Reference_from_capec: REF-673 Reference_from_capec: REF-674 Reference_from_capec: REF-678 Reference_from_capec: REF-681 Reference_from_capec: REF-682 Reference_from_capec: REF-683 Reference_from_capec: REF-684 |
2022-09-29 02:00:00 | 2.1 |
|
Integrity:
|
Communications Software |
|
Explore
Experiment
Exploit
|
Medium |
|
|
Medium: Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers. | Stable | High | 3.9 | ||||||||||||||||||||||||||
| HTTP Response Splitting | Detailed | An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site. See CanPrecede relationships for possible consequences. | Malicious user input is injected into various standard and/or user defined HTTP headers within a HTTP Response through use of Carriage Return (CR), Line Feed (LF), Horizontal Tab (HT), Space (SP) characters as well as other valid/RFC compliant special characters, and unique character encoding. A single HTTP response ends up being split as two or more HTTP responses by the targeted client HTTP agent parsing the original maliciously manipulated HTTP response. This allows malicious HTTP responses to bypass security controls in order to implement malicious actions and provide malicious content that allows access to sensitive data and to compromise applications and users. This is performed by the abuse of interpretation and parsing discrepancies in different intermediary HTTP agents (load balancer, reverse proxy, web caching proxies, application firewalls, etc.) or client HTTP agents (e.g., web browser) in the path of the malicious HTTP responses. This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions as well as lack of syntax checking and filtering of user input in the HTTP agents receiving HTTP messages in the path. This differs from CAPEC-105 HTTP Request Splitting, which is usually an attempt to compromise a back-end HTTP agent via HTTP Request messages. HTTP Response Splitting is an attempt to compromise aclient agent (e.g., web browser)by sending malicious content in HTTP responses from back-end HTTP infrastructure. HTTP Smuggling (CAPEC-33 and CAPEC-273) is different from HTTP Splitting due to the fact it relies upon discrepancies in the interpretation of various HTTP Headers and message sizes and not solely user input of special characters and character encoding. HTTP Smuggling was established to circumvent mitigations against HTTP Request Splitting techniques. | 2014-06-23 02:00:00 |
Capec: CAPEC-34
Cwe: CWE-74 Cwe: CWE-113 Cwe: CWE-138 Cwe: CWE-436 Wasc: 25 Reference_from_capec: REF-1 Reference_from_capec: REF-117 Reference_from_capec: REF-617 Reference_from_capec: REF-680 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Communications Software |
|
Explore
Experiment
Exploit
|
Medium |
|
|
Medium: Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers. | Stable | High | 3.9 | |||||||||||||||||||||||||||
| Leverage Executable Code in Non-Executable Files | Detailed | An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. | 2014-06-23 02:00:00 |
Capec: CAPEC-35
Cwe: CWE-94 Cwe: CWE-96 Cwe: CWE-95 Cwe: CWE-97 Cwe: CWE-272 Cwe: CWE-59 Cwe: CWE-282 Cwe: CWE-270 Attack: T1027.006 Attack: T1027.009 Attack: T1564.009 Reference_from_capec: REF-1 |
2023-01-24 01:00:00 | 2.1 |
Integrity:
|
Software |
|
None | High |
|
|
Low: To identify and execute against an over-privileged system interface | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| Retrieve Embedded Sensitive Data | Detailed | An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack. | 2014-06-23 02:00:00 |
Capec: CAPEC-37
Cwe: CWE-226 Cwe: CWE-311 Cwe: CWE-525 Cwe: CWE-312 Cwe: CWE-314 Cwe: CWE-315 Cwe: CWE-318 Cwe: CWE-1239 Cwe: CWE-1258 Cwe: CWE-1266 Cwe: CWE-1272 Cwe: CWE-1278 Cwe: CWE-1301 Cwe: CWE-1330 Attack: T1005 Attack: T1552.004 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software Physical Security Hardware |
|
Explore
Exploit
|
High |
|
|
Medium: The attacker must possess knowledge of client code structure as well as ability to reverse-engineer or decompile it or probe it in other ways. This knowledge is specific to the technology and language used for the client distribution | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| Leveraging/Manipulating Configuration File Search Paths | Detailed | This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker. | 2014-06-23 02:00:00 |
Capec: CAPEC-38
Cwe: CWE-426 Cwe: CWE-427 Attack: T1574.007 Attack: T1574.009 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
None | High |
|
Low: To identify and execute against an over-privileged system interface | Draft | Very High | 3.9 | |||||||||||||||||||||||||||||
| Using Meta-characters in E-mail Headers to Inject Malicious Payloads | Detailed | This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system. | 2014-06-23 02:00:00 |
Capec: CAPEC-41
Cwe: CWE-150 Cwe: CWE-88 Cwe: CWE-697 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software Software |
|
Experiment
Exploit
|
High |
|
Low: To distribute email | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| MIME Conversion | Detailed | An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back. | 2014-06-23 02:00:00 |
Capec: CAPEC-42
Cwe: CWE-120 Cwe: CWE-119 Cwe: CWE-74 Cwe: CWE-20 Reference_from_capec: REF-1 Reference_from_capec: REF-364 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: It may be trivial to cause a DoS via this attack pattern High: Causing arbitrary code to execute on the target system. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Exploiting Multiple Input Interpretation Layers | Detailed | An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: \--> \--> . In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop. | 2014-06-23 02:00:00 |
Capec: CAPEC-43
Cwe: CWE-179 Cwe: CWE-181 Cwe: CWE-184 Cwe: CWE-183 Cwe: CWE-77 Cwe: CWE-78 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-697 Cwe: CWE-707 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Medium |
|
Medium: Knowledge of various escaping schemes, such as URL escape encoding and XML escape characters. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Overflow Binary Resource File | Detailed | An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the adversary access to the execution stack and execute arbitrary code in the target process. | This attack pattern is a variant of standard buffer overflow attack using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The adversary is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application for the victim to download. The adversary then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow. | 2014-06-23 02:00:00 |
Capec: CAPEC-44
Cwe: CWE-120 Cwe: CWE-119 Cwe: CWE-697 Reference_from_capec: REF-1 |
2022-02-22 01:00:00 | 2.1 |
Integrity:
|
Software Software |
|
Explore
Experiment
Exploit
|
High |
|
Medium: To modify file, deceive client into downloading, locate and exploit remote stack or heap vulnerability | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| Buffer Overflow via Symbolic Links | Detailed | This type of attack leverages the use of symbolic links to cause buffer overflows. An adversary can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking. | 2014-06-23 02:00:00 |
Capec: CAPEC-45
Cwe: CWE-120 Cwe: CWE-285 Cwe: CWE-302 Cwe: CWE-118 Cwe: CWE-119 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-680 Cwe: CWE-697 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS. High: Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Overflow Variables and Tags | Detailed | This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The adversary crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow. | 2014-06-23 02:00:00 |
Capec: CAPEC-46
Cwe: CWE-120 Cwe: CWE-118 Cwe: CWE-119 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-680 Cwe: CWE-733 Cwe: CWE-697 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS. High: Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Buffer Overflow via Parameter Expansion | Detailed | In this attack, the target software is given input that the adversary knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow. | 2014-06-23 02:00:00 |
Capec: CAPEC-47
Cwe: CWE-120 Cwe: CWE-119 Cwe: CWE-118 Cwe: CWE-130 Cwe: CWE-131 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-680 Cwe: CWE-697 Reference_from_capec: REF-1 |
2022-02-22 01:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Medium |
|
|
High: Finding this particular buffer overflow may not be trivial. Also, stack and especially heap based buffer overflows require a lot of knowledge if the intended goal is arbitrary code execution. Not only that the adversary needs to write the shell code to accomplish their goals, but the adversary also needs to find a way to get the program execution to jump to the planted shell code. There also needs to be sufficient room for the payload. So not every buffer overflow will be exploitable, even by a skilled adversary. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Poison Web Service Registry | Detailed | SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata, and delete information about service provider interfaces. | WS-Addressing is used to virtualize services, provide return addresses and other routing information, however, unless the WS-Addressing headers are protected they are vulnerable to rewriting. Content in a registry is deployed by the service provider. The registry in an SOA or Web Services system can be accessed by the service requester via UDDI or other protocol. | 2014-06-23 02:00:00 |
Capec: CAPEC-51
Cwe: CWE-285 Cwe: CWE-74 Cwe: CWE-693 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: To identify and execute against an over-privileged system interface | Draft | Very High | 3.9 | |||||||||||||||||||||||||||
| Embedding NULL Bytes | Detailed | An adversary embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s). | 2014-06-23 02:00:00 |
Capec: CAPEC-52
Cwe: CWE-158 Cwe: CWE-172 Cwe: CWE-173 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-697 Cwe: CWE-707 Wasc: 28 Owasp Attacks: Embedding Null Code Reference_from_capec: REF-1 Reference_from_capec: REF-445 Reference_from_capec: REF-446 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
High: Execution of arbitrary code Medium: Directory traversal | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Postfix, Null Terminate, and Backslash | Detailed | If a string is passed through a filter of some kind, then a terminal NULL may not be valid. Using alternate representation of NULL allows an adversary to embed the NULL mid-string while postfixing the proper data so that the filter is avoided. One example is a filter that looks for a trailing slash character. If a string insertion is possible, but the slash must exist, an alternate encoding of NULL in mid-string may be used. | 2014-06-23 02:00:00 |
Capec: CAPEC-53
Cwe: CWE-158 Cwe: CWE-172 Cwe: CWE-173 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-697 Cwe: CWE-707 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Medium: An adversary needs to understand alternate encodings, what the filter looks for and the data format acceptable to the target API | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Rainbow Table Password Cracking | Detailed | An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system. | A password rainbow table stores hash chains for various passwords. A password chain is computed, starting from the original password, P, via a reduce(compression) function R and a hash function H. A recurrence relation exists where Xi+1 = R(H(Xi)), X0 = P. Then the hash chain of length n for the original password P can be formed: X1, X2, X3, ... , Xn-2, Xn-1, Xn, H(Xn). P and H(Xn) are then stored together in the rainbow table. Constructing the rainbow tables takes a very long time and is computationally expensive. A separate table needs to be constructed for the various hash algorithms (e.g. SHA1, MD5, etc.). However, once a rainbow table is computed, it can be very effective in cracking the passwords that have been hashed without the use of salt. | 2014-06-23 02:00:00 |
Capec: CAPEC-55
Cwe: CWE-261 Cwe: CWE-521 Cwe: CWE-262 Cwe: CWE-263 Cwe: CWE-654 Cwe: CWE-916 Cwe: CWE-308 Cwe: CWE-309 Attack: T1110.002 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Software |
|
Explore
Exploit
|
Medium |
|
|
Low: A variety of password cracking tools are available that can leverage a rainbow table. The more difficult part is to obtain the password hash(es) in the first place. | Draft | Medium | 3.9 | |||||||||||||||||||||||||||
| Utilizing REST's Trust in the System Resource to Obtain Sensitive Data | Detailed | This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated. | Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The adversary can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the adversary gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme. | 2014-06-23 02:00:00 |
Capec: CAPEC-57
Cwe: CWE-300 Cwe: CWE-287 Cwe: CWE-693 Attack: T1040 |
2022-09-29 02:00:00 | 2.1 |
Authorization:
|
Communications Software |
|
Explore
Experiment
Exploit
|
Medium |
|
Low: To insert a network sniffer or other listener into the communication stream | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| Restful Privilege Elevation | Detailed | An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages. | Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server. | 2014-06-23 02:00:00 |
Capec: CAPEC-58
Cwe: CWE-267 Cwe: CWE-269 Reference_from_capec: REF-463 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software Hardware Software |
|
None | High |
|
Low: It is relatively straightforward to identify an HTTP Get method that changes state on the server side and executes against an over-privileged system interface | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Session Credential Falsification through Prediction | Detailed | This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking. | 2014-06-23 02:00:00 |
Capec: CAPEC-59
Cwe: CWE-290 Cwe: CWE-330 Cwe: CWE-331 Cwe: CWE-346 Cwe: CWE-488 Cwe: CWE-539 Cwe: CWE-200 Cwe: CWE-6 Cwe: CWE-285 Cwe: CWE-384 Cwe: CWE-693 Wasc: 18 Owasp Attacks: Session Prediction Reference_from_capec: REF-1 |
2021-06-24 02:00:00 | 2.1 |
Authorization:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: There are tools to brute force session ID. Those tools require a low level of knowledge. Medium: Predicting Session ID may require more computation work which uses advanced analysis such as statistical analysis. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Reusing Session IDs (aka Session Replay) | Detailed | This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay. | 2014-06-23 02:00:00 |
Capec: CAPEC-60
Cwe: CWE-294 Cwe: CWE-290 Cwe: CWE-346 Cwe: CWE-384 Cwe: CWE-488 Cwe: CWE-539 Cwe: CWE-200 Cwe: CWE-285 Cwe: CWE-664 Cwe: CWE-732 Attack: T1134.001 Attack: T1550.004 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Authorization:
|
Software |
|
Explore
Exploit
|
High |
|
Low: If an attacker can steal a valid session ID, they can then try to be authenticated with that stolen session ID. Medium: More sophisticated attack can be used to hijack a valid session from a user and spoof a legitimate user by reusing their valid session ID. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Session Fixation | Detailed | The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation. | 2014-06-23 02:00:00 |
Capec: CAPEC-61
Cwe: CWE-384 Cwe: CWE-664 Cwe: CWE-732 Wasc: 37 Owasp Attacks: Session fixation Reference_from_capec: REF-1 Reference_from_capec: REF-601 |
2021-06-24 02:00:00 | 2.1 |
Authorization:
|
Software |
|
Explore
Experiment
Exploit
|
Medium |
|
|
Low: Only basic skills are required to determine and fixate session identifiers in a user's browser. Subsequent attacks may require greater skill levels depending on the attackers' motives. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Using Slashes and URL Encoding Combined to Bypass Validation Logic | Detailed | This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc. | 2014-06-23 02:00:00 |
Capec: CAPEC-64
Cwe: CWE-177 Cwe: CWE-173 Cwe: CWE-172 Cwe: CWE-73 Cwe: CWE-22 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-697 Cwe: CWE-707 Reference_from_capec: REF-1 Reference_from_capec: REF-495 Reference_from_capec: REF-496 Reference_from_capec: REF-497 Reference_from_capec: REF-498 Reference_from_capec: REF-499 Reference_from_capec: REF-500 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: An attacker can try special characters in the URL and bypass the URL validation. Medium: The attacker may write a script to defeat the input filtering mechanism. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Sniff Application Code | Detailed | An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server. | 2014-06-23 02:00:00 |
Capec: CAPEC-65
Cwe: CWE-319 Cwe: CWE-311 Cwe: CWE-318 Cwe: CWE-693 Attack: T1040 |
2022-09-29 02:00:00 | 2.1 |
Authorization:
|
Communications Software |
|
Explore
Exploit
|
Low |
|
|
Medium: The attacker needs to setup a sniffer for a sufficient period of time so as to capture meaningful quantities of code. The presence of the sniffer should not be detected on the network. Also if the attacker plans to employ an adversary-in-the-middle attack (CAPEC-94), the client or server must not realize this. Finally, the attacker needs to regenerate source code from binary code if the need be. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| String Format Overflow in syslog() | Detailed | This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function. | 2014-06-23 02:00:00 |
Capec: CAPEC-67
Cwe: CWE-120 Cwe: CWE-134 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-680 Cwe: CWE-697 Wasc: 06 Reference_from_capec: REF-1 Reference_from_capec: REF-503 Reference_from_capec: REF-504 Reference_from_capec: REF-505 Reference_from_capec: REF-506 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software Software |
|
Explore
Experiment
Exploit
|
High |
|
Draft | Very High | 3.9 | ||||||||||||||||||||||||||||||
| Try Common or Default Usernames and Passwords | Detailed | An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary. | 2014-06-23 02:00:00 |
Capec: CAPEC-70
Cwe: CWE-521 Cwe: CWE-262 Cwe: CWE-263 Cwe: CWE-798 Cwe: CWE-654 Cwe: CWE-308 Cwe: CWE-309 Attack: T1078.001 Reference_from_capec: REF-572 Reference_from_capec: REF-574 Reference_from_capec: REF-596 Reference_from_capec: REF-597 |
2021-06-24 02:00:00 | 2.1 |
Authorization:
|
Software |
|
None | Medium |
|
|
Low: An adversary just needs to gain access to common default usernames/passwords specific to the technologies used by the system. Additionally, a brute force attack leveraging common passwords can be easily realized if the user name is known. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Using Unicode Encoding to Bypass Validation Logic | Detailed | An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly. | 2014-06-23 02:00:00 |
Capec: CAPEC-71
Cwe: CWE-176 Cwe: CWE-179 Cwe: CWE-180 Cwe: CWE-173 Cwe: CWE-172 Cwe: CWE-184 Cwe: CWE-183 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-697 Cwe: CWE-692 Owasp Attacks: Unicode Encoding Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
|
Medium |
|
Medium: An attacker needs to understand Unicode encodings and have an idea (or be able to find out) what system components may not be Unicode aware. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| URL Encoding | Detailed | This attack targets the encoding of the URL. An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. | A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent- encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An adversary will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode- encoding, etc. The adversary could also subvert the meaning of the URL string request by encoding the data being sent to the server through a GET request. For instance an adversary may subvert the meaning of parameters used in a SQL request and sent through the URL string (See Example section). | 2014-06-23 02:00:00 |
Capec: CAPEC-72
Cwe: CWE-173 Cwe: CWE-177 Cwe: CWE-172 Cwe: CWE-73 Cwe: CWE-74 Cwe: CWE-20 Reference_from_capec: REF-1 Reference_from_capec: REF-495 Reference_from_capec: REF-496 Reference_from_capec: REF-497 Reference_from_capec: REF-498 Reference_from_capec: REF-499 Reference_from_capec: REF-500 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: An adversary can try special characters in the URL and bypass the URL validation. Medium: The adversary may write a script to defeat the input filtering mechanism. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Manipulating Web Input to File System Calls | Detailed | An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible. | 2014-06-23 02:00:00 |
Capec: CAPEC-76
Cwe: CWE-23 Cwe: CWE-22 Cwe: CWE-73 Cwe: CWE-77 Cwe: CWE-346 Cwe: CWE-348 Cwe: CWE-285 Cwe: CWE-272 Cwe: CWE-59 Cwe: CWE-74 Cwe: CWE-15 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: To identify file system entry point and execute against an over-privileged system interface | Draft | Very High | 3.9 | |||||||||||||||||||||||||||||
| Using Escaped Slashes in Alternate Encoding | Detailed | This attack targets the use of the backslash in alternate encoding. An adversary can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the adversary tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack. | 2014-06-23 02:00:00 |
Capec: CAPEC-78
Cwe: CWE-180 Cwe: CWE-181 Cwe: CWE-173 Cwe: CWE-172 Cwe: CWE-73 Cwe: CWE-22 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-697 Cwe: CWE-707 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: The adversary can naively try backslash character and discover that the target host uses it as escape character. Medium: The adversary may need deep understanding of the host target in order to exploit the vulnerability. The adversary may also use automated tools to probe for this vulnerability. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Using Slashes in Alternate Encoding | Detailed | This attack targets the encoding of the Slash characters. An adversary would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the adversary many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other. | 2014-06-23 02:00:00 |
Capec: CAPEC-79
Cwe: CWE-173 Cwe: CWE-180 Cwe: CWE-181 Cwe: CWE-20 Cwe: CWE-74 Cwe: CWE-73 Cwe: CWE-22 Cwe: CWE-185 Cwe: CWE-200 Cwe: CWE-697 Cwe: CWE-707 Reference_from_capec: REF-1 Reference_from_capec: REF-525 Reference_from_capec: REF-495 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: An adversary can try variation of the slashes characters. Medium: An adversary can use more sophisticated tool or script to scan a website and find a path filtering problem. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Using UTF-8 Encoding to Bypass Validation Logic | Detailed | This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable- length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the "shortest possible" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters. | 2014-06-23 02:00:00 |
Capec: CAPEC-80
Cwe: CWE-173 Cwe: CWE-172 Cwe: CWE-180 Cwe: CWE-181 Cwe: CWE-73 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-697 Cwe: CWE-692 Reference_from_capec: REF-1 Reference_from_capec: REF-112 Reference_from_capec: REF-530 Reference_from_capec: REF-531 Reference_from_capec: REF-532 Reference_from_capec: REF-533 Reference_from_capec: REF-114 Reference_from_capec: REF-535 Reference_from_capec: REF-525 Reference_from_capec: REF-537 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
|
High |
|
Low: An attacker can inject different representation of a filtered character in UTF-8 format. Medium: An attacker may craft subtle encoding of input data by using the knowledge that they have gathered about the target host. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Web Server Logs Tampering | Detailed | Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application. | 2014-06-23 02:00:00 |
Capec: CAPEC-81
Cwe: CWE-117 Cwe: CWE-93 Cwe: CWE-75 Cwe: CWE-221 Cwe: CWE-96 Cwe: CWE-20 Cwe: CWE-150 Cwe: CWE-276 Cwe: CWE-279 Cwe: CWE-116 Reference_from_capec: REF-1 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Medium |
|
|
Low: To input faked entries into Web logs | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| XPath Injection | Detailed | An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database. | 2014-06-23 02:00:00 |
Capec: CAPEC-83
Cwe: CWE-91 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-707 Wasc: 39 Owasp Attacks: Blind XPath Injection Owasp Attacks: XPATH Injection Reference_from_capec: REF-611 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Software |
|
Explore
Exploit
|
High |
|
|
Low: XPath Injection shares the same basic premises with SQL Injection. An attacker must have knowledge of XPath syntax and constructs in order to successfully leverage XPath Injection | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| XQuery Injection | Detailed | This attack utilizes XQuery to probe and attack server systems; in a similar manner that SQL Injection allows an attacker to exploit SQL calls to RDBMS, XQuery Injection uses improperly validated data that is passed to XQuery commands to traverse and execute commands that the XQuery routines have access to. XQuery injection can be used to enumerate elements on the victim's environment, inject commands to the local host, or execute queries to remote files and data sources. | 2014-06-23 02:00:00 |
Capec: CAPEC-84
Cwe: CWE-74 Cwe: CWE-707 Wasc: 46 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: Basic understanding of XQuery | Draft | Very High | 3.9 | |||||||||||||||||||||||||||||
| AJAX Footprinting | Detailed | This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS. | 2014-06-23 02:00:00 |
Capec: CAPEC-85
Cwe: CWE-79 Cwe: CWE-113 Cwe: CWE-348 Cwe: CWE-96 Cwe: CWE-20 Cwe: CWE-116 Cwe: CWE-184 Cwe: CWE-86 Cwe: CWE-692 Reference_from_capec: REF-539 |
2022-02-22 01:00:00 | 2.1 |
Confidentiality:
|
Software |
|
Explore
|
High |
|
|
Medium: To land and launch a script on victim's machine with appropriate footprinting logic for enumerating services and vulnerabilities in JavaScript | Draft | Low | 3.9 | ||||||||||||||||||||||||||||
| XSS Through HTTP Headers | Detailed | An adversary exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors. XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications. | 2014-06-23 02:00:00 |
Capec: CAPEC-86
Cwe: CWE-80 Reference_from_capec: REF-1 Reference_from_capec: REF-69 Reference_from_capec: REF-476 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software Software Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: To achieve a redirection and use of less trusted source, an adversary can simply edit HTTP Headers that are sent to client machine. High: Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process. | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| DEPRECATED: XSS in IMG Tags | Detailed | This attack pattern has been deprecated as it is contained in the existing attack pattern "CAPEC-18 : XSS Targeting Non-Script Elements". Please refer to this other CAPEC going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-91
|
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Forced Integer Overflow | Detailed | This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code. | 2014-06-23 02:00:00 |
Capec: CAPEC-92
Cwe: CWE-190 Cwe: CWE-128 Cwe: CWE-120 Cwe: CWE-122 Cwe: CWE-196 Cwe: CWE-680 Cwe: CWE-697 Wasc: 03 Reference_from_capec: REF-131 Reference_from_capec: REF-547 Reference_from_capec: REF-548 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: An attacker can simply overflow an integer by inserting an out of range value. High: Exploiting a buffer overflow by injecting malicious code into the stack of a software system or even the heap can require a higher skill level. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Log Injection-Tampering-Forging | Detailed | This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability. | 2014-06-23 02:00:00 |
Capec: CAPEC-93
Cwe: CWE-117 Cwe: CWE-75 Cwe: CWE-150 Reference_from_capec: REF-131 Reference_from_capec: REF-550 Reference_from_capec: REF-551 Reference_from_capec: REF-552 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Exploit
|
High |
|
Low: This attack can be as simple as adding extra characters to the logged data (e.g. username). Adding entries is typically easier than removing entries. Medium: A more sophisticated attack can try to defeat the input validation mechanism. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| WSDL Scanning | Detailed | This attack targets the WSDL interface made available by a web service. The attacker may scan the WSDL interface to reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities. This type of probing is carried out to perform more serious attacks (e.g. parameter tampering, malicious content injection, command injection, etc.). WSDL files provide detailed information about the services ports and bindings available to consumers. For instance, the attacker can submit special characters or malicious content to the Web service and can cause a denial of service condition or illegal access to database records. In addition, the attacker may try to guess other private methods by using the information provided in the WSDL files. | 2014-06-23 02:00:00 |
Capec: CAPEC-95
Cwe: CWE-538 Reference_from_capec: REF-554 Reference_from_capec: REF-555 |
2021-10-21 02:00:00 | 2.1 |
Confidentiality:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: This attack can be as simple as reading WSDL and starting sending invalid request. Medium: This attack can be used to perform more sophisticated attacks (SQL injection, etc.) | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Block Access to Libraries | Detailed | An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. It is possible that the application does not handle situations properly where access to these libraries has been blocked. Depending on the error handling within the application, blocked access to libraries may leave the system in an insecure state that could be leveraged by an attacker. | 2014-06-23 02:00:00 |
Capec: CAPEC-96
Cwe: CWE-589 |
2021-06-24 02:00:00 | 2.1 |
Availability:
|
Software |
|
Explore
Experiment
|
Medium |
|
Low: Knowledge of how to block access to libraries, as well as knowledge of how to leverage the resulting state of the application based on the failed call. | Draft | Medium | 3.9 | |||||||||||||||||||||||||||||
| Server Side Include (SSI) Injection | Detailed | An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands. | 2014-06-23 02:00:00 |
Capec: CAPEC-101
Cwe: CWE-97 Cwe: CWE-74 Cwe: CWE-20 Wasc: 36 Owasp Attacks: Server-Side Includes (SSI) Injection Reference_from_capec: REF-610 |
2021-10-21 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Medium: The attacker needs to be aware of SSI technology, determine the nature of injection and be able to craft input that results in the SSI directives being executed. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Session Sidejacking | Detailed | Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token. | 2014-06-23 02:00:00 |
Capec: CAPEC-102
Cwe: CWE-294 Cwe: CWE-522 Cwe: CWE-523 Cwe: CWE-319 Cwe: CWE-614 |
2020-07-30 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: Easy to use tools exist to automate this attack. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| HTTP Request Splitting | Detailed | An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server). See CanPrecede relationships for possible consequences. | This entails the adversary injecting malicious user input into various standard and/or user defined HTTP headers within a HTTP Request through user input of Carriage Return (CR), Line Feed (LF), Horizontal Tab (HT), Space (SP) characters as well as other valid/RFC compliant special characters and unique character encoding. This malicious user input allows for web script to be injected in HTTP headers as well as into browser cookies or Ajax web/browser object parameters like XMLHttpRequest during implementation of asynchronous requests. This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions as well as lack of syntax checking and filtering of user input in the HTTP agents receiving HTTP messages in the path. This differs from CAPEC-34 HTTP Response Splitting, which is usually an attempt to compromise a client agent (e.g., web browser) by sending malicious content in HTTP responses from back-end HTTP infrastructure. HTTP Request Splitting is an attempt to compromise aback-end HTTP agentvia HTTP Request messages. HTTP Smuggling (CAPEC-33 and CAPEC-273) is different from HTTP Splitting due to the fact it relies upon discrepancies in the interpretation of various HTTP Headers and message sizes and not solely user input of special characters and character encoding. HTTP Smuggling was established to circumvent mitigations against HTTP Request Splitting techniques. | 2014-06-23 02:00:00 |
Capec: CAPEC-105
Cwe: CWE-74 Cwe: CWE-113 Cwe: CWE-138 Cwe: CWE-436 Wasc: 24 Reference_from_capec: REF-117 Reference_from_capec: REF-617 Reference_from_capec: REF-679 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Communications Software |
|
Explore
Experiment
Exploit
|
Medium |
|
|
Medium: Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers. | Stable | High | 3.9 | |||||||||||||||||||||||||||
| DEPRECATED: XSS through Log Files | Detailed | This attack pattern has been deprecated as it referes to an existing chain relationship between "CAPEC-93 : Log Injection-Tampering-Forging" and "CAPEC-63 : Cross-Site Scripting". Please refer to these CAPECs going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-106
|
2017-05-01 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Cross Site Tracing | Detailed | Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to a destination system's web server. | The adversary uses an XSS attack to have victim's browser sent an HTTP TRACE request to a destination web server, which will proceed to return a response to the victim's web browser that contains the original HTTP request in its body. Since the HTTP header of the original HTTP TRACE request had the victim's session cookie in it, that session cookie can now be picked off the HTTP TRACE response and sent to the adversary's malicious site. XST becomes relevant when direct access to the session cookie via the "document.cookie" object is disabled with the use of httpOnly attribute which ensures that the cookie can be transmitted in HTTP requests but cannot be accessed in other ways. Using SSL does not protect against XST. If the system with which the victim is interacting is susceptible to XSS, an adversary can exploit that weakness directly to get their malicious script to issue an HTTP TRACE request to the destination system's web server. | 2014-06-23 02:00:00 |
Capec: CAPEC-107
Cwe: CWE-693 Cwe: CWE-648 Owasp Attacks: Cross Site Tracing Reference_from_capec: REF-3 |
2022-02-22 01:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Medium |
|
|
Medium: Understanding of the HTTP protocol and an ability to craft a malicious script | Draft | Very High | 3.9 | |||||||||||||||||||||||||||
| Command Line Execution through SQL Injection | Detailed | An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host. | 2014-06-23 02:00:00 |
Capec: CAPEC-108
Cwe: CWE-89 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-78 Cwe: CWE-114 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Exploit
|
Low |
|
|
High: The attacker most likely has to be familiar with the internal functionality of the system to launch this attack. Without that knowledge, there are not many feedback mechanisms to give an attacker the indication of how to perform command injection or whether the attack is succeeding. | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| Object Relational Mapping Injection | Detailed | An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject their own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible. | 2014-06-23 02:00:00 |
Capec: CAPEC-109
Cwe: CWE-20 Cwe: CWE-89 Cwe: CWE-564 Reference_from_capec: REF-4 |
2021-06-24 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Exploit
|
Low |
|
|
Medium: Knowledge of general SQL injection techniques and subtleties of the ORM framework is needed | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| SQL Injection through SOAP Parameter Tampering | Detailed | An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message. | 2014-06-23 02:00:00 |
Capec: CAPEC-110
Cwe: CWE-89 Cwe: CWE-20 |
2021-06-24 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
High: If the attacker has to perform Blind SQL Injection Medium: If the attacker is able to gain good understanding of the system's database schema | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| Double Encoding | Detailed | The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target. | 2014-06-23 02:00:00 |
Capec: CAPEC-120
Cwe: CWE-173 Cwe: CWE-172 Cwe: CWE-177 Cwe: CWE-181 Cwe: CWE-183 Cwe: CWE-184 Cwe: CWE-74 Cwe: CWE-20 Cwe: CWE-697 Cwe: CWE-692 |
2022-09-29 02:00:00 | 2.1 |
Software |
|
Explore
Experiment
|
Low |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Directory Indexing | Detailed | An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks. | 2014-06-23 02:00:00 |
Capec: CAPEC-127
Cwe: CWE-424 Cwe: CWE-425 Cwe: CWE-288 Cwe: CWE-285 Cwe: CWE-732 Cwe: CWE-276 Cwe: CWE-693 Attack: T1083 Reference_from_capec: REF-11 |
2021-06-24 02:00:00 | 2.1 |
Confidentiality:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: To issue the request to URL without given a specific file name High: To bypass the access control of the directory of listings | Draft | Medium | 3.9 | ||||||||||||||||||||||||||||
| Symlink Attack | Detailed | An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name. | The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications. In some variants of this attack the adversary may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the adversary may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the adversary to control the actions of the target or to cause the target to expose information to the adversary. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the adversary would normally have. | 2014-06-23 02:00:00 |
Capec: CAPEC-132
Cwe: CWE-59 Attack: T1547.009 Reference_from_capec: REF-13 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Low |
|
|
Low: To create symlinks High: To identify the files and create the symlinks during the file operation time window | Draft | High | 3.9 | |||||||||||||||||||||||||||
| Relative Path Traversal | Detailed | An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \\) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure. | 2014-06-23 02:00:00 |
Capec: CAPEC-139
Cwe: CWE-23 Reference_from_capec: REF-9 Reference_from_capec: REF-10 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Low: To inject the malicious payload in a web page High: To bypass non trivial filters in the application | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| DNS Cache Poisoning | Detailed | A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack. | 2014-06-23 02:00:00 |
Capec: CAPEC-142
Cwe: CWE-348 Cwe: CWE-345 Cwe: CWE-349 Cwe: CWE-346 Cwe: CWE-350 Attack: T1584.002 Reference_from_capec: REF-22 Reference_from_capec: REF-23 Reference_from_capec: REF-27 |
2022-09-29 02:00:00 | 2.1 |
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Medium: To overwrite/modify targeted DNS cache | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Detect Unpublicized Web Pages | Detailed | An adversary searches a targeted web site for web pages that have not been publicized. In doing this, the adversary may be able to gain access to information that the targeted site did not intend to make public. | 2014-06-23 02:00:00 |
Capec: CAPEC-143
Cwe: CWE-425 |
2023-01-24 01:00:00 | 2.1 |
Software |
Explore
Experiment
Exploit
|
None |
|
|
Draft | Low | 3.9 | |||||||||||||||||||||||||||||||
| Detect Unpublicized Web Services | Detailed | An adversary searches a targeted web site for web services that have not been publicized. This attack can be especially dangerous since unpublished but available services may not have adequate security controls placed upon them given that an administrator may believe they are unreachable. | 2014-06-23 02:00:00 |
Capec: CAPEC-144
Cwe: CWE-425 |
2023-01-24 01:00:00 | 2.1 |
Software |
Explore
Experiment
Exploit
|
None |
|
|
Draft | Low | 3.9 | |||||||||||||||||||||||||||||||
| Checksum Spoofing | Detailed | An adversary spoofs a checksum message for the purpose of making a payload appear to have a valid corresponding checksum. Checksums are used to verify message integrity. They consist of some value based on the value of the message they are protecting. Hash codes are a common checksum mechanism. Both the sender and recipient are able to compute the checksum based on the contents of the message. If the message contents change between the sender and recipient, the sender and recipient will compute different checksum values. Since the sender's checksum value is transmitted with the message, the recipient would know that a modification occurred. In checksum spoofing an adversary modifies the message body and then modifies the corresponding checksum so that the recipient's checksum calculation will match the checksum (created by the adversary) in the message. This would prevent the recipient from realizing that a change occurred. | 2014-06-23 02:00:00 |
Capec: CAPEC-145
Cwe: CWE-354 |
2019-04-04 02:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| XML Schema Poisoning | Detailed | An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema. | 2014-06-23 02:00:00 |
Capec: CAPEC-146
Cwe: CWE-15 Cwe: CWE-472 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Low |
|
|
Stable | High | 3.9 | |||||||||||||||||||||||||||||
| XML Ping of the Death | Detailed | An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target. | 2014-06-23 02:00:00 |
Capec: CAPEC-147
Cwe: CWE-400 Cwe: CWE-770 |
2018-07-31 02:00:00 | 2.1 |
Availability:
|
Software |
|
Explore
Exploit
|
Low |
|
|
Low: To send small XML messages High: To use distributed network to launch the attack | Draft | Medium | 3.9 | ||||||||||||||||||||||||||||
| Explore for Predictable Temporary File Names | Detailed | An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against the target. This involves analyzing naming conventions and storage locations of the temporary files created by a target application. If an attacker can predict the names of temporary files they can use this information to mount other attacks, such as information gathering and symlink attacks. | 2014-06-23 02:00:00 |
Capec: CAPEC-149
Cwe: CWE-377 |
2023-01-24 01:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Screen Temporary Files for Sensitive Information | Detailed | An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an adversary might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the adversary could recover this from the web cache. | 2014-06-23 02:00:00 |
Capec: CAPEC-155
Cwe: CWE-377 |
2021-10-21 02:00:00 | 2.1 |
Software |
Explore
Experiment
Exploit
|
Medium |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Sniffing Network Traffic | Detailed | In this attack pattern, the adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive information at the protocol level. Network sniffing applications can reveal TCP/IP, DNS, Ethernet, and other low-level network communication information. The adversary takes a passive role in this attack pattern and simply observes and analyzes the traffic. The adversary may precipitate or indirectly influence the content of the observed transaction, but is never the intended recipient of the target information. | 2014-06-23 02:00:00 |
Capec: CAPEC-158
Cwe: CWE-311 Attack: T1040 Attack: T1111 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Communications Software |
None | None |
|
|
Low: Adversaries can obtain and set up open-source network sniffing tools easily. | Draft | Medium | 3.9 | |||||||||||||||||||||||||||||
| Manipulating Hidden Fields | Detailed | An adversary exploits a weakness in the server's trust of client-side processing by modifying data on the client-side, such as price information, and then submitting this data to the server, which processes the modified data. For example, eShoplifting is a data manipulation attack against an on- line merchant during a purchasing transaction. The manipulation of price, discount or quantity fields in the transaction message allows the adversary to acquire items at a lower cost than the merchant intended. The adversary performs a normal purchasing transaction but edits hidden fields within the HTML form response that store price or other information to give themselves a better deal. The merchant then uses the modified pricing information in calculating the cost of the selected items. | 2014-06-23 02:00:00 |
Capec: CAPEC-162
Cwe: CWE-602 |
2022-02-22 01:00:00 | 2.1 |
Software |
Explore
Experiment
Exploit
|
None |
|
|
Draft | High | 3.9 | |||||||||||||||||||||||||||||||
| Spear Phishing | Detailed | An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack. | 2014-06-23 02:00:00 |
Capec: CAPEC-163
Cwe: CWE-451 Attack: T1534 Attack: T1566.001 Attack: T1566.002 Attack: T1566.003 Attack: T1598.001 Attack: T1598.002 Attack: T1598.003 |
2023-01-24 01:00:00 | 2.1 |
Integrity:
|
Social Engineering |
|
Explore
Experiment
Exploit
|
High |
|
|
Medium: Spear phishing attacks require specific knowledge of the victims being targeted, such as which bank is being used by the victims, or websites they commonly log into (Google, Facebook, etc). | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Mobile Phishing | Detailed | An adversary targets mobile phone users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Mobile Phishing is a variation of the Phishing social engineering technique where the attack is initiated via a text or SMS message, rather than email. The user is enticed to provide information or visit a compromised web site via this message. Apart from the manner in which the attack is initiated, the attack proceeds as a standard Phishing attack. | 2014-06-23 02:00:00 |
Capec: CAPEC-164
Cwe: CWE-451 Reference_from_capec: REF-590 Reference_from_capec: REF-591 Reference_from_capec: REF-592 Reference_from_capec: REF-593 Reference_from_capec: REF-696 |
2023-01-24 01:00:00 | 2.1 |
|
Integrity:
|
Social Engineering |
|
Explore
Exploit
|
High |
|
|
Medium: Basic knowledge about websites: obtaining them, designing and implementing them, etc. | Stable | High | 3.9 | |||||||||||||||||||||||||||
| Windows ::DATA Alternate Data Stream | Detailed | An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple "files" to be stored in one directory entry referenced as filename:streamname. One or more alternate data streams may be stored in any file or directory. Normal Microsoft utilities do not show the presence of an ADS stream attached to a file. The additional space for the ADS is not recorded in the displayed file size. The additional space for ADS is accounted for in the used space on the volume. An ADS can be any type of file. ADS are copied by standard Microsoft utilities between NTFS volumes. ADS can be used by an attacker or intruder to hide tools, scripts, and data from detection by normal system utilities. Many anti-virus programs do not check for or scan ADS. Windows Vista does have a switch (-R) on the command line DIR command that will display alternate streams. | 2014-06-23 02:00:00 |
Capec: CAPEC-168
Cwe: CWE-212 Cwe: CWE-69 Owasp Attacks: Windows alternate data stream |
2020-12-17 01:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Web Application Fingerprinting | Detailed | An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target. An attacker could learn information such as software versions, error pages, and response headers, variations in implementations of the HTTP protocol, directory structures, and other similar information about the targeted service. This information can then be used by an attacker to formulate a targeted attack plan. While web application fingerprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks. | 2014-06-23 02:00:00 |
Capec: CAPEC-170
Cwe: CWE-497 Reference_from_capec: REF-36 Reference_from_capec: REF-37 Reference_from_capec: REF-38 Reference_from_capec: REF-39 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Software |
|
Explore
Experiment
|
High |
|
|
Low: Attacker knows how to send HTTP request, SQL query to a web application. | Draft | Low | 3.9 | ||||||||||||||||||||||||||||
| Flash Parameter Injection | Detailed | An adversary takes advantage of improper data validation to inject malicious global parameters into a Flash file embedded within an HTML document. Flash files can leverage user-submitted data to configure the Flash document and access the embedding HTML document. | These 'FlashVars' are most often passed to the Flash file via URL arguments or from the Object or Embed tag within the embedding HTML document. If these FlashVars are not properly sanitized, an adversary may be able to embed malicious content (such as scripts) into the HTML document. The injected parameters can also provide the adversary control over other objects within the Flash file as well as full control over the parent document's DOM model. As such, this is a form of HTTP parameter injection, but the abilities granted to the Flash document (such as access to a page's document model, including associated cookies) make this attack more flexible. Flash Parameter Injection attacks can also preface further attacks such as various forms of Cross-Site Scripting (XSS) attacks in addition to Session Hijacking attacks. | 2014-06-23 02:00:00 |
Capec: CAPEC-174
Cwe: CWE-88 Reference_from_capec: REF-40 Reference_from_capec: REF-560 |
2022-09-29 02:00:00 | 2.1 |
Authorization:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
Medium: The adversary need inject values into the global parameters to the Flash file and understand the parent HTML document DOM structure. The adversary needs to be smart enough to convince the victim to click on their crafted link. | Draft | Medium | 3.9 | ||||||||||||||||||||||||||||
| Create files with the same name as files protected with a higher classification | Detailed | An attacker exploits file location algorithms in an operating system or application by creating a file with the same name as a protected or privileged file. The attacker could manipulate the system if the attacker-created file is trusted by the operating system or an application component that attempts to load the original file. Applications often load or include external files, such as libraries or configuration files. These files should be protected against malicious manipulation. However, if the application only uses the name of the file when locating it, an attacker may be able to create a file with the same name and place it in a directory that the application will search before the directory with the legitimate file is searched. Because the attackers' file is discovered first, it would be used by the target application. This attack can be extremely destructive if the referenced file is executable and/or is granted special privileges based solely on having a particular name. | 2014-06-23 02:00:00 |
Capec: CAPEC-177
Cwe: CWE-706 Attack: T1036 |
2018-07-31 02:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Very High | 3.9 | |||||||||||||||||||||||||||||||
| Cross-Site Flashing | Detailed | An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application. | 2014-06-23 02:00:00 |
Capec: CAPEC-178
Cwe: CWE-601 Reference_from_capec: REF-41 Reference_from_capec: REF-42 Reference_from_capec: REF-561 |
2023-01-24 01:00:00 | 2.1 |
Integrity:
|
Social Engineering Software |
|
Explore
Experiment
Exploit
|
Medium |
|
Medium: knowledge of Flash internals, parameters and remote referencing. | Draft | Medium | 3.9 | |||||||||||||||||||||||||||||
| Flash File Overlay | Detailed | An attacker creates a transparent overlay using flash in order to intercept user actions for the purpose of performing a clickjacking attack. In this technique, the Flash file provides a transparent overlay over HTML content. Because the Flash application is on top of the content, user actions, such as clicks, are caught by the Flash application rather than the underlying HTML. The action is then interpreted by the overlay to perform the actions the attacker wishes. | 2014-06-23 02:00:00 |
Capec: CAPEC-181
Cwe: CWE-1021 |
2019-09-30 02:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Malicious Automated Software Update via Redirection | Detailed | An attacker exploits two layers of weaknesses in server or client software for automated update mechanisms to undermine the integrity of the target code- base. The first weakness involves a failure to properly authenticate a server as a source of update or patch content. This type of weakness typically results from authentication mechanisms which can be defeated, allowing a hostile server to satisfy the criteria that establish a trust relationship. The second weakness is a systemic failure to validate the identity and integrity of code downloaded from a remote location, hence the inability to distinguish malicious code from a legitimate update. | One predominate type of redirection attack requires DNS spoofing or hijacking of a domain name corresponding to an update server. The target software initiates an update request and the DNS request resolves the domain name of the update server to the IP address of the attacker, at which point the software accepts updates either transmitted by or pulled from the attackers' server. Attacks against DNS mechanisms comprise an initial phase of a chain of attacks that facilitate automated update hijacking attack, and such attacks have a precedent in targeted activities that have been as complex as DNS/BIND attacks of corporate infrastructures, to untargeted attacks aimed at compromising home broadband routers, as well as attacks involving the compromise of wireless access points, as well as 'evil twin' attacks coupled with DNS redirection. Due to the plethora of options open to the attacker in forcing name resolution to arbitrary servers the Automated Update Hijacking attack strategies are the tip of the spear for many multi-stage attack chains. The second weakness that is exploited by the attacker is the lack of integrity checking by the software in validating the update. Software which relies only upon domain name resolution to establish the identity of update code is particularly vulnerable, because this signals an absence of other security countermeasures that could be applied to invalidate the attackers' payload on basis of code identity, hashing, signing, encryption, and other integrity checking mechanisms. Redirection-based attack patterns work equally well against client-side software as well as local servers or daemons that provide software update functionality. | 2014-06-23 02:00:00 |
Capec: CAPEC-187
Cwe: CWE-494 Attack: T1072 |
2022-02-22 01:00:00 | 2.1 |
Availability:
|
Supply Chain Software |
None | High | Draft | High | 3.9 | |||||||||||||||||||||||||||||||
| Reverse Engineer an Executable to Expose Assumed Hidden Functionality | Detailed | An attacker analyzes a binary file or executable for the purpose of discovering the structure, function, and possibly source-code of the file by using a variety of analysis techniques to effectively determine how the software functions and operates. This type of analysis is also referred to as Reverse Code Engineering, as techniques exist for extracting source code from an executable. Several techniques are often employed for this purpose, both black box and white box. The use of computer bus analyzers and packet sniffers allows the binary to be studied at a level of interactions with its computing environment, such as a host OS, inter-process communication, and/or network communication. This type of analysis falls into the 'black box' category because it involves behavioral analysis of the software without reference to source code, object code, or protocol specifications. | 2014-06-23 02:00:00 |
Capec: CAPEC-190
Cwe: CWE-912 Reference_from_capec: REF-51 Reference_from_capec: REF-52 Reference_from_capec: REF-53 |
2020-07-30 02:00:00 | 2.1 |
Software Physical Security |
None | None |
|
Draft | Low | 3.9 | ||||||||||||||||||||||||||||||||
| Read Sensitive Constants Within an Executable | Detailed | An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis. | One specific example of a sensitive string is a hard-coded password. Typical examples of software with hard-coded passwords include server-side executables which may check for a hard-coded password or key during a user's authentication with the server. Hard-coded passwords can also be present in client-side executables which utilize the password or key when connecting to either a remote component, such as a database server, licensing server, or otherwise, or a processes on the same host that expects a key or password. When analyzing an executable the adversary may search for the presence of such strings by analyzing the byte-code of the file itself. Example utilities for revealing strings within a file include 'strings,' 'grep,' or other variants of these programs depending upon the type of operating system used. These programs can be used to dump any ASCII or UNICODE strings contained within a program. Strings can also be searched for using a hex editors by loading the binary or object code file and utilizing native search functions such as regular expressions. Additionally, sensitive numeric values can occur within an executable. This can be used to discover the location of cryptographic constants. | 2014-06-23 02:00:00 |
Capec: CAPEC-191
Cwe: CWE-798 Attack: T1552.001 Reference_from_capec: REF-51 Reference_from_capec: REF-52 Reference_from_capec: REF-53 |
2022-02-22 01:00:00 | 2.1 |
Software Physical Security |
None | None |
|
|
Draft | Low | 3.9 | ||||||||||||||||||||||||||||||
| PHP Remote File Inclusion | Detailed | In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions. | 2014-06-23 02:00:00 |
Capec: CAPEC-193
Cwe: CWE-98 Cwe: CWE-80 Reference_from_capec: REF-59 Reference_from_capec: REF-60 Reference_from_capec: REF-30 Reference_from_capec: REF-621 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: To inject the malicious payload in a web page Medium: To bypass filters in the application | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Exponential Data Expansion | Detailed | An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory. | 2014-06-23 02:00:00 |
Capec: CAPEC-197
Cwe: CWE-770 Cwe: CWE-776 Wasc: 44 Reference_from_capec: REF-64 Reference_from_capec: REF-65 Reference_from_capec: REF-66 Reference_from_capec: REF-67 Reference_from_capec: REF-67 |
2022-09-29 02:00:00 | 2.1 |
|
Availability:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: Ability to craft nested data expansion messages. | Draft | Medium | 3.9 | |||||||||||||||||||||||||||
| XSS Targeting Error Pages | Detailed | An adversary distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page. | When the third party web server receives the crafted request and notes the error it then creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into to valid language elements that are executed by the viewing browser. When a victim executes the query provided by the adversary the infected error message is returned including the exploit code which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third party web server, who the victim may trust and hence be more vulnerable to deception. | 2014-06-23 02:00:00 |
Capec: CAPEC-198
Cwe: CWE-81 |
2022-09-29 02:00:00 | 2.1 |
Software Software Software |
Explore
Experiment
Exploit
|
None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| XSS Using Alternate Syntax | Detailed | An adversary uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality. | 2014-06-23 02:00:00 |
Capec: CAPEC-199
Cwe: CWE-87 Reference_from_capec: REF-69 Reference_from_capec: REF-70 Reference_from_capec: REF-71 Reference_from_capec: REF-72 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software Software Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Low: To inject the malicious payload in a web page High: To bypass non trivial filters in the application | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Removal of filters: Input filters, output filters, data masking | Detailed | An attacker removes or disables filtering mechanisms on the target application. Input filters prevent invalid data from being sent to an application (for example, overly large inputs that might cause a buffer overflow or other malformed inputs that may not be correctly handled by an application). Input filters might also be designed to constrained executable content. | For example, if an application accepts scripting languages as input, an input filter could constrain the commands received and block those that the application's administrator deems to be overly powerful. An output filter screens responses from an application or person in order to prevent disclosure of sensitive information. For example, an application's output filter might block output that is sourced to sensitive folders or which contains certain keywords. A data mask is similar to an output filter, but usually applies to structured data, such as found in databases. Data masks elide or replace portions of the information returned from a query in order to protect against the disclosure of sensitive information. If an input filter is removed the attacker will be able to send content to the target and have the target utilize it without it being sanitized. If the content sent by the attacker is executable, the attacker may be able to execute arbitrary commands on the target. If an output filter or data masking mechanism is disabled, the target may send out sensitive information that would otherwise be elided by the filters. If the data mask is disabled, sensitive information stored in a database would be returned unaltered. This could result in the disclosure of sensitive information, such as social security numbers of payment records. This attack is usually executed as part of a larger attack series. The attacker would disable filters and would then mount additional attacks to either insert commands or data or query the target application in ways that would otherwise be prevented by the filters. | 2014-06-23 02:00:00 |
Capec: CAPEC-200
|
2022-02-22 01:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Serialized Data External Linking | Detailed | An adversary creates a serialized data file (e.g. XML, YAML, etc...) that contains an external data reference. Because serialized data parsers may not validate documents with external references, there may be no checks on the nature of the reference in the external data. This can allow an adversary to open arbitrary files or connections, which may further lead to the adversary gaining access to information on the system that they would normally be unable to obtain. | 2014-06-23 02:00:00 |
Capec: CAPEC-201
Cwe: CWE-829 Reference_from_capec: REF-73 Reference_from_capec: REF-74 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Software Communications Software |
|
Explore
Exploit
|
High |
|
|
Low: To send serialized data messages with maliciously crafted schema. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Lifting Sensitive Data Embedded in Cache | Detailed | An adversary examines a target application's cache, or a browser cache, for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information. | 2014-06-23 02:00:00 |
Capec: CAPEC-204
Cwe: CWE-524 Cwe: CWE-311 Cwe: CWE-1239 Cwe: CWE-1258 Attack: T1005 |
2022-09-29 02:00:00 | 2.1 |
Software Physical Security Hardware |
Explore
Experiment
Exploit
|
None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| DEPRECATED: Lifting credential(s)/key material embedded in client distributions (thick or thin) | Detailed | This attack pattern has been deprecated as it is a duplicate of CAPEC-37 : Retrieve Embedded Sensitive Data. Please refer to this other pattern going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-205
|
2017-05-01 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Signing Malicious Code | Detailed | The adversary extracts credentials used for code signing from a production environment and then uses these credentials to sign malicious content with the developer's key. Many developers use signing keys to sign code or hashes of code. When users or applications verify the signatures are accurate they are led to believe that the code came from the owner of the signing key and that the code has not been modified since the signature was applied. If the adversary has extracted the signing credentials then they can use those credentials to sign their own code bundles. Users or tools that verify the signatures attached to the code will likely assume the code came from the legitimate developer and install or run the code, effectively allowing the adversary to execute arbitrary code on the victim's computer. This differs from CAPEC-673, because the adversary is performing the code signing. | 2014-06-23 02:00:00 |
Capec: CAPEC-206
Cwe: CWE-732 Attack: T1553.002 Reference_from_capec: REF-699 Reference_from_capec: REF-700 Reference_from_capec: REF-714 |
2022-02-22 01:00:00 | 2.1 |
Supply Chain Software |
|
Explore
Experiment
Exploit
|
None |
|
|
Draft | Very High | 3.9 | ||||||||||||||||||||||||||||||
| Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements | Detailed | An attacker removes or modifies the logic on a client associated with monetary calculations resulting in incorrect information being sent to the server. A server may rely on a client to correctly compute monetary information. For example, a server might supply a price for an item and then rely on the client to correctly compute the total cost of a purchase given the number of items the user is buying. If the attacker can remove or modify the logic that controls these calculations, they can return incorrect values to the server. The attacker can use this to make purchases for a fraction of the legitimate cost or otherwise avoid correct billing for activities. | 2014-06-23 02:00:00 |
Capec: CAPEC-208
Cwe: CWE-602 |
2017-08-04 02:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| XSS Using MIME Type Mismatch | Detailed | An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser. | 2014-06-23 02:00:00 |
Capec: CAPEC-209
Cwe: CWE-79 Cwe: CWE-20 Cwe: CWE-646 Reference_from_capec: REF-78 |
2022-02-22 01:00:00 | 2.1 |
Software |
|
Explore
Experiment
Exploit
|
None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| DEPRECATED: Leveraging web tools (e.g. Mozilla's GreaseMonkey, Firebug) to change application behavior | Detailed | This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. | 2014-06-23 02:00:00 |
Capec: CAPEC-211
|
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: Fuzzing for garnering J2EE/.NET-based stack traces, for application mapping | Detailed | This attack pattern has been deprecated as it was merged into "CAPEC-215 : Fuzzing for application mapping". Please refer to this other CAPEC going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-214
|
2020-12-17 01:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Fuzzing for application mapping | Detailed | An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. | By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information. In applications that return a stack trace along with the error, this can enumerate the chain of methods that led up to the point where the error was encountered. This can not only reveal the names of the methods (some of which may have known weaknesses) but possibly also the location of class files and libraries as well as parameter values. In some cases, the stack trace might even disclose sensitive configuration or user information. | 2014-06-23 02:00:00 |
Capec: CAPEC-215
Cwe: CWE-209 Cwe: CWE-532 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Software Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Medium: Although fuzzing parameters is not difficult, and often possible with automated fuzzing tools, interpreting the error conditions and modifying the parameters so as to move further in the process of mapping the application requires detailed knowledge of target platform, the languages and packages used as well as software design. | Draft | Low | 3.9 | |||||||||||||||||||||||||||
| Spoofing of UDDI/ebXML Messages | Detailed | An attacker spoofs a UDDI, ebXML, or similar message in order to impersonate a service provider in an e-business transaction. UDDI, ebXML, and similar standards are used to identify businesses in e-business transactions. Among other things, they identify a particular participant, WSDL information for SOAP transactions, and supported communication protocols, including security protocols. By spoofing one of these messages an attacker could impersonate a legitimate business in a transaction or could manipulate the protocols used between a client and business. This could result in disclosure of sensitive information, loss of message integrity, or even financial fraud. | 2014-06-23 02:00:00 |
Capec: CAPEC-218
Cwe: CWE-345 |
2019-04-04 02:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Data Serialization External Entities Blowup | Detailed | This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI. | 2014-06-23 02:00:00 |
Capec: CAPEC-221
Cwe: CWE-611 Wasc: 43 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software Software |
|
Explore
Experiment
Exploit
|
None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||
| iFrame Overlay | Detailed | In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system. | While being logged in to some target system, the victim visits the adversarys' malicious site which displays a UI that the victim wishes to interact with. In reality, the iFrame overlay page has a transparent layer above the visible UI with action controls that the adversary wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the adversary may have just tricked the victim into executing some potentially privileged (and most undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks they are clicking on versus what they are actually clicking on. | 2014-06-23 02:00:00 |
Capec: CAPEC-222
Cwe: CWE-1021 Reference_from_capec: REF-84 Reference_from_capec: REF-85 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Exploit
|
Medium |
|
|
High: Crafting the proper malicious site and luring the victim to this site is not a trivial task. | Draft | High | 3.9 | |||||||||||||||||||||||||||
| Session Credential Falsification through Manipulation | Detailed | An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server. | For example, a credential in the form of a web cookie might have a field that indicates the access rights of a user. By manually tweaking this cookie, a user might be able to increase their access rights to the server. Alternately an attacker may be able to manipulate an existing credential to appear as a different user. This attack differs from falsification through prediction in that the user bases their modified credentials off existing credentials instead of using patterns detected in prior credentials to create a new credential that is accepted because it fits the pattern. As a result, an attacker may be able to impersonate other users or elevate their permissions to a targeted service. | 2014-06-23 02:00:00 |
Capec: CAPEC-226
Cwe: CWE-565 Cwe: CWE-472 |
2022-02-22 01:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| DTD Injection | Detailed | An attacker injects malicious content into an application's DTD in an attempt to produce a negative technical impact. DTDs are used to describe how XML documents are processed. Certain malformed DTDs (for example, those with excessive entity expansion as described in CAPEC 197) can cause the XML parsers that process the DTDs to consume excessive resources resulting in resource depletion. | 2014-06-23 02:00:00 |
Capec: CAPEC-228
Cwe: CWE-829 Reference_from_capec: REF-86 |
2020-12-17 01:00:00 | 2.1 |
Software |
Explore
Exploit
|
None |
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||||
| Serialized Data Parameter Blowup | Detailed | This attack exploits certain serialized data parsers (e.g., XML, YAML, etc.) which manage data in an inefficient manner. The attacker crafts an serialized data file with multiple configuration parameters in the same dataset. In a vulnerable parser, this results in a denial of service condition where CPU resources are exhausted because of the parsing algorithm. The weakness being exploited is tied to parser implementation and not language specific. | 2014-06-23 02:00:00 |
Capec: CAPEC-229
Cwe: CWE-770 Wasc: 41 |
2022-09-29 02:00:00 | 2.1 |
Software |
|
Explore
Exploit
|
High |
|
Draft | High | 3.9 | |||||||||||||||||||||||||||||||
| DEPRECATED: Implementing a callback to system routine (old AWT Queue) | Detailed | This attack pattern has been deprecated. Please refer to CAPEC:30 - Hijacking a Privileged Thread of Execution. | 2014-06-23 02:00:00 |
Capec: CAPEC-235
|
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: Catching exception throw/signal from privileged block | Detailed | This attack pattern has been deprecated as it did not have enough distinction from CAPEC-30 : Hijacking a Privileged Thread of Execution. Please refer to CAPEC-30 moving forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-236
|
2021-10-21 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Escaping a Sandbox by Calling Code in Another Language | Detailed | The attacker may submit malicious code of another language to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox. For instance, Java code cannot perform unsafe operations, such as modifying arbitrary memory locations, due to restrictions placed on it by the Byte code Verifier and the JVM. If allowed, Java code can call directly into native C code, which may perform unsafe operations, such as call system calls and modify arbitrary memory locations on their behalf. To provide isolation, Java does not grant untrusted code with unmediated access to native C code. Instead, the sandboxed code is typically allowed to call some subset of the pre-existing native code that is part of standard libraries. | 2014-06-23 02:00:00 |
Capec: CAPEC-237
Cwe: CWE-693 Reference_from_capec: REF-91 Reference_from_capec: REF-92 |
2020-12-17 01:00:00 | 2.1 |
Authorization:
|
Software |
|
Explore
Experiment
Exploit
|
Low |
|
High: The attacker must have a good knowledge of the platform specific mechanisms of signing and verifying code. Most code signing and verification schemes are based on use of cryptography, the attacker needs to have an understand of these cryptographic operations in good detail. | Draft | Very High | 3.9 | |||||||||||||||||||||||||||||
| DEPRECATED: Using URL/codebase / G.A.C. (code source) to convince sandbox of privilege | Detailed | This attack pattern has been deprecated as it did not appear to be a valid attack pattern. | 2014-06-23 02:00:00 |
Capec: CAPEC-238
|
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: Subversion of Authorization Checks: Cache Filtering, Programmatic Security, etc. | Detailed | This attack pattern has been deprecated as it did not contain any content and did not serve any useful purpose. Please refer to "CAPEC-207: removing Important Client Functionality" going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-239
|
2019-04-04 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| XSS Targeting HTML Attributes | Detailed | An adversary inserts commands to perform cross-site scripting (XSS) actions in HTML attributes. Many filters do not adequately sanitize attributes against the presence of potentially dangerous commands even if they adequately sanitize tags. For example, dangerous expressions could be inserted into a style attribute in an anchor tag, resulting in the execution of malicious code when the resulting page is rendered. If a victim is tricked into viewing the rendered page the attack proceeds like a normal XSS attack, possibly resulting in the loss of sensitive cookies or other malicious activities. | 2014-06-23 02:00:00 |
Capec: CAPEC-243
Cwe: CWE-83 Reference_from_capec: REF-94 |
2022-02-22 01:00:00 | 2.1 |
Software Software Software |
Explore
Experiment
Exploit
|
None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| XSS Targeting URI Placeholders | Detailed | An attack of this type exploits the ability of most browsers to interpret "data", "javascript" or other URI schemes as client-side executable content placeholders. This attack consists of passing a malicious URI in an anchor tag HREF attribute or any other similar attributes in other HTML tags. Such malicious URI contains, for example, a base64 encoded HTML content with an embedded cross-site scripting payload. The attack is executed when the browser interprets the malicious content i.e., for example, when the victim clicks on the malicious link. | 2014-06-23 02:00:00 |
Capec: CAPEC-244
Cwe: CWE-83 Reference_from_capec: REF-70 Reference_from_capec: REF-96 Reference_from_capec: REF-72 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software Software Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Medium: To inject the malicious payload in a web page | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| XSS Using Doubled Characters | Detailed | The adversary bypasses input validation by using doubled characters in order to perform a cross-site scripting attack. Some filters fail to recognize dangerous sequences if they are preceded by repeated characters. For example, by doubling the < before a script command, (<<script or %3C%3script using URI encoding) the filters of some web applications may fail to recognize the presence of a script tag. If the targeted server is vulnerable to this type of bypass, the adversary can create a crafted URL or other trap to cause a victim to view a page on the targeted server where the malicious content is executed, as per a normal XSS attack. | 2014-06-23 02:00:00 |
Capec: CAPEC-245
Cwe: CWE-85 Reference_from_capec: REF-99 |
2022-02-22 01:00:00 | 2.1 |
Software Software Software |
Explore
Experiment
Exploit
|
None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| DEPRECATED: XSS Using Flash | Detailed | This pattern has been deprecated as it is covered by a chaining relationship between CAPEC-174: Flash Parameter Injection and CAPEC-591: Stored XSS. Please refer to these CAPECs going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-246
|
2017-05-01 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| XSS Using Invalid Characters | Detailed | An adversary inserts invalid characters in identifiers to bypass application filtering of input. Filters may not scan beyond invalid characters but during later stages of processing content that follows these invalid characters may still be processed. This allows the adversary to sneak prohibited commands past filters and perform normally prohibited operations. Invalid characters may include null, carriage return, line feed or tab in an identifier. Successful bypassing of the filter can result in a XSS attack, resulting in the disclosure of web cookies or possibly other results. | 2014-06-23 02:00:00 |
Capec: CAPEC-247
Cwe: CWE-86 |
2022-02-22 01:00:00 | 2.1 |
Software Software Software |
Explore
Experiment
Exploit
|
None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| PHP Local File Inclusion | Detailed | The attacker loads and executes an arbitrary local PHP file on a target machine. The attacker could use this to try to load old versions of PHP files that have known vulnerabilities, to load PHP files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways. | 2014-06-23 02:00:00 |
Capec: CAPEC-252
Cwe: CWE-829 Reference_from_capec: REF-621 |
2021-10-21 02:00:00 | 2.1 |
Software |
Explore
Experiment
Exploit
|
None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| DEPRECATED: DTD Injection in a SOAP Message | Detailed | This pattern has been deprecated as it was determined to be an unnecessary layer of abstraction. Please refer to the pattern CAPEC-228 : DTD Injection going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-254
|
2017-05-01 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| SOAP Array Overflow | Detailed | An attacker sends a SOAP request with an array whose actual length exceeds the length indicated in the request. If the server processing the transmission naively trusts the specified size, then an attacker can intentionally understate the size of the array, possibly resulting in a buffer overflow if the server attempts to read the entire data set into the memory it allocated for a smaller array. | 2014-06-23 02:00:00 |
Capec: CAPEC-256
Cwe: CWE-805 Wasc: 35 Reference_from_capec: REF-102 Reference_from_capec: REF-103 |
2021-10-21 02:00:00 | 2.1 |
Software |
Explore
Experiment
Exploit
|
None |
|
|
Draft | High | 3.9 | |||||||||||||||||||||||||||||||
| DEPRECATED: Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Dynamic Update | Detailed | This attack pattern has been deprecated as it is a duplicate of the existing attack pattern "CAPEC-65 : Sniff Application Code". Please refer to this other CAPEC going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-258
|
2017-08-04 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Initial Distribution | Detailed | This attack pattern has been deprecated as it is a duplicate of the existing attack pattern "CAPEC-65 : Sniff Application Code". Please refer to this other CAPEC going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-260
|
2017-08-04 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Fuzzing for garnering other adjacent user/sensitive data | Detailed | An adversary who is authorized to send queries to a target sends variants of expected queries in the hope that these modified queries might return information (directly or indirectly through error logs) beyond what the expected set of queries should provide. | Many client applications use specific query templates when interacting with a server and often automatically fill in specific fields or attributes. If the server does not verify that the query matches one of the expected templates, an adversary who is allowed to send normal queries could modify their query to try to return additional information. The adversary may not know the names of fields to request or how other modifications will affect the server response, but by attempting multiple plausible variants, they might eventually trigger a server response that divulges sensitive information. Other possible outcomes include server crashes and resource consumption if the unexpected queries cause the server to enter an unstable state or perform excessive computation. | 2014-06-23 02:00:00 |
Capec: CAPEC-261
Cwe: CWE-20 |
2022-02-22 01:00:00 | 2.1 |
Software |
|
Explore
Experiment
Exploit
|
None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||
| Force Use of Corrupted Files | Detailed | This describes an attack where an application is forced to use a file that an attacker has corrupted. The result is often a denial of service caused by the application being unable to process the corrupted file, but other results, including the disabling of filters or access controls (if the application fails in an unsafe way rather than failing by locking down) or buffer overflows are possible. | 2014-06-23 02:00:00 |
Capec: CAPEC-263
Cwe: CWE-829 |
2019-04-04 02:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Modification of Registry Run Keys | Detailed | An adversary adds a new entry to the "run keys" in the Windows registry so that an application of their choosing is executed when a user logs in. In this way, the adversary can get their executable to operate and run on the target system with the authorized user's level of permissions. This attack is a good way for an adversary to run persistent spyware on a user's machine, such as a keylogger. | 2014-06-23 02:00:00 |
Capec: CAPEC-270
Cwe: CWE-15 Attack: T1547.001 Attack: T1547.014 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Medium |
|
Stable | Medium | 3.9 | ||||||||||||||||||||||||||||||
| HTTP Response Smuggling | Detailed | An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server). See CanPrecede relationships for possible consequences. | In the maliciously manipulated HTTP response, an adversary can add duplicate header fields that HTTP agents interpret as belonging to separate responses. The combined HTTP response ends up being parsed or interpreted as two or more HTTP responses by the targeted client HTTP agent. This allows malicious HTTP responses to bypass security controls. This is performed by the abuse of interpretation and parsing discrepancies in different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) or client HTTP agents (e.g., web browser) in the path of the malicious HTTP responses. This attack usually involves the misuse of the HTTP headers: Content-Length and Transfer-Encoding. These abuses are discussed in RFC 2616 4.4.3 and section 4.2 and are related to ordering and precedence of these headers. [REF-38] Additionally this attack can be performed through modification and/or fuzzing of parameters composing the request-line of HTTP messages. This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents. This differs from CAPEC-33 HTTP Request Smuggling, which is usually an attempt to compromise a back-end HTTP agent via HTTP Request messages. HTTP Response Smuggling is an attempt to compromise aclient agent (e.g., web browser). HTTP Splitting (CAPEC-105 and CAPEC-34) is different from HTTP Smuggling due to the fact that during implementation of asynchronous requests, HTTP Splitting requires the embedding/injection of arbitrary HTML headers and content through user input into browser cookies or Ajax web/browser object parameters like XMLHttpRequest. | 2014-06-23 02:00:00 |
Capec: CAPEC-273
Cwe: CWE-74 Cwe: CWE-436 Cwe: CWE-444 Wasc: 27 Reference_from_capec: REF-38 Reference_from_capec: REF-117 Reference_from_capec: REF-675 Reference_from_capec: REF-676 Reference_from_capec: REF-677 Reference_from_capec: REF-678 |
2022-09-29 02:00:00 | 2.1 |
|
Integrity:
|
Communications Software |
|
Explore
Experiment
Exploit
|
Medium |
|
|
Medium: Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers. | Stable | High | 3.9 | ||||||||||||||||||||||||||
| HTTP Verb Tampering | Detailed | An attacker modifies the HTTP Verb (e.g. GET, PUT, TRACE, etc.) in order to bypass access restrictions. Some web environments allow administrators to restrict access based on the HTTP Verb used with requests. However, attackers can often provide a different HTTP Verb, or even provide a random string as a verb in order to bypass these protections. This allows the attacker to access data that should otherwise be protected. | 2014-06-23 02:00:00 |
Capec: CAPEC-274
Cwe: CWE-302 Cwe: CWE-654 Reference_from_capec: REF-118 |
2019-09-30 02:00:00 | 2.1 |
Software |
None | None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| DNS Rebinding | Detailed | An adversary serves content whose IP address is resolved by a DNS server that the adversary controls. After initial contact by a web browser (or similar client), the adversary changes the IP address to which its name resolves, to an address within the target organization that is not publicly accessible. This allows the web browser to examine this internal address on behalf of the adversary. | Web browsers enforce security zones based on DNS names in order to prevent cross-zone disclosure of information. Because the same name resolves to both these IP addresses, browsers will place both IP addresses in the same security zone and allow information to flow between the addresses. This allows adversaries to discover sensitive information about the internal network of an enterprise. If there is a trust relationship between the computer with the targeted browser and the internal machine the adversary identifies, additional attacks are possible. This attack differs from pharming attacks in that the adversary is the legitimate owner of the malicious DNS server and so does not need to compromise behavior of external DNS services. | 2014-06-23 02:00:00 |
Capec: CAPEC-275
Cwe: CWE-350 Reference_from_capec: REF-119 Reference_from_capec: REF-120 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Medium: Setup DNS server and the adversary's web server. Write a malicious script to allow the victim to connect to the web server. | Draft | Very High | 3.9 | |||||||||||||||||||||||||||
| SOAP Manipulation | Detailed | Simple Object Access Protocol (SOAP) is used as a communication protocol between a client and server to invoke web services on the server. It is an XML-based protocol, and therefore suffers from many of the same shortcomings as other XML-based protocols. Adversaries can make use of these shortcomings and manipulate the content of SOAP paramters, leading to undesirable behavior on the server and allowing the adversary to carry out a number of further attacks. | 2014-06-23 02:00:00 |
Capec: CAPEC-279
Cwe: CWE-707 Reference_from_capec: REF-121 |
2021-10-21 02:00:00 | 2.1 |
Integrity:
|
Communications Software |
Exploit
Experiment
|
Medium |
|
Draft | High | 3.9 | |||||||||||||||||||||||||||||||
| DEPRECATED: SOAP Parameter Tampering | Detailed | This attack pattern has been deprecated as its contents have been included in CAPEC-279 : SOAP Manipulation. Please refer to this other pattern going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-280
|
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| ICMP Echo Request Ping | Detailed | An adversary sends out an ICMP Type 8 Echo Request, commonly known as a 'Ping', in order to determine if a target system is responsive. If the request is not blocked by a firewall or ACL, the target host will respond with an ICMP Type 0 Echo Reply datagram. This type of exchange is usually referred to as a 'Ping' due to the Ping utility present in almost all operating systems. Ping, as commonly implemented, allows a user to test for alive hosts, measure round- trip time, and measure the percentage of packet loss. | Performing this operation for a range of hosts on the network is known as a 'Ping Sweep'. While the Ping utility is useful for small-scale host discovery, it was not designed for rapid or efficient host discovery over large network blocks. Other scanning utilities have been created that make ICMP ping sweeps easier to perform. Most networks filter ingress ICMP Type 8 messages for security reasons. Various other methods of performing ping sweeps have developed as a result. It is important to recognize the key security goal of the adversary is to discover if an IP address is alive, or has a responsive host. To this end, virtually any type of ICMP message, as defined by RFC 792 is useful. An adversary can cycle through various types of ICMP messages to determine if holes exist in the firewall configuration. When ICMP ping sweeps fail to discover hosts, other protocols can be used for the same purpose, such as TCP SYN or ACK segments, UDP datagrams sent to closed ports, etc. | 2014-06-23 02:00:00 |
Capec: CAPEC-285
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-123 Reference_from_capec: REF-124 Reference_from_capec: REF-125 Reference_from_capec: REF-34 |
2022-02-22 01:00:00 | 2.1 |
Confidentiality:
|
Software |
None | Medium |
|
|
Low: The adversary needs to know certain linux commands for this type of attack. | Stable | Low | 3.9 | ||||||||||||||||||||||||||||
| TCP SYN Scan | Detailed | An adversary uses a SYN scan to determine the status of ports on the remote target. SYN scanning is the most common type of port scanning that is used because of its many advantages and few drawbacks. As a result, novice attackers tend to overly rely on the SYN scan while performing system reconnaissance. As a scanning method, the primary advantages of SYN scanning are its universality and speed. | RFC 793 defines the required behavior of any TCP/IP device in that an incoming connection request begins with a SYN packet, which in turn must be followed by a SYN/ACK packet from the receiving service. For this reason, like TCP Connect scanning, SYN scanning works against any TCP stack. Unlike TCP Connect scanning, it is possible to scan thousands of ports per second using this method. This type of scanning is usually referred to as 'half-open' scanning because it does not complete the three-way handshake. The scanning rate is extremely fast because no time is wasted completing the handshake or tearing down the connection. This technique allows an attacker to scan through stateful firewalls due to the common configuration that TCP SYN segments for a new connection will be allowed for almost any port. TCP SYN scanning can also immediately detect 3 of the 4 important types of port status: open, closed, and filtered. | 2014-06-23 02:00:00 |
Capec: CAPEC-287
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-34 Reference_from_capec: REF-130 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Communications Software |
Experiment
|
None |
|
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| Enumerate Mail Exchange (MX) Records | Detailed | An adversary enumerates the MX records for a given via a DNS query. This type of information gathering returns the names of mail servers on the network. Mail servers are often not exposed to the Internet but are located within the DMZ of a network protected by a firewall. A side effect of this configuration is that enumerating the MX records for an organization my reveal the IP address of the firewall or possibly other internal systems. Attackers often resort to MX record enumeration when a DNS Zone Transfer is not possible. | 2014-06-23 02:00:00 |
Capec: CAPEC-290
Cwe: CWE-200 Reference_from_capec: REF-33 |
2018-07-31 02:00:00 | 2.1 |
Authorization:
|
Software |
None | None |
|
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| DNS Zone Transfers | Detailed | An attacker exploits a DNS misconfiguration that permits a ZONE transfer. Some external DNS servers will return a list of IP address and valid hostnames. Under certain conditions, it may even be possible to obtain Zone data about the organization's internal network. When successful the attacker learns valuable information about the topology of the target organization, including information about particular servers, their role within the IT structure, and possibly information about the operating systems running upon the network. This is configuration dependent behavior so it may also be required to search out multiple DNS servers while attempting to find one with ZONE transfers allowed. | 2014-06-23 02:00:00 |
Capec: CAPEC-291
Cwe: CWE-200 Reference_from_capec: REF-33 |
2018-07-31 02:00:00 | 2.1 |
Confidentiality:
|
Software |
None | None |
|
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| Traceroute Route Enumeration | Detailed | An adversary uses a traceroute utility to map out the route which data flows through the network in route to a target destination. Tracerouting can allow the adversary to construct a working topology of systems and routers by listing the systems through which data passes through on their way to the targeted machine. This attack can return varied results depending upon the type of traceroute that is performed. Traceroute works by sending packets to a target while incrementing the Time-to-Live field in the packet header. As the packet traverses each hop along its way to the destination, its TTL expires generating an ICMP diagnostic message that identifies where the packet expired. Traditional techniques for tracerouting involved the use of ICMP and UDP, but as more firewalls began to filter ingress ICMP, methods of traceroute using TCP were developed. | 2014-06-23 02:00:00 |
Capec: CAPEC-293
Cwe: CWE-200 Reference_from_capec: REF-33 |
2018-07-31 02:00:00 | 2.1 |
Confidentiality:
|
Software |
None | None |
|
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| ICMP Address Mask Request | Detailed | An adversary sends an ICMP Type 17 Address Mask Request to gather information about a target's networking configuration. ICMP Address Mask Requests are defined by RFC-950, "Internet Standard Subnetting Procedure." An Address Mask Request is an ICMP type 17 message that triggers a remote system to respond with a list of its related subnets, as well as its default gateway and broadcast address via an ICMP type 18 Address Mask Reply datagram. Gathering this type of information helps the adversary plan router-based attacks as well as denial-of-service attacks against the broadcast address. | Many modern operating systems will not respond to ICMP type 17 messages for security reasons. Determining whether a system or router will respond to an ICMP Address Mask Request helps the adversary determine operating system or firmware version. Additionally, because these types of messages are rare, they are easily spotted by intrusion detection systems. Many ICMP scanning tools support IP spoofing to help conceal the origin of the actual request among a storm of similar ICMP messages. It is a common practice for border firewalls and gateways to be configured to block ingress ICMP type 17 and egress ICMP type 18 messages. | 2014-06-23 02:00:00 |
Capec: CAPEC-294
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-139 Reference_from_capec: REF-123 Reference_from_capec: REF-125 Reference_from_capec: REF-34 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Software |
None | None |
|
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| Timestamp Request | Detailed | This pattern of attack leverages standard requests to learn the exact time associated with a target system. An adversary may be able to use the timestamp returned from the target to attack time-based security algorithms, such as random number generators, or time-based authentication mechanisms. | 2014-06-23 02:00:00 |
Capec: CAPEC-295
Cwe: CWE-200 Attack: T1124 Reference_from_capec: REF-33 Reference_from_capec: REF-123 Reference_from_capec: REF-124 Reference_from_capec: REF-125 Reference_from_capec: REF-147 |
2019-09-30 02:00:00 | 2.1 |
Confidentiality:
|
Software |
|
None | None |
|
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| ICMP Information Request | Detailed | An adversary sends an ICMP Information Request to a host to determine if it will respond to this deprecated mechanism. ICMP Information Requests are a deprecated message type. Information Requests were originally used for diskless machines to automatically obtain their network configuration, but this message type has been superseded by more robust protocol implementations like DHCP. | 2014-06-23 02:00:00 |
Capec: CAPEC-296
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-123 Reference_from_capec: REF-124 Reference_from_capec: REF-125 Reference_from_capec: REF-34 |
2019-09-30 02:00:00 | 2.1 |
Confidentiality:
|
Software |
None | None |
|
|
Low: The adversary needs to know certain linux commands for this type of attack. | Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| TCP ACK Ping | Detailed | An adversary sends a TCP segment with the ACK flag set to a remote host for the purpose of determining if the host is alive. This is one of several TCP 'ping' types. The RFC 793 expected behavior for a service is to respond with a RST 'reset' packet to any unsolicited ACK segment that is not part of an existing connection. So by sending an ACK segment to a port, the adversary can identify that the host is alive by looking for a RST packet. Typically, a remote server will respond with a RST regardless of whether a port is open or closed. In this way, TCP ACK pings cannot discover the state of a remote port because the behavior is the same in either case. The firewall will look up the ACK packet in its state-table and discard the segment because it does not correspond to any active connection. A TCP ACK Ping can be used to discover if a host is alive via RST response packets sent from the host. | 2014-06-23 02:00:00 |
Capec: CAPEC-297
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-34 Reference_from_capec: REF-125 |
2019-09-30 02:00:00 | 2.1 |
Authorization:
|
Software |
None | None |
|
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| UDP Ping | Detailed | An adversary sends a UDP datagram to the remote host to determine if the host is alive. If a UDP datagram is sent to an open UDP port there is very often no response, so a typical strategy for using a UDP ping is to send the datagram to a random high port on the target. The goal is to solicit an 'ICMP port unreachable' message from the target, indicating that the host is alive. UDP pings are useful because some firewalls are not configured to block UDP datagrams sent to strange or typically unused ports, like ports in the 65K range. Additionally, while some firewalls may filter incoming ICMP, weaknesses in firewall rule-sets may allow certain types of ICMP (host unreachable, port unreachable) which are useful for UDP ping attempts. | 2014-06-23 02:00:00 |
Capec: CAPEC-298
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-158 Reference_from_capec: REF-125 Reference_from_capec: REF-34 |
2019-09-30 02:00:00 | 2.1 |
Authorization:
|
Software |
None | None |
|
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| TCP SYN Ping | Detailed | An adversary uses TCP SYN packets as a means towards host discovery. Typical RFC 793 behavior specifies that when a TCP port is open, a host must respond to an incoming SYN "synchronize" packet by completing stage two of the 'three- way handshake' - by sending an SYN/ACK in response. When a port is closed, RFC 793 behavior is to respond with a RST "reset" packet. This behavior can be used to 'ping' a target to see if it is alive by sending a TCP SYN packet to a port and then looking for a RST or an ACK packet in response. | Due to the different responses from open and closed ports, SYN packets can be used to determine the remote state of the port. A TCP SYN ping is also useful for discovering alive hosts protected by a stateful firewall. In cases where a specific firewall rule does not block access to a port, a SYN packet can pass through the firewall to the host and solicit a response from either an open or closed port. When a stateful firewall is present, SYN pings are preferable to ACK pings because a stateful firewall will typically drop all unsolicited ACK packets as they are not part of an existing or new connection. TCP SYN pings often fail when a stateless ACL or firewall is configured to blanket-filter incoming packets to a port. The firewall device will discard any SYN packets to a blocked port. Often, an adversary will alternate between SYN and ACK pings to discover if a host is alive. | 2014-06-23 02:00:00 |
Capec: CAPEC-299
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-34 Reference_from_capec: REF-125 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Software |
None | None |
|
|
Low: The adversary needs to know how to craft and send protocol commands from the command line or within a tool. | Stable | Low | 3.9 | ||||||||||||||||||||||||||||
| TCP Connect Scan | Detailed | An adversary uses full TCP connection attempts to determine if a port is open on the target system. The scanning process involves completing a 'three-way handshake' with a remote port, and reports the port as closed if the full handshake cannot be established. An advantage of TCP connect scanning is that it works against any TCP/IP stack. | RFC 793 defines how TCP connections are established and torn down. TCP connect scanning commonly involves establishing a full connection, and then subsequently tearing it down, and therefore involves sending a significant number of packets to each port that is scanned. Compared to other types of scans, a TCP Connect scan is slow and methodical. This type of scanning causes considerable noise in system logs and can be spotted by IDS/IPS systems. TCP Connect scanning can detect when a port is open by completing the three-way handshake, but it cannot distinguish a port that is unfiltered with no service running on it from a port that is filtered by a firewall but contains an active service. Due to the significant volume of packets exchanged per port, TCP connect scanning can become very time consuming (performing a full TCP connect scan against a host can take multiple days). Generally, it is not used as a method for performing a comprehensive port scan, but is reserved for checking a short list of common ports. | 2014-06-23 02:00:00 |
Capec: CAPEC-301
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-34 Reference_from_capec: REF-130 |
2022-02-22 01:00:00 | 2.1 |
Confidentiality:
|
Communications Software |
Experiment
|
None |
|
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| TCP FIN Scan | Detailed | An adversary uses a TCP FIN scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with the FIN bit set in the packet header. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow the adversary to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets. | In addition to its relative speed in comparison with other types of scans, the major advantage a TCP FIN Scan is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. FIN packets, like out-of-state ACK packets, tend to pass through such devices undetected. FIN scanning is still relatively stealthy as the packets tend to blend in with the background noise on a network link. | 2014-06-23 02:00:00 |
Capec: CAPEC-302
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-147 Reference_from_capec: REF-130 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Communications Software |
Experiment
|
None |
|
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| TCP Xmas Scan | Detailed | An adversary uses a TCP XMAS scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with all possible flags set in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets. | In addition to its relative speed when compared with other types of scans, its major advantage is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. XMAS packets, like out-of-state FIN or ACK packets, tend to pass through such devices undetected. Because open ports are inferred via no responses being generated, one cannot distinguish an open port from a filtered port without further analysis. For instance, XMAS scanning a system protected by a stateful firewall may indicate all ports being open. Because of their obvious rule- breaking nature, XMAS scans are flagged by almost all intrusion prevention or intrusion detection systems. | 2014-06-23 02:00:00 |
Capec: CAPEC-303
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-34 Reference_from_capec: REF-130 |
2022-02-22 01:00:00 | 2.1 |
Availability:
|
Communications Software |
Experiment
|
None |
|
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| TCP Null Scan | Detailed | An adversary uses a TCP NULL scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with no flags in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of- state Flag sent to an open port is discarded, whereas segments with out-of- state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets. | In addition to being fast, the major advantage of this scan type is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. NULL packets, like out-of-state FIN or ACK packets, tend to pass through such devices undetected. Additionally, because open ports are inferred via no responses being generated, one cannot distinguish an open port from a filtered port without further analysis. For instance, NULL scanning a system protected by a stateful firewall may indicate all ports being open. Because of their obvious rule- breaking nature, NULL scans are flagged by almost all intrusion prevention or intrusion detection systems. | 2014-06-23 02:00:00 |
Capec: CAPEC-304
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-34 Reference_from_capec: REF-130 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Communications Software |
Experiment
|
None |
|
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| TCP ACK Scan | Detailed | An adversary uses TCP ACK segments to gather information about firewall or ACL configuration. The purpose of this type of scan is to discover information about filter configurations rather than port state. This type of scanning is rarely useful alone, but when combined with SYN scanning, gives a more complete picture of the type of firewall rules that are present. | When a TCP ACK segment is sent to a closed port, or sent out-of-sync to a listening port, the RFC 793 expected behavior is for the device to respond with a RST. Getting RSTs back in response to a ACK scan gives the attacker useful information that can be used to infer the type of firewall present. Stateful firewalls will discard out-of-sync ACK packets, leading to no response. When this occurs the port is marked as filtered. When RSTs are received in response, the ports are marked as unfiltered, as the ACK packets solicited the expected behavior from a port. When combined with SYN techniques an attacker can gain a more complete picture of which types of packets get through to a host and thereby map out its firewall rule-set. ACK scanning, when combined with SYN scanning, also allows the adversary to analyze whether a firewall is stateful or non-stateful (described in notes). TCP ACK Scans are somewhat faster and more stealthy than other types of scans but often requires rather sophisticated analysis by an experienced person. A skilled adversary may use this method to map out firewall rules, but the results of ACK scanning will be less useful to a novice. | 2014-06-23 02:00:00 |
Capec: CAPEC-305
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-34 Reference_from_capec: REF-130 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Communications Software |
Experiment
|
None |
|
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| TCP Window Scan | Detailed | An adversary engages in TCP Window scanning to analyze port status and operating system type. TCP Window scanning uses the ACK scanning method but examine the TCP Window Size field of response RST packets to make certain inferences. While TCP Window Scans are fast and relatively stealthy, they work against fewer TCP stack implementations than any other type of scan. Some operating systems return a positive TCP window size when a RST packet is sent from an open port, and a negative value when the RST originates from a closed port. TCP Window scanning is one of the most complex scan types, and its results are difficult to interpret. Window scanning alone rarely yields useful information, but when combined with other types of scanning is more useful. It is a generally more reliable means of making inference about operating system versions than port status. | 2014-06-23 02:00:00 |
Capec: CAPEC-306
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-34 Reference_from_capec: REF-130 |
2020-12-17 01:00:00 | 2.1 |
Authorization:
|
Communications Software |
Experiment
|
None |
|
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| TCP RPC Scan | Detailed | An adversary scans for RPC services listing on a Unix/Linux host. | This type of scan can be obtained via native operating system utilities or via port scanners like nmap. When performed by a scanner, an RPC datagram is sent to a list of UDP ports and the response is recorded. Particular types of responses can be indicative of well-known RPC services running on a UDP port. Discovering RPC services gives the adversary potential targets to attack, as some RPC services are insecure by default. Direct RPC scans that bypass portmapper/sunrpc are typically slow compare to other scan types, are easily detected by IPS/IDS systems, and can only detect open ports when an RPC service responds. ICMP diagnostic message responses can help identify closed ports, however filtered and unfiltered ports cannot be identified through TCP RPC scans. There are two general approaches to RPC scanning: One is to use a native operating system utility, or script, to query the portmapper/rpcbind application running on port 111. Portmapper will return a list of registered RPC services. Alternately, one can use a port scanner or script to scan for RPC services directly. | 2014-06-23 02:00:00 |
Capec: CAPEC-307
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-158 Reference_from_capec: REF-34 Reference_from_capec: REF-130 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Communications Software |
Experiment
|
None |
|
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| UDP Scan | Detailed | An adversary engages in UDP scanning to gather information about UDP port status on the target system. UDP scanning methods involve sending a UDP datagram to the target port and looking for evidence that the port is closed. Open UDP ports usually do not respond to UDP datagrams as there is no stateful mechanism within the protocol that requires building or establishing a session. Responses to UDP datagrams are therefore application specific and cannot be relied upon as a method of detecting an open port. UDP scanning relies heavily upon ICMP diagnostic messages in order to determine the status of a remote port. | During a UDP scan, a datagram is sent to a target port. If an 'ICMP Type 3 Port unreachable' error message is returned then the port is considered closed. Different types of ICMP messages can indicate a filtered port. UDP scanning is slower than TCP scanning. The protocol characteristics of UDP make port scanning inherently more difficult than with TCP, as well as dependent upon ICMP for accurate scanning. Due to ambiguities that can arise between open ports and filtered ports, UDP scanning results often require a high degree of interpretation and further testing to refine. In general, UDP scanning results are less reliable or accurate than TCP-based scanning. | 2014-06-23 02:00:00 |
Capec: CAPEC-308
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-158 Reference_from_capec: REF-34 Reference_from_capec: REF-130 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Communications Software |
Experiment
|
None |
|
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| Scanning for Vulnerable Software | Detailed | An attacker engages in scanning activity to find vulnerable software versions or types, such as operating system versions or network services. Vulnerable or exploitable network configurations, such as improperly firewalled systems, or misconfigured systems in the DMZ or external network, provide windows of opportunity for an attacker. Common types of vulnerable software include unpatched operating systems or services (e.g FTP, Telnet, SMTP, SNMP) running on open ports that the attacker has identified. Attackers usually begin probing for vulnerable software once the external network has been port scanned and potential targets have been revealed. | 2014-06-23 02:00:00 |
Capec: CAPEC-310
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-130 |
2018-07-31 02:00:00 | 2.1 |
Authorization:
|
Software |
None | None |
|
|
Medium: To probe a system remotely without detection requires careful planning and patience. | Draft | Low | 3.9 | |||||||||||||||||||||||||||||
| IP ID Sequencing Probe | Detailed | This OS fingerprinting probe analyzes the IP 'ID' field sequence number generation algorithm of a remote host. Operating systems generate IP 'ID' numbers differently, allowing an attacker to identify the operating system of the host by examining how is assigns ID numbers when generating response packets. RFC 791 does not specify how ID numbers are chosen or their ranges, so ID sequence generation differs from implementation to implementation. There are two kinds of IP 'ID' sequence number analysis - IP 'ID' Sequencing: analyzing the IP 'ID' sequence generation algorithm for one protocol used by a host and Shared IP 'ID' Sequencing: analyzing the packet ordering via IP 'ID' values spanning multiple protocols, such as between ICMP and TCP. | 2014-06-23 02:00:00 |
Capec: CAPEC-317
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-212 Reference_from_capec: REF-130 |
2018-07-31 02:00:00 | 2.1 |
Authorization:
|
Software |
None | Medium | Stable | Low | 3.9 | ||||||||||||||||||||||||||||||||
| IP 'ID' Echoed Byte-Order Probe | Detailed | This OS fingerprinting probe tests to determine if the remote host echoes back the IP 'ID' value from the probe packet. An attacker sends a UDP datagram with an arbitrary IP 'ID' value to a closed port on the remote host to observe the manner in which this bit is echoed back in the ICMP error message. The identification field (ID) is typically utilized for reassembling a fragmented packet. Some operating systems or router firmware reverse the bit order of the ID field when echoing the IP Header portion of the original datagram within an ICMP error message. | 2014-06-23 02:00:00 |
Capec: CAPEC-318
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-212 Reference_from_capec: REF-130 |
2018-07-31 02:00:00 | 2.1 |
Authorization:
|
Software |
None | Medium | Stable | Low | 3.9 | ||||||||||||||||||||||||||||||||
| IP (DF) 'Don't Fragment Bit' Echoing Probe | Detailed | This OS fingerprinting probe tests to determine if the remote host echoes back the IP 'DF' (Don't Fragment) bit in a response packet. An attacker sends a UDP datagram with the DF bit set to a closed port on the remote host to observe whether the 'DF' bit is set in the response packet. Some operating systems will echo the bit in the ICMP error message while others will zero out the bit in the response packet. | 2014-06-23 02:00:00 |
Capec: CAPEC-319
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-212 Reference_from_capec: REF-130 |
2018-07-31 02:00:00 | 2.1 |
Authorization:
|
Software |
None | Medium | Stable | Low | 3.9 | ||||||||||||||||||||||||||||||||
| TCP Timestamp Probe | Detailed | This OS fingerprinting probe examines the remote server's implementation of TCP timestamps. Not all operating systems implement timestamps within the TCP header, but when timestamps are used then this provides the attacker with a means to guess the operating system of the target. The attacker begins by probing any active TCP service in order to get response which contains a TCP timestamp. Different Operating systems update the timestamp value using different intervals. This type of analysis is most accurate when multiple timestamp responses are received and then analyzed. TCP timestamps can be found in the TCP Options field of the TCP header. | 2014-06-23 02:00:00 |
Capec: CAPEC-320
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-212 |
2018-07-31 02:00:00 | 2.1 |
Authorization:
|
Software |
Explore
Experiment
|
Medium |
|
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| TCP Sequence Number Probe | Detailed | This OS fingerprinting probe tests the target system's assignment of TCP sequence numbers. One common way to test TCP Sequence Number generation is to send a probe packet to an open port on the target and then compare the how the Sequence Number generated by the target relates to the Acknowledgement Number in the probe packet. Different operating systems assign Sequence Numbers differently, so a fingerprint of the operating system can be obtained by categorizing the relationship between the acknowledgement number and sequence number as follows: 1) the Sequence Number generated by the target is Zero, 2) the Sequence Number generated by the target is the same as the acknowledgement number in the probe, 3) the Sequence Number generated by the target is the acknowledgement number plus one, or 4) the Sequence Number is any other non- zero number. | 2014-06-23 02:00:00 |
Capec: CAPEC-321
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-212 |
2018-07-31 02:00:00 | 2.1 |
Authorization:
|
Software |
None | Medium |
|
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| TCP (ISN) Greatest Common Divisor Probe | Detailed | This OS fingerprinting probe sends a number of TCP SYN packets to an open port of a remote machine. The Initial Sequence Number (ISN) in each of the SYN/ACK response packets is analyzed to determine the smallest number that the target host uses when incrementing sequence numbers. This information can be useful for identifying an operating system because particular operating systems and versions increment sequence numbers using different values. The result of the analysis is then compared against a database of OS behaviors to determine the OS type and/or version. | 2014-06-23 02:00:00 |
Capec: CAPEC-322
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-212 |
2018-07-31 02:00:00 | 2.1 |
Authorization:
|
Software |
None | Medium |
|
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| TCP (ISN) Counter Rate Probe | Detailed | This OS detection probe measures the average rate of initial sequence number increments during a period of time. Sequence numbers are incremented using a time-based algorithm and are susceptible to a timing analysis that can determine the number of increments per unit time. The result of this analysis is then compared against a database of operating systems and versions to determine likely operation system matches. | 2014-06-23 02:00:00 |
Capec: CAPEC-323
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-212 |
2018-07-31 02:00:00 | 2.1 |
Authorization:
|
Software |
None | Medium |
|
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| TCP (ISN) Sequence Predictability Probe | Detailed | This type of operating system probe attempts to determine an estimate for how predictable the sequence number generation algorithm is for a remote host. Statistical techniques, such as standard deviation, can be used to determine how predictable the sequence number generation is for a system. This result can then be compared to a database of operating system behaviors to determine a likely match for operating system and version. | 2014-06-23 02:00:00 |
Capec: CAPEC-324
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-212 Reference_from_capec: REF-130 |
2018-07-31 02:00:00 | 2.1 |
Authorization:
|
Software |
None | Medium |
|
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| TCP Congestion Control Flag (ECN) Probe | Detailed | This OS fingerprinting probe checks to see if the remote host supports explicit congestion notification (ECN) messaging. ECN messaging was designed to allow routers to notify a remote host when signal congestion problems are occurring. Explicit Congestion Notification messaging is defined by RFC 3168. Different operating systems and versions may or may not implement ECN notifications, or may respond uniquely to particular ECN flag types. | 2014-06-23 02:00:00 |
Capec: CAPEC-325
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-212 |
2018-07-31 02:00:00 | 2.1 |
Authorization:
|
Software |
None | Medium |
|
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| TCP Initial Window Size Probe | Detailed | This OS fingerprinting probe checks the initial TCP Window size. TCP stacks limit the range of sequence numbers allowable within a session to maintain the "connected" state within TCP protocol logic. The initial window size specifies a range of acceptable sequence numbers that will qualify as a response to an ACK packet within a session. Various operating systems use different Initial window sizes. The initial window size can be sampled by establishing an ordinary TCP connection. | 2014-06-23 02:00:00 |
Capec: CAPEC-326
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-212 |
2018-07-31 02:00:00 | 2.1 |
Authorization:
|
Software |
None | Medium |
|
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| TCP Options Probe | Detailed | This OS fingerprinting probe analyzes the type and order of any TCP header options present within a response segment. Most operating systems use unique ordering and different option sets when options are present. RFC 793 does not specify a required order when options are present, so different implementations use unique ways of ordering or structuring TCP options. TCP options can be generated by ordinary TCP traffic. | 2014-06-23 02:00:00 |
Capec: CAPEC-327
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-212 |
2018-07-31 02:00:00 | 2.1 |
Authorization:
|
Software |
None | Medium |
|
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| TCP 'RST' Flag Checksum Probe | Detailed | This OS fingerprinting probe performs a checksum on any ASCII data contained within the data portion or a RST packet. Some operating systems will report a human-readable text message in the payload of a 'RST' (reset) packet when specific types of connection errors occur. RFC 1122 allows text payloads within reset packets but not all operating systems or routers implement this functionality. | 2014-06-23 02:00:00 |
Capec: CAPEC-328
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-128 Reference_from_capec: REF-212 |
2018-07-31 02:00:00 | 2.1 |
Authorization:
|
Software |
None | Medium |
|
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| ICMP Error Message Quoting Probe | Detailed | An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the amount of data returned or "Quoted" from the originating request that generated the ICMP error message. | For this purpose "Port Unreachable" error messages are often used, as generating them requires the adversary to send a UDP datagram to a closed port on the target. The goal of this analysis to make inferences about the type of operating system or firmware that sent the error message in reply. This is useful for identifying unique characteristics of operating systems because the RFC-1122 expected behavior reads: "Every ICMP error message includes the Internet header and at least the first 8 data octets of the datagram that triggered the error; more than 8 octets MAY be sent [...]." This contrasts with RFC-792 expected behavior, which limited the quoted text to 64 bits (8 octets). Given the latitude in the specification the resulting RFC-1122 stack implementations often respond with a high degree of variability in the amount of data quoted in the error message because "older" or "legacy" stacks may comply with the RFC-792 specification, while other stacks may choose a longer format in accordance with RFC-1122. As a general rule most operating systems or firmware will quote the first 8 bytes of the datagram triggering the error, but some IP stacks will quote more than the first 8 bytes of data. | 2014-06-23 02:00:00 |
Capec: CAPEC-329
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-123 Reference_from_capec: REF-124 Reference_from_capec: REF-262 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Software |
None | Medium |
|
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| ICMP Error Message Echoing Integrity Probe | Detailed | An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the integrity of data returned or "Quoted" from the originating request that generated the error message. | A tremendous amount of information about the host operating system can be deduced from its 'echoing' characteristics. Notably, inspection of key protocol header fields, including the echoed header fields of the encapsulating protocol can yield a wealth of data about the host operating system or firmware version. For this purpose "Port Unreachable" error messages are often used, as generating them requires the adversary to send a UDP datagram to a closed port on the target. When replying with an ICMP error message some IP/ICMP stack implementations change aspects of the IP header, change or reverse certain byte orders, reset certain field values to default values which differ between operating system and firmware implementations, and make other changes. Some IP/ICMP stacks are decidedly broken, indicating an idiosyncratic behavior that differs from the RFC specifications, such as the case when miscalculations affect a field value. | 2014-06-23 02:00:00 |
Capec: CAPEC-330
Cwe: CWE-200 Reference_from_capec: REF-33 Reference_from_capec: REF-123 Reference_from_capec: REF-124 Reference_from_capec: REF-262 |
2022-02-22 01:00:00 | 2.1 |
Authorization:
|
Software |
None | Medium |
|
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| ICMP IP Total Length Field Probe | Detailed | An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message. This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses. | RFC1122 specifies that the Header of the request must be echoed back when an error is sent in response, but some operating systems and firmware alter the integrity of the original header. Non-standard ICMP/IP implementations result in response that are useful for individuating remote operating system or router firmware versions. There are four general response types that can be used to distinguish operating systems apart: 1) the IP total length field may be calculated correctly, 2) an operating system may add 20 or more additional bytes to the length calculation, 3) the operating system may subtract 20 or more bytes from the correct length of the field or 4) the IP total length field is calculated with any other incorrect value. | 2014-06-23 02:00:00 |
Capec: CAPEC-331
Cwe: CWE-204 Reference_from_capec: REF-33 Reference_from_capec: REF-123 Reference_from_capec: REF-124 Reference_from_capec: REF-262 |
2023-01-24 01:00:00 | 2.1 |
Authorization:
|
Software |
None | Medium |
|
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| ICMP IP 'ID' Field Error Message Probe | Detailed | An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors. | The internet identification field (ID) is typically utilized for reassembling a fragmented packet. RFC791 and RFC815 discusses about IP datagrams, fragmentation and reassembly. Some operating systems or router firmware reverse the bit order of the ID field when echoing the IP Header portion of the original datagram within the ICMP error message. There are three behaviors related to the IP ID field that can be used to distinguish remote operating systems or firmware: 1) it is echoed back identically to the bit order of the ID field in the original IP header, 2) it is echoed back, but the byte order has been reversed, or it contains an incorrect or unexpected value. Different operating systems will respond by setting the IP ID field differently within error messaging. | 2014-06-23 02:00:00 |
Capec: CAPEC-332
Cwe: CWE-204 Reference_from_capec: REF-33 Reference_from_capec: REF-123 Reference_from_capec: REF-124 Reference_from_capec: REF-262 |
2023-01-24 01:00:00 | 2.1 |
Authorization:
|
Software |
None | Medium |
|
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| Harvesting Information via API Event Monitoring | Detailed | An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the adversary creating an event within the sub-application. Assume the adversary hosts a "virtual sale" of rare items. As other users enter the event, the attacker records via AiTM (CAPEC-94) proxy the user_ids and usernames of everyone who attends. The adversary would then be able to spam those users within the application using an automated script. | 2014-06-23 02:00:00 |
Capec: CAPEC-383
Cwe: CWE-311 Cwe: CWE-319 Cwe: CWE-419 Cwe: CWE-602 Attack: T1056.004 Reference_from_capec: REF-327 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Social Engineering Social Engineering Software |
None | None |
|
Draft | Low | 3.9 | |||||||||||||||||||||||||||||||
| Transaction or Event Tampering via Application API Manipulation | Detailed | An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process. | 2014-06-23 02:00:00 |
Capec: CAPEC-385
Cwe: CWE-471 Cwe: CWE-345 Cwe: CWE-346 Cwe: CWE-602 Cwe: CWE-311 Reference_from_capec: REF-327 |
2021-06-24 02:00:00 | 2.1 |
Communications Software |
None | None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Navigation Remapping To Propagate Malicious Content | Detailed | An adversary manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic. | Performing this attack allows the adversary to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the adversarys' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the adversarys' intent. When the goal is to spread malware, deceptive content is created such as modified links, buttons, or images, that entice users to click on those items, all of which point to a malicious URI. The techniques require use of specialized software that allow the adversary to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system in order to change the destination of various application interface elements. | 2014-06-23 02:00:00 |
Capec: CAPEC-387
Cwe: CWE-471 Cwe: CWE-345 Cwe: CWE-346 Cwe: CWE-602 Cwe: CWE-311 Reference_from_capec: REF-327 |
2022-09-29 02:00:00 | 2.1 |
Communications Software |
None | None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Application API Button Hijacking | Detailed | An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination. | 2014-06-23 02:00:00 |
Capec: CAPEC-388
Cwe: CWE-471 Cwe: CWE-345 Cwe: CWE-346 Cwe: CWE-602 Cwe: CWE-311 Reference_from_capec: REF-327 |
2022-09-29 02:00:00 | 2.1 |
Communications Software |
|
None | None |
|
|
Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Content Spoofing Via Application API Manipulation | Detailed | An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attackers' intent. The techniques require use of specialized software that allow the attacker to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system. | 2014-06-23 02:00:00 |
Capec: CAPEC-389
Cwe: CWE-353 Reference_from_capec: REF-327 |
2021-06-24 02:00:00 | 2.1 |
Communications Software |
None | None |
|
|
Draft | Low | 3.9 | |||||||||||||||||||||||||||||||
| Lock Bumping | Detailed | An attacker uses a bump key to force a lock on a building or facility and gain entry. Lock Bumping is the use of a special type of key that can be tapped or bumped to cause the pins within the lock to fall into temporary alignment, allowing the lock to be opened. Lock bumping allows an attacker to open a lock without having the correct key. A standard lock is secured by a set of internal pins that prevent the device from turning. Spring loaded driver pins push down on the key pins. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. A bump key is a specially constructed key that exploits this design. When the bump key is struck or firmly tapped, its teeth transfer the force of the tap into the key pins, causing the lock to momentarily shift into proper alignment for the mechanism to be opened. | 2014-06-23 02:00:00 |
Capec: CAPEC-392
Reference_from_capec: REF-33 |
2019-09-30 02:00:00 | 2.1 |
Physical Security |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Lock Picking | Detailed | An attacker uses lock picking tools and techniques to bypass the locks on a building or facility. Lock picking is the use of a special set of tools to manipulate the pins within a lock. Different sets of tools are required for each type of lock. Lock picking attacks have the advantage of being non- invasive in that if performed correctly the lock will not be damaged. A standard lock pin-and-tumbler lock is secured by a set of internal pins that prevent the tumbler device from turning. Spring loaded driver pins push down on the key pins preventing rotation so that the bolt remains in a locked position.. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. Most common locks, such as domestic locks in the US, can be picked using a standard 2 tools (i.e. a torsion wrench and a hook pick). | 2014-06-23 02:00:00 |
Capec: CAPEC-393
Reference_from_capec: REF-33 |
2019-09-30 02:00:00 | 2.1 |
Physical Security |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Using a Snap Gun Lock to Force a Lock | Detailed | An attacker uses a Snap Gun, also known as a Pick Gun, to force the lock on a building or facility. A Pick Gun is a special type of lock picking instrument that works on similar principles as lock bumping. A snap gun is a hand-held device with an attached metal pick. The metal pick strikes the pins within the lock, transferring motion from the key pins to the driver pins and forcing the lock into momentary alignment. A standard lock is secured by a set of internal pins that prevent the device from turning. Spring loaded driver pins push down on the key pins. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. A Snap Gun exploits this design by using a metal pin to strike all of the key pins at once, forcing the driver pins to shift into an unlocked position. Unlike bump keys or lock picks, a Snap Gun may damage the lock more easily, leaving evidence that the lock has been tampered with. | 2014-06-23 02:00:00 |
Capec: CAPEC-394
Reference_from_capec: REF-33 |
2019-09-30 02:00:00 | 2.1 |
Physical Security |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Cloning Magnetic Strip Cards | Detailed | An attacker duplicates the data on a Magnetic strip card (i.e. 'swipe card' or 'magstripe') to gain unauthorized access to a physical location or a person's private information. Magstripe cards encode data on a band of iron-based magnetic particles arrayed in a stripe along a rectangular card. Most magstripe card data formats conform to ISO standards 7810, 7811, 7813, 8583, and 4909. The primary advantage of magstripe technology is ease of encoding and portability, but this also renders magnetic strip cards susceptible to unauthorized duplication. If magstripe cards are used for access control, all an attacker need do is obtain a valid card long enough to make a copy of the card and then return the card to its location (i.e. a co-worker's desk). Magstripe reader/writers are widely available as well as software for analyzing data encoded on the cards. By swiping a valid card, it becomes trivial to make any number of duplicates that function as the original. | 2014-06-23 02:00:00 |
Capec: CAPEC-397
Reference_from_capec: REF-33 |
2019-09-30 02:00:00 | 2.1 |
Physical Security |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Magnetic Strip Card Brute Force Attacks | Detailed | An adversary analyzes the data on two or more magnetic strip cards and is able to generate new cards containing valid sequences that allow unauthorized access and/or impersonation of individuals. | Often, magnetic strip encoding methods follow a common format for a given system laid out in up to three tracks. A single card may allow access to a corporate office complex shared by multiple companies. By analyzing how the data is stored on a card, it is also possible to create valid cards via brute- force attacks. For example, a single card can grant access to a building, a floor, and a suite number. Reading and analyzing data on multiple cards, then performing a difference analysis between data encoded on three different cards, can reveal clues as to how to generate valid cards that grant access to restricted areas of a building or suites/rooms within that building. Data stored on magstripe cards is often unencrypted, therefore comparing which data changes when two or more cards are analyzed can yield results that aid in determining the structure of the card data. A trivial example would be a common system data format on a data track which binary encodes the suite number of a building that a card will open. By creating multiple cards with differing binary encoded segments it becomes possible to enter unauthorized areas or pass through checkpoints giving the electronic ID of other persons. | 2014-06-23 02:00:00 |
Capec: CAPEC-398
Reference_from_capec: REF-33 |
2022-02-22 01:00:00 | 2.1 |
Physical Security |
None | None |
|
Draft | None | 3.9 | |||||||||||||||||||||||||||||||
| Cloning RFID Cards or Chips | Detailed | An attacker analyzes data returned by an RFID chip and uses this information to duplicate a RFID signal that responds identically to the target chip. In some cases RFID chips are used for building access control, employee identification, or as markers on products being delivered along a supply chain. Some organizations also embed RFID tags inside computer assets to trigger alarms if they are removed from particular rooms, zones, or buildings. Similar to Magnetic strip cards, RFID cards are susceptible to duplication (cloning) and reuse. | RFID (Radio Frequency Identification) are passive devices which consist of an integrated circuit for processing RF signals and an antenna. RFID devices are passive in that they lack an on on-board power source. The majority of RFID chips operate on either the 13.56 MHz or 135 KHz frequency. The chip is powered when a signal is received by the antenna on the chip, powering the chip long enough to send a reply message. An attacker is able to capture and analyze RFID data by either stimulating the chip to respond or being proximate to the chip when it sends a response to a remote transmitter. This allows the attacker to duplicate the signal and conduct attacks such as gaining unauthorized access to a building or impersonating a user's identification. | 2014-06-23 02:00:00 |
Capec: CAPEC-399
Reference_from_capec: REF-33 |
2022-02-22 01:00:00 | 2.1 |
Physical Security |
None | None | Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| RFID Chip Deactivation or Destruction | Detailed | An attacker uses methods to deactivate a passive RFID tag for the purpose of rendering the tag, badge, card, or object containing the tag unresponsive. RFID tags are used primarily for access control, inventory, or anti-theft devices. The purpose of attacking the RFID chip is to disable or damage the chip without causing damage to the object housing it. | When correctly performed the RFID chip can be disabled or destroyed without visible damage or marking to whatever item or device containing the chip. Attacking the chip directly allows for the security device or method to be bypassed without directly damaging the device itself, such as an alarm system or computer system. Various methods exist for damaging or deactivating RFID tags. For example, most common RFID chips can be permanently destroyed by creating a small electromagnetic pulse near the chip itself. One method employed requires the modifying a disposable camera by disconnecting the flash bulb and soldering a copper coil to the capacitor. Firing the camera in this configuration near any RFID chip-based device creates an EMP pulse sufficient to destroy the chip without leaving evidence of tampering. So far this attack has been demonstrated to work against RFID chips in the 13.56 MHz range. | 2014-06-23 02:00:00 |
Capec: CAPEC-400
Reference_from_capec: REF-33 |
2022-02-22 01:00:00 | 2.1 |
Physical Security |
None | None | Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| Bypassing ATA Password Security | Detailed | An adversary exploits a weakness in ATA security on a drive to gain access to the information the drive contains without supplying the proper credentials. ATA Security is often employed to protect hard disk information from unauthorized access. The mechanism requires the user to type in a password before the BIOS is allowed access to drive contents. Some implementations of ATA security will accept the ATA command to update the password without the user having authenticated with the BIOS. This occurs because the security mechanism assumes the user has first authenticated via the BIOS prior to sending commands to the drive. Various methods exist for exploiting this flaw, the most common being installing the ATA protected drive into a system lacking ATA security features (a.k.a. hot swapping). Once the drive is installed into the new system the BIOS can be used to reset the drive password. | 2014-06-23 02:00:00 |
Capec: CAPEC-402
Cwe: CWE-285 Reference_from_capec: REF-33 Reference_from_capec: REF-701 Reference_from_capec: REF-702 |
2022-02-22 01:00:00 | 2.1 |
Supply Chain Physical Security Hardware |
|
None | None |
|
Draft | None | 3.9 | |||||||||||||||||||||||||||||||
| Dumpster Diving | Detailed | An adversary cases an establishment and searches through trash bins, dumpsters, or areas where company information may have been accidentally discarded for information items which may be useful to the dumpster diver. The devastating nature of the items and/or information found can be anything from medical records, resumes, personal photos and emails, bank statements, account details or information about software, tech support logs and so much more, including hardware devices. By collecting this information an adversary may be able to learn important facts about the person or organization that play a role in helping the adversary in their attack. | 2014-06-23 02:00:00 |
Capec: CAPEC-406
Reference_from_capec: REF-348 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Physical Security |
None | None |
|
Stable | Low | 3.9 | |||||||||||||||||||||||||||||||
| Pretexting via Customer Service | Detailed | An adversary engages in pretexting behavior, assuming the role of someone who works for Customer Service, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. One example of a scenario such as this would be to call an individual, articulate your false affiliation with a credit card company, and then attempt to get the individual to verify their credit card number. | 2014-06-23 02:00:00 |
Capec: CAPEC-412
Reference_from_capec: REF-348 |
2019-09-30 02:00:00 | 2.1 |
Social Engineering Social Engineering |
None | None | Draft | Low | 3.9 | |||||||||||||||||||||||||||||||||
| Pretexting via Tech Support | Detailed | An adversary engages in pretexting behavior, assuming the role of a tech support worker, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. An adversary who uses social engineering to impersonate a tech support worker can have devastating effects on a network. This is an effective attack vector, because it can give an adversary physical access to network computers. It only takes a matter of seconds for someone to compromise a computer with physical access. One of the best technological tools at the disposal of a social engineer, posing as a technical support person, is a USB thumb drive. These are small, easy to conceal, and can be loaded with different payloads depending on what task needs to be done. However, this form of attack does not require physical access as it can also be effectively carried out via phone or email. | 2014-06-23 02:00:00 |
Capec: CAPEC-413
Reference_from_capec: REF-348 |
2019-09-30 02:00:00 | 2.1 |
Social Engineering Social Engineering |
None | None | Draft | Low | 3.9 | |||||||||||||||||||||||||||||||||
| Pretexting via Delivery Person | Detailed | An adversary engages in pretexting behavior, assuming the role of a delivery person, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. Impersonating a delivery person is an effective attack and an easy attack since not much acting is involved. Usually the hardest part is looking the part and having all of the proper credentials, papers and "deliveries" in order to be able to pull it off. | 2014-06-23 02:00:00 |
Capec: CAPEC-414
Reference_from_capec: REF-348 |
2019-09-30 02:00:00 | 2.1 |
Social Engineering Social Engineering |
None | None | Draft | Low | 3.9 | |||||||||||||||||||||||||||||||||
| Pretexting via Phone | Detailed | An adversary engages in pretexting behavior, assuming some sort of trusted role, and contacting the targeted individual or organization via phone to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. This is the most common social engineering attack. Some of the most commonly effective approaches are to impersonate a fellow employee, impersonate a computer technician or to target help desk personnel. | 2014-06-23 02:00:00 |
Capec: CAPEC-415
Reference_from_capec: REF-348 |
2019-09-30 02:00:00 | 2.1 |
Social Engineering Social Engineering |
None | None | Draft | Low | 3.9 | |||||||||||||||||||||||||||||||||
| Influence Perception of Reciprocation | Detailed | An adversary uses a social engineering techniques to produce a sense of obligation in the target to perform a certain action or concede some sensitive or key piece of information. Obligation has to do with actions one feels they need to take due to some sort of social, legal, or moral requirement, duty, contract, or promise. There are various techniques for fostering a sense of obligation to reciprocate or concede during ordinary modes of communication. One method is to compliment the target, and follow up the compliment with a question. If performed correctly the target may volunteer a key piece of information, sometimes involuntarily. | 2014-06-23 02:00:00 |
Capec: CAPEC-418
Reference_from_capec: REF-348 Reference_from_capec: REF-360 |
2017-08-04 02:00:00 | 2.1 |
Integrity:
|
Social Engineering |
|
None | Medium |
|
|
Low: The adversary requires strong inter-personal and communication skills. | Draft | Medium | 3.9 | ||||||||||||||||||||||||||||
| Influence Perception of Scarcity | Detailed | The adversary leverages a perception of scarcity to persuade the target to perform an action or divulge information that is advantageous to the adversary. By conveying a perception of scarcity, or a situation of limited supply, the adversary aims to create a sense of urgency in the context of a target's decision-making process. | 2014-06-23 02:00:00 |
Capec: CAPEC-420
Reference_from_capec: REF-348 |
2017-08-04 02:00:00 | 2.1 |
Integrity:
|
Social Engineering |
|
None | High |
|
|
Low: The adversary requires strong inter-personal and communication skills. | Stable | Low | 3.9 | ||||||||||||||||||||||||||||
| Influence Perception of Authority | Detailed | An adversary uses a social engineering technique to convey a sense of authority that motivates the target to reveal specific information or take specific action. There are various techniques for producing a sense of authority during ordinary modes of communication. One common method is impersonation. By impersonating someone with a position of power within an organization, an adversary may motivate the target individual to reveal some piece of sensitive information or perform an action that benefits the adversary. | 2014-06-23 02:00:00 |
Capec: CAPEC-421
Reference_from_capec: REF-348 |
2020-07-30 02:00:00 | 2.1 |
Integrity:
|
Social Engineering |
|
None | High |
|
|
Low: The adversary requires strong inter-personal and communication skills. | Stable | Low | 3.9 | ||||||||||||||||||||||||||||
| Influence Perception of Commitment and Consistency | Detailed | An adversary uses social engineering to convince the target to do minor tasks as opposed to larger actions. After complying with a request, individuals are more likely to agree to subsequent requests that are similar in type and required effort. | 2014-06-23 02:00:00 |
Capec: CAPEC-422
Reference_from_capec: REF-348 |
2020-12-17 01:00:00 | 2.1 |
Integrity:
|
Social Engineering |
None | High |
|
|
Low: The adversary requires strong inter-personal and communication skills. | Stable | Low | 3.9 | |||||||||||||||||||||||||||||
| Influence Perception of Liking | Detailed | The adversary influences the target's actions by building a relationship where the target has a liking to the adversary. People are more likely to be influenced by people of whom they are fond, so the adversary attempts to ingratiate themself with the target via actions, appearance, or a combination thereof. | 2014-06-23 02:00:00 |
Capec: CAPEC-423
Reference_from_capec: REF-348 |
2020-07-30 02:00:00 | 2.1 |
Integrity:
|
Social Engineering |
None | Medium |
|
Low: The adversary requires strong inter-personal and communication skills. | Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| Influence Perception of Consensus or Social Proof | Detailed | The adversary influences the target's actions by leveraging the inherent human nature to assume behavior of others is appropriate. In situations of uncertainty, people tend to behave in ways they see others behaving. The adversary convinces the target of adopting behavior or actions that is advantageous to the adversary. | 2014-06-23 02:00:00 |
Capec: CAPEC-424
Reference_from_capec: REF-348 |
2017-08-04 02:00:00 | 2.1 |
Integrity:
|
Social Engineering |
None | Low |
|
Low: The adversary requires strong inter-personal and communication skills. | Draft | Low | 3.9 | ||||||||||||||||||||||||||||||
| Influence via Modes of Thinking | Detailed | The adversary tailors their communication to the language and thought patterns of the target thereby weakening barriers or reluctance to communication. This method is a way of building rapport with a target by matching their speech patterns and the primary ways or dominant senses with which they make abstractions. This technique can be used to make the target more receptive to sharing information because the adversary has adapted their communication forms to match those of the target. When skillfully employed, the target is likely to be unaware that they are being manipulated. | 2014-06-23 02:00:00 |
Capec: CAPEC-428
Reference_from_capec: REF-348 |
2017-05-01 02:00:00 | 2.1 |
Social Engineering |
None | None | Draft | Low | 3.9 | |||||||||||||||||||||||||||||||||
| Target Influence via Eye Cues | Detailed | The adversary gains information via non-verbal means from the target through eye movements. | 2014-06-23 02:00:00 |
Capec: CAPEC-429
Reference_from_capec: REF-348 |
2017-08-04 02:00:00 | 2.1 |
Social Engineering |
None | None | Draft | Low | 3.9 | |||||||||||||||||||||||||||||||||
| DEPRECATED: Target Influence via Micro-Expressions | Detailed | This attack pattern has been deprecated. | 2014-06-23 02:00:00 |
Capec: CAPEC-430
|
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: Target Influence via Neuro-Linguistic Programming (NLP) | Detailed | This attack pattern has been deprecated. | 2014-06-23 02:00:00 |
Capec: CAPEC-431
|
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: Target Influence via Voice in NLP | Detailed | This attack pattern has been deprecated. | 2014-06-23 02:00:00 |
Capec: CAPEC-432
|
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Target Influence via The Human Buffer Overflow | Detailed | An attacker utilizes a technique to insinuate commands to the subconscious mind of the target via communication patterns. The human buffer overflow methodology does not rely on over-stimulating the mind of the target, but rather embedding messages within communication that the mind of the listener assembles at a subconscious level. The human buffer-overflow method is similar to subconscious programming to the extent that messages are embedded within the message. | The fundamental difference is that embedded messages have a complete semantic quality, rather than mere imagery, and the mind of the target tends to key off of particular dominant patterns. The remaining information, carefully structured, speaks directly to the subconscious with a subtle, indirect, command. The effect is to produce a pattern of thinking that the attacker has predetermined but is buried within the message and not overtly stated. Structuring a human "buffer overflow" requires precise attention to detail and the use of information in a manner that distracts the conscious mind from the message the subconscious is receiving. | 2014-06-23 02:00:00 |
Capec: CAPEC-433
Reference_from_capec: REF-348 |
2022-02-22 01:00:00 | 2.1 |
Social Engineering |
None | None | Draft | Low | 3.9 | ||||||||||||||||||||||||||||||||
| Target Influence via Interview and Interrogation | Detailed | 2014-06-23 02:00:00 |
Capec: CAPEC-434
Reference_from_capec: REF-348 |
2014-06-23 02:00:00 | 2.1 |
Social Engineering |
None | None | Draft | Low | 3.9 | ||||||||||||||||||||||||||||||||||
| Target Influence via Instant Rapport | Detailed | 2014-06-23 02:00:00 |
Capec: CAPEC-435
Reference_from_capec: REF-348 |
2014-06-23 02:00:00 | 2.1 |
Social Engineering |
None | None | Draft | Low | 3.9 | ||||||||||||||||||||||||||||||||||
| Malicious Logic Inserted Into Product by Authorized Developer | Detailed | An adversary uses their privileged position within an authorized development organization to inject malicious logic into a codebase or product. | Supply chain attacks from approved or trusted developers are extremely difficult to detect as it is generally assumed the quality control and internal security measures of these organizations conform to best practices. In some cases the malicious logic is intentional, embedded by a disgruntled employee, programmer, or individual with an otherwise hidden agenda. In other cases, the integrity of the product is compromised by accident (e.g. by lapse in the internal security of the organization that results in a product becoming contaminated). In further cases, the developer embeds a backdoor into a product to serve some purpose, such as product support, but discovery of the backdoor results in its malicious use by adversaries. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment. | 2014-06-23 02:00:00 |
Capec: CAPEC-443
Attack: T1195.002 Attack: T1195.003 Reference_from_capec: REF-379 Reference_from_capec: REF-704 Reference_from_capec: REF-705 |
2022-09-29 02:00:00 | 2.1 |
Authorization:
|
Supply Chain Software Hardware |
|
None | Medium |
|
Stable | High | 3.9 | |||||||||||||||||||||||||||||
| Malicious Logic Insertion into Product Software via Configuration Management Manipulation | Detailed | An adversary exploits a configuration management system so that malicious logic is inserted into a software products build, update or deployed environment. If an adversary can control the elements included in a product's configuration management for build they can potentially replace, modify or insert code files containing malicious logic. If an adversary can control elements of a product's ongoing operational configuration management baseline they can potentially force clients receiving updates from the system to install insecure software when receiving updates from the server. | Configuration management servers operate on the basis of a client pool, instructing each client on which software to install. In some cases the configuration management server will automate the software installation process. A malicious insider or an adversary who has compromised the server can alter the software baseline that clients must install, allowing the adversary to compromise a large number of satellite machines using the configuration management system. If an adversary can control elements of a product's configuration management for its deployed environment they can potentially alter fundamental security properties of the system based on assumptions that secure configurations are in place. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment. | 2014-06-23 02:00:00 |
Capec: CAPEC-445
Attack: T1195.001 Reference_from_capec: REF-379 Reference_from_capec: REF-706 |
2022-09-29 02:00:00 | 2.1 |
Authorization:
|
Supply Chain Software |
|
None | Medium |
|
Stable | High | 3.9 | |||||||||||||||||||||||||||||
| Malicious Logic Insertion into Product via Inclusion of Third-Party Component | Detailed | An adversary conducts supply chain attacks by the inclusion of insecure third- party components into a technology, product, or code-base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer. | The result is a window of opportunity for exploiting the product until the insecure component is discovered. This supply chain threat can result in the installation of malicious software or hardware that introduces widespread security vulnerabilities within an organization. Additionally, because software often depends upon a large number of interdependent libraries and components to be present, security holes can be introduced merely by installing Commercial off the Shelf (COTS) or Open Source Software (OSS) software that comes pre-packaged with the components required for it to operate. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment. | 2014-06-23 02:00:00 |
Capec: CAPEC-446
Attack: T1195 Reference_from_capec: REF-379 Reference_from_capec: REF-707 Reference_from_capec: REF-708 Reference_from_capec: REF-709 Reference_from_capec: REF-713 |
2022-09-29 02:00:00 | 2.1 |
Authorization:
|
Supply Chain Software Hardware |
|
None | Medium |
|
Stable | High | 3.9 | |||||||||||||||||||||||||||||
| Embed Virus into DLL | Detailed | An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop. | 2014-06-23 02:00:00 |
Capec: CAPEC-448
Cwe: CWE-506 Attack: T1027.009 |
2023-01-24 01:00:00 | 2.1 |
Authorization:
|
Software |
None | Medium |
|
Stable | High | 3.9 | |||||||||||||||||||||||||||||||
| DEPRECATED: Malware Propagation via USB Stick | Detailed | This attack pattern has been deprecated as it is a duplicate of CAPEC-448 : Malware Infection into Product Software. Please refer to this other pattern going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-449
|
2017-05-01 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: Malware Propagation via Infected Peripheral Device | Detailed | This attack pattern has been deprecated as it is a duplicate of CAPEC-448 : Malware Infection into Product Software. Please refer to this other pattern going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-451
|
2018-07-31 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: Modification of Existing Components with Counterfeit Hardware | Detailed | This attack pattern has been deprecated as it is a duplicate of CAPEC-452 : Malicious Logic Insertion into Product Hardware. Please refer to this other pattern going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-454
|
2017-05-01 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| DEPRECATED: Malicious Logic Insertion via Inclusion of Counterfeit Hardware Components | Detailed | This attack pattern has been deprecated as it is a duplicate of CAPEC-457 : Malicious Logic Insertion into Product Hardware. Please refer to this other pattern going forward. | 2014-06-23 02:00:00 |
Capec: CAPEC-455
|
2017-05-01 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| USB Memory Attacks | Detailed | An adversary loads malicious code onto a USB memory stick in order to infect any system which the device is plugged in to. USB drives present a significant security risk for business and government agencies. Given the ability to integrate wireless functionality into a USB stick, it is possible to design malware that not only steals confidential data, but sniffs the network, or monitor keystrokes, and then exfiltrates the stolen data off-site via a Wireless connection. Also, viruses can be transmitted via the USB interface without the specific use of a memory stick. The attacks from USB devices are often of such sophistication that experts conclude they are not the work of single individuals, but suggest state sponsorship. These attacks can be performed by an adversary with direct access to a target system or can be executed via means such as USB Drop Attacks. | 2014-06-23 02:00:00 |
Capec: CAPEC-457
Cwe: CWE-1299 Attack: T1091 Attack: T1092 Reference_from_capec: REF-379 |
2023-01-24 01:00:00 | 2.1 |
Software Hardware |
Explore
Experiment
Exploit
|
Low |
|
Draft | High | 3.9 | ||||||||||||||||||||||||||||||||
| Flash Memory Attacks | Detailed | An adversary inserts malicious logic into a product or technology via flashing the on-board memory with a code-base that contains malicious logic. Various attacks exist against the integrity of flash memory, the most direct being rootkits coded into the BIOS or chipset of a device. | Such attacks are very difficult to detect because the malicious code resides outside the filesystem or RAM, and in the underlying byte-code that drives the processor. Many devices, such as the recent attacks against digital picture frames, contain only a microprocessor and a small amount of solid-state memory, rendering these devices ideal for "flash" based malware or malicious logic. One of the pernicious characteristics of flash memory based attacks is that the malicious code can survive even a total format of the hard-drive and reinstallation of the host operating system. Virtually any device which can be integrated into a computer system is susceptible to these attacks. Additionally, any peripheral device which interfaces with the computer bus could extract or sniff confidential data, even on systems employing full-disk encryption. Trojan code placed into a video card's chipset would continue to perform its function irrespective of the host operating system, and would be invisible to all known antivirus. The threats extend to consumer products such as camcorders, digital cameras, or any consumer electronic device with an embedded microcontroller. | 2014-06-23 02:00:00 |
Capec: CAPEC-458
Cwe: CWE-1282 Reference_from_capec: REF-379 Reference_from_capec: REF-394 |
2023-01-24 01:00:00 | 2.1 |
Software Hardware |
None | None | Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| Creating a Rogue Certification Authority Certificate | Detailed | An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. | Alternatively, the second certificate could be a signing certificate. Thus the adversary is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attacker's first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will the Certificate Authority set up by the adversary and any certificates that it signs. As a result, the adversary is able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec). | 2014-06-23 02:00:00 |
Capec: CAPEC-459
Cwe: CWE-327 Cwe: CWE-295 Cwe: CWE-290 Reference_from_capec: REF-395 Reference_from_capec: REF-587 |
2022-09-29 02:00:00 | 2.1 |
Access Control:
|
Software |
|
Experiment
Exploit
|
Medium |
|
|
High: An attacker must be able to craft two X.509 certificates that produce the same hash value Medium: Knowledge needed to set up a certification authority | Draft | Very High | 3.9 | |||||||||||||||||||||||||||
| HTTP Parameter Pollution (HPP) | Detailed | An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules. | 2014-06-23 02:00:00 |
Capec: CAPEC-460
Cwe: CWE-88 Cwe: CWE-147 Cwe: CWE-235 Owasp Attacks: Web Parameter Tampering Reference_from_capec: REF-397 Reference_from_capec: REF-606 |
2022-02-22 01:00:00 | 2.1 |
Software |
Explore
Experiment
Exploit
|
None |
|
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Cross-Domain Search Timing | Detailed | An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain. | For GET requests an attacker could for instance leverage the "img" tag in conjunction with "onload() / onerror()" javascript events. For the POST requests, an attacker could leverage the "iframe" element and leverage the "onload()" event. There is nothing in the current browser security model that prevents an attacker to use these methods to time responses to the attackers' cross domain requests. The timing for these responses leaks information. For instance, if a victim has an active session with their online e-mail account, an attacker could issue search requests in the victim's mailbox. While the attacker is not able to view the responses, based on the timings of the responses, the attacker could ask yes / no questions as to the content of victim's e-mails, who the victim e-mailed, when, etc. This is but one example; There are other scenarios where an attacker could infer potentially sensitive information from cross domain requests by timing the responses while asking the right questions that leak information. | 2014-06-23 02:00:00 |
Capec: CAPEC-462
Cwe: CWE-385 Cwe: CWE-352 Cwe: CWE-208 Reference_from_capec: REF-399 |
2022-02-22 01:00:00 | 2.1 |
Confidentiality:
|
Software |
Explore
Experiment
Exploit
|
None |
|
|
Low: Some knowledge of Java Script | Draft | Medium | 3.9 | ||||||||||||||||||||||||||||
| Padding Oracle Crypto Attack | Detailed | An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key. | Any cryptosystem can be vulnerable to padding oracle attacks if the encrypted messages are not authenticated to ensure their validity prior to decryption, and then the information about padding error is leaked to the adversary. This attack technique may be used, for instance, to break CAPTCHA systems or decrypt/modify state information stored in client side objects (e.g., hidden fields or cookies). This attack technique is a side-channel attack on the cryptosystem that uses a data leak from an improperly implemented decryption routine to completely subvert the cryptosystem. The one bit of information that tells the adversary whether a padding error during decryption has occurred, in whatever form it comes, is sufficient for the adversary to break the cryptosystem. That bit of information can come in a form of an explicit error message about a padding error, a returned blank page, or even the server taking longer to respond (a timing attack). This attack can be launched cross domain where an adversary is able to use cross-domain information leaks to get the bits of information from the padding oracle from a target system / service with which the victim is communicating. | 2014-06-23 02:00:00 |
Capec: CAPEC-463
Cwe: CWE-209 Cwe: CWE-514 Cwe: CWE-649 Cwe: CWE-347 Cwe: CWE-354 Cwe: CWE-696 Reference_from_capec: REF-400 |
2022-02-22 01:00:00 | 2.1 |
Communications |
|
None | None |
|
|
Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Cross Site Identification | Detailed | An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the "remember me" feature to keep their session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing). | There are many other ways in which the attacker may get the payload to execute in the victim's browser mainly by finding a way to hide it in some reputable site that the victim visits. The attacker could also send the link to the victim in an e-mail and trick the victim into clicking on the link. This attack is basically a cross site request forgery attack with two main differences. First, there is no action that is performed on behalf of the user aside from harvesting information. So standard CSRF protection may not work in this situation. Second, what is important in this attack pattern is the nature of the data being harvested, which is identifying information that can be obtained and used in context. This real time harvesting of identifying information can be used as a prelude for launching real time targeted social engineering attacks on the victim. | 2014-06-23 02:00:00 |
Capec: CAPEC-467
Cwe: CWE-352 Cwe: CWE-359 Reference_from_capec: REF-404 |
2022-02-22 01:00:00 | 2.1 |
Software |
|
None | None |
|
High: An attacker should be able to create a payload and deliver it to the victim's browser. Medium: An attacker needs to know how to interact with various social networking sites (e.g., via available APIs) to request information and how to send the harvested data back to the attacker. | Draft | Low | 3.9 | |||||||||||||||||||||||||||||
| Expanding Control over the Operating System from the Database | Detailed | An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc. | 2014-06-23 02:00:00 |
Capec: CAPEC-470
Cwe: CWE-250 Cwe: CWE-89 Reference_from_capec: REF-408 |
2020-12-17 01:00:00 | 2.1 |
Software |
Explore
Experiment
Exploit
|
None |
|
High: Low level knowledge of the various facilities available in different DBMS systems for interacting with the file system and operating system | Draft | Very High | 3.9 | |||||||||||||||||||||||||||||||
| Search Order Hijacking | Detailed | An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded. | 2014-06-23 02:00:00 |
Capec: CAPEC-471
Cwe: CWE-427 Attack: T1574.001 Attack: T1574.004 Attack: T1574.008 Reference_from_capec: REF-409 |
2022-09-29 02:00:00 | 2.1 |
Software |
|
Explore
Experiment
Exploit
|
None |
|
Medium: Ability to create a malicious library. | Stable | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Browser Fingerprinting | Detailed | An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser. | 2014-06-23 02:00:00 |
Capec: CAPEC-472
Cwe: CWE-200 Reference_from_capec: REF-410 |
2022-09-29 02:00:00 | 2.1 |
Software |
|
None | None |
|
Draft | Low | 3.9 | |||||||||||||||||||||||||||||||
| Signature Spoofing by Key Theft | Detailed | An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker. | 2014-06-23 02:00:00 |
Capec: CAPEC-474
Cwe: CWE-522 Attack: T1552.004 Reference_from_capec: REF-411 Reference_from_capec: REF-412 Reference_from_capec: REF-413 |
2022-09-29 02:00:00 | 2.1 |
Software |
None | Medium |
|
Low: Knowledge of common location methods and access methods to sensitive data High: Ability to compromise systems containing sensitive data | Draft | High | 3.9 | |||||||||||||||||||||||||||||||
| Signature Spoofing by Improper Validation | Detailed | An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key. | Signature verification algorithms are generally used to determine whether a certificate or piece of code (e.g. executable, binary, etc.) possesses a valid signature and can be trusted. If the leveraged algorithm confirms that a valid signature exists, it establishes a foundation of trust that is further conveyed to the end-user when interacting with a website or application. However, if the signature verification algorithm improperly validates the signature, either by not validating the signature at all or by failing to fully validate the signature, it could result in an adversary generating a spoofed signature and being classified as a legitimate entity. Successfully exploiting such a weakness could further allow the adversary to reroute users to malicious sites, steals files, activates microphones, records keystrokes and passwords, wipes disks, installs malware, and more. | 2014-06-23 02:00:00 |
Capec: CAPEC-475
Cwe: CWE-347 Cwe: CWE-327 Cwe: CWE-295 Reference_from_capec: REF-562 Reference_from_capec: REF-563 Reference_from_capec: REF-564 |
2022-02-22 01:00:00 | 2.1 |
Software |
|
None | Low |
|
High: Reverse engineering and cryptanalysis of signature verification algorithm implementation | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Signature Spoofing by Misrepresentation | Detailed | An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions. | 2014-06-23 02:00:00 |
Capec: CAPEC-476
Cwe: CWE-290 Reference_from_capec: REF-414 |
2019-04-04 02:00:00 | 2.1 |
Software |
None | Low |
|
High: Attacker may be required to create malformed data blobs and know how to insert them in a location that the recipient will visit. | Draft | High | 3.9 | |||||||||||||||||||||||||||||||
| Signature Spoofing by Mixing Signed and Unsigned Content | Detailed | An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data. | 2014-06-23 02:00:00 |
Capec: CAPEC-477
Cwe: CWE-693 Cwe: CWE-311 Cwe: CWE-319 |
2014-06-23 02:00:00 | 2.1 |
Software |
None | Low |
|
High: Attacker must be able to create malformed data blobs and know how to insert them in a location that the recipient will visit. | Draft | High | 3.9 | |||||||||||||||||||||||||||||||
| Modification of Windows Service Configuration | Detailed | An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. The goal of this attack is to execute a malicious binary in place of an existing service. | 2018-04-25 02:00:00 |
Capec: CAPEC-478
Cwe: CWE-284 Attack: T1574.011 Attack: T1543.003 |
2021-10-21 02:00:00 | 2.1 |
Integrity:
|
Software |
Explore
Experiment
Exploit
|
Low |
|
|
Usable | High | 3.9 | ||||||||||||||||||||||||||||||
| Malicious Root Certificate | Detailed | An adversary exploits a weakness in authorization and installs a new root certificate on a compromised system. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials. | 2018-04-26 02:00:00 |
Capec: CAPEC-479
Cwe: CWE-284 Attack: T1553.004 |
2020-07-30 02:00:00 | 2.1 |
Software |
None | Low |
|
Stable | Low | 3.9 | ||||||||||||||||||||||||||||||||
| Signature Spoofing by Key Recreation | Detailed | An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker. | 2014-06-23 02:00:00 |
Capec: CAPEC-485
Cwe: CWE-330 Attack: T1552.004 Reference_from_capec: REF-419 Reference_from_capec: REF-420 |
2022-09-29 02:00:00 | 2.1 |
Software |
None | Low |
|
High: Ability to create malformed data blobs and know how to present them directly or indirectly to a victim. | Draft | High | 3.9 | |||||||||||||||||||||||||||||||
| Quadratic Data Expansion | Detailed | An adversary exploits macro-like substitution to cause a denial of service situation due to excessive memory being allocated to fully expand the data. The result of this denial of service could cause the application to freeze or crash. This involves defining a very large entity and using it multiple times in a single entity substitution. CAPEC-197 is a similar attack pattern, but it is easier to discover and defend against. This attack pattern does not perform multi-level substitution and therefore does not obviously appear to consume extensive resources. | 2014-06-23 02:00:00 |
Capec: CAPEC-491
Cwe: CWE-770 |
2022-09-29 02:00:00 | 2.1 |
|
Availability:
|
Software |
|
Explore
Exploit
|
None |
|
Draft | None | 3.9 | |||||||||||||||||||||||||||||
| Probe iOS Screenshots | Detailed | An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. This attack targets temporary screenshots created by the underlying OS while the application remains open in the background. | These images are used by iOS to aid in the visual transition between open applications and improve the user's experience with a device. An application can be at risk even if it properly protects sensitive information when at rest. If the application displays sensitive information on the screen, then the potential exists for iOS to unintentionally record that information in an image file. An adversary can retrieve these images either by gaining access to the image files, or by physically obtaining the device and leveraging the multitasking switcher interface. This attack differs from CAPEC-648, which targets intentional screenshots initiated by an end-user that are stored in the device's storage. | 2014-06-23 02:00:00 |
Capec: CAPEC-498
Cwe: CWE-359 Reference_from_capec: REF-426 |
2023-01-24 01:00:00 | 2.1 |
Software |
None | None |
|
Draft | None | 3.9 | |||||||||||||||||||||||||||||||
| WebView Injection | Detailed | An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page. | 2014-06-23 02:00:00 |
Capec: CAPEC-500
Cwe: CWE-749 Cwe: CWE-940 Reference_from_capec: REF-430 |
2023-01-24 01:00:00 | 2.1 |
Software |
Explore
Experiment
Exploit
|
None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| Android Activity Hijack | Detailed | An adversary intercepts an implicit intent sent to launch a Android-based trusted activity and instead launches a counterfeit activity in its place. The malicious activity is then used to mimic the trusted activity's user interface and prompt the target to enter sensitive data as if they were interacting with the trusted activity. | 2014-06-23 02:00:00 |
Capec: CAPEC-501
Cwe: CWE-923 Reference_from_capec: REF-427 |
2021-10-21 02:00:00 | 2.1 |
Confidentiality:
|
Software Software |
Explore
Experiment
Exploit
|
None |
|
|
High: The adversary must typically overcome network and host defenses in order to place malware on the system. | Draft | Medium | 3.9 | |||||||||||||||||||||||||||||
| Scheme Squatting | Detailed | An adversary, through a previously installed malicious application, registers for a URL scheme intended for a target application that has not been installed. Thereafter, messages intended for the target application are handled by the malicious application. Upon receiving a message, the malicious application displays a screen that mimics the target application, thereby convincing the user to enter sensitive information. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user as they think that they are interacting with the intended target application. | 2014-06-23 02:00:00 |
Capec: CAPEC-505
Reference_from_capec: REF-434 |
2022-09-29 02:00:00 | 2.1 |
Social Engineering |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Shoulder Surfing | Detailed | In a shoulder surfing attack, an adversary observes an unaware individual's keystrokes, screen content, or conversations with the goal of obtaining sensitive information. One motive for this attack is to obtain sensitive information about the target for financial, personal, political, or other gains. From an insider threat perspective, an additional motive could be to obtain system/application credentials or cryptographic keys. Shoulder surfing attacks are accomplished by observing the content "over the victim's shoulder", as implied by the name of this attack. | 2020-07-30 02:00:00 |
Capec: CAPEC-508
Cwe: CWE-200 Cwe: CWE-359 |
2020-07-30 02:00:00 | 2.1 |
Confidentiality:
|
Physical Security |
|
None | High |
|
Low: In most cases, an adversary can simply observe and retain the desired information. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Kerberoasting | Detailed | Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials. | 2019-04-04 02:00:00 |
Capec: CAPEC-509
Cwe: CWE-522 Cwe: CWE-308 Cwe: CWE-309 Cwe: CWE-294 Cwe: CWE-263 Cwe: CWE-262 Cwe: CWE-521 Attack: T1558.003 Reference_from_capec: REF-559 Reference_from_capec: REF-585 Reference_from_capec: REF-586 |
2020-12-17 01:00:00 | 2.1 |
Confidentiality:
|
Software |
|
Explore
Experiment
Exploit
|
None |
|
Medium: | Stable | High | 3.9 | |||||||||||||||||||||||||||||
| Infiltration of Software Development Environment | Detailed | An attacker uses common delivery mechanisms such as email attachments or removable media to infiltrate the IDE (Integrated Development Environment) of a victim manufacturer with the intent of implanting malware allowing for attack control of the victim IDE environment. The attack then uses this access to exfiltrate sensitive data or information, manipulate said data or information, and conceal these actions. This will allow and aid the attack to meet the goal of future compromise of a recipient of the victim's manufactured product further down in the supply chain. | 2014-06-23 02:00:00 |
Capec: CAPEC-511
Attack: T1195.001 Reference_from_capec: REF-439 |
2022-09-29 02:00:00 | 2.1 |
Supply Chain |
|
None | Low |
|
High: Development skills to construct malicious attachments that can be used to exploit vulnerabilities in typical desktop applications or system configurations. The malicious attachments should be crafted well enough to bypass typical defensive systems (IDS, anti-virus, etc) Medium: Intelligence about the manufacturer's operating environment and infrastructure. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Hardware Component Substitution During Baselining | Detailed | An adversary with access to system components during allocated baseline development can substitute a maliciously altered hardware component for a baseline component during the product development and research phases. This can lead to adjustments and calibrations being made in the product so that when the final product, now containing the modified component, is deployed it will not perform as designed and be advantageous to the adversary. | 2014-06-23 02:00:00 |
Capec: CAPEC-516
Attack: T1195.003 Reference_from_capec: REF-439 Reference_from_capec: REF-712 |
2022-09-29 02:00:00 | 2.1 |
Supply Chain Hardware |
|
None | Low |
|
High: Resources to physically infiltrate supplier. Medium: Intelligence data on victim's purchasing habits. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Documentation Alteration to Circumvent Dial-down | Detailed | An attacker with access to a manufacturer's documentation, which include descriptions of advanced technology and/or specific components' criticality, alters the documents to circumvent dial-down functionality requirements. This alteration would change the interpretation of implementation and manufacturing techniques, allowing for advanced technologies to remain in place even though these technologies might be restricted to certain customers, such as nations on the terrorist watch list, giving the attacker on the receiving end of a shipped product access to an advanced technology that might otherwise be restricted. | 2014-06-23 02:00:00 |
Capec: CAPEC-517
Reference_from_capec: REF-439 Reference_from_capec: REF-715 |
2022-02-22 01:00:00 | 2.1 |
Supply Chain |
|
None | Low |
|
High: Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Documentation Alteration to Produce Under-performing Systems | Detailed | An attacker with access to a manufacturer's documentation alters the descriptions of system capabilities with the intent of causing errors in derived system requirements, impacting the overall effectiveness and capability of the system, allowing an attacker to take advantage of the introduced system capability flaw once the system is deployed. | 2014-06-23 02:00:00 |
Capec: CAPEC-518
Reference_from_capec: REF-439 Reference_from_capec: REF-715 |
2022-02-22 01:00:00 | 2.1 |
Supply Chain |
|
None | Low |
|
High: Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Documentation Alteration to Cause Errors in System Design | Detailed | An attacker with access to a manufacturer's documentation containing requirements allocation and software design processes maliciously alters the documentation in order to cause errors in system design. This allows the attacker to take advantage of a weakness in a deployed system of the manufacturer for malicious purposes. | 2014-06-23 02:00:00 |
Capec: CAPEC-519
Reference_from_capec: REF-439 Reference_from_capec: REF-715 |
2022-02-22 01:00:00 | 2.1 |
Supply Chain |
|
None | Low |
|
High: Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Counterfeit Hardware Component Inserted During Product Assembly | Detailed | An adversary with either direct access to the product assembly process or to the supply of subcomponents used in the product assembly process introduces counterfeit hardware components into product assembly. The assembly containing the counterfeit components results in a system specifically designed for malicious purposes. | 2014-06-23 02:00:00 |
Capec: CAPEC-520
Attack: T1195.003 Reference_from_capec: REF-439 Reference_from_capec: REF-712 Reference_from_capec: REF-713 |
2022-09-29 02:00:00 | 2.1 |
Supply Chain |
|
None | Low |
|
High: Resources to physically infiltrate manufacturer or manufacturer's supplier. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Hardware Design Specifications Are Altered | Detailed | An attacker with access to a manufacturer's hardware manufacturing process documentation alters the design specifications, which introduces flaws advantageous to the attacker once the system is deployed. | 2014-06-23 02:00:00 |
Capec: CAPEC-521
Reference_from_capec: REF-439 Reference_from_capec: REF-715 |
2022-02-22 01:00:00 | 2.1 |
Supply Chain Hardware |
|
None | Low |
|
High: Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Provide Counterfeit Component | Detailed | An attacker provides a counterfeit component during the procurement process of a lower-tier component supplier to a sub-system developer or integrator, which is then built into the system being upgraded or repaired by the victim, allowing the attacker to cause disruption or additional compromise. | 2014-06-23 02:00:00 |
Capec: CAPEC-530
Reference_from_capec: REF-439 Reference_from_capec: REF-698 Reference_from_capec: REF-703 |
2022-02-22 01:00:00 | 2.1 |
Supply Chain Physical Security Hardware |
|
None | Low |
|
High: Able to develop and manufacture malicious system components that resemble legitimate name-brand components. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Hardware Component Substitution | Detailed | An attacker substitutes out a tested and approved hardware component for a maliciously-altered hardware component. This type of attack is carried out directly on the system, enabling the attacker to then cause disruption or additional compromise. | 2014-06-23 02:00:00 |
Capec: CAPEC-531
Attack: T1195.003 |
2022-09-29 02:00:00 | 2.1 |
Supply Chain Physical Security Hardware |
|
None | Low |
|
High: Able to develop and manufacture malicious system components that perform the same functions and processes as their non-malicious counterparts. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Altered Installed BIOS | Detailed | An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation. | 2014-06-23 02:00:00 |
Capec: CAPEC-532
Attack: T1495 Attack: T1542.001 Reference_from_capec: REF-439 Reference_from_capec: REF-716 |
2022-09-29 02:00:00 | 2.1 |
Supply Chain Software |
|
None | Low |
|
High: Able to develop a malicious BIOS image with the original functionality as a normal BIOS image, but with added functionality that allows for later compromise and/or disruption. | Stable | High | 3.9 | ||||||||||||||||||||||||||||||
| Malicious Manual Software Update | Detailed | An attacker introduces malicious code to the victim's system by altering the payload of a software update, allowing for additional compromise or site disruption at the victim location. These manual, or user-assisted attacks, vary from requiring the user to download and run an executable, to as streamlined as tricking the user to click a URL. Attacks which aim at penetrating a specific network infrastructure often rely upon secondary attack methods to achieve the desired impact. Spamming, for example, is a common method employed as an secondary attack vector. Thus the attacker has in their arsenal a choice of initial attack vectors ranging from traditional SMTP/POP/IMAP spamming and its varieties, to web-application mechanisms which commonly implement both chat and rich HTML messaging within the user interface. | 2014-06-23 02:00:00 |
Capec: CAPEC-533
Cwe: CWE-494 Reference_from_capec: REF-710 |
2022-02-22 01:00:00 | 2.1 |
Social Engineering Supply Chain Software |
|
None | Low |
|
High: Able to develop malicious code that can be used on the victim's system while maintaining normal functionality. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Malicious Gray Market Hardware | Detailed | An attacker maliciously alters hardware components that will be sold on the gray market, allowing for victim disruption and compromise when the victim needs replacement hardware components for systems where the parts are no longer in regular supply from original suppliers, or where the hardware components from the attacker seems to be a great benefit from a cost perspective. | 2014-06-23 02:00:00 |
Capec: CAPEC-535
Reference_from_capec: REF-439 |
2022-02-22 01:00:00 | 2.1 |
Supply Chain Physical Security Hardware |
|
None | Low |
|
High: Able to develop and manufacture malicious hardware components that perform the same functions and processes as their non-malicious counterparts. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Infiltration of Hardware Development Environment | Detailed | An adversary, leveraging the ability to manipulate components of primary support systems and tools within the development and production environments, inserts malicious software within the hardware and/or firmware development environment. The infiltration purpose is to alter developed hardware components in a system destined for deployment at the victim's organization, for the purpose of disruption or further compromise. | 2014-06-23 02:00:00 |
Capec: CAPEC-537
Attack: T1195.003 Reference_from_capec: REF-439 Reference_from_capec: REF-712 |
2022-09-29 02:00:00 | 2.1 |
Supply Chain Hardware |
|
None | Low |
|
High: Development skills to construct malicious attachments that can be used to exploit vulnerabilities in typical desktop applications or system configurations. The malicious attachments should be crafted well enough to bypass typical defensive systems (IDS, anti-virus, etc) Medium: Intelligence about the manufacturer's operating environment and infrastructure. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Open-Source Library Manipulation | Detailed | Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems. | 2014-06-23 02:00:00 |
Capec: CAPEC-538
Cwe: CWE-494 Cwe: CWE-829 Attack: T1195.001 Reference_from_capec: REF-439 |
2023-01-24 01:00:00 | 2.1 |
Software |
|
Explore
Experiment
Exploit
|
Low |
|
High: Advanced knowledge about the inclusion and specific usage of an open source code project within system being targeted for infiltration. | Stable | High | 3.9 | ||||||||||||||||||||||||||||||
| ASIC With Malicious Functionality | Detailed | An attacker with access to the development environment process of an application-specific integrated circuit (ASIC) for a victim system being developed or maintained after initial deployment can insert malicious functionality into the system for the purpose of disruption or further compromise. | 2014-06-23 02:00:00 |
Capec: CAPEC-539
Attack: T1195.003 Reference_from_capec: REF-439 |
2022-09-29 02:00:00 | 2.1 |
Supply Chain Hardware |
|
None | Low |
|
High: Able to develop and manufacture malicious subroutines for an ASIC environment without degradation of existing functions and processes. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Counterfeit Websites | Detailed | Adversary creates duplicates of legitimate websites. When users visit a counterfeit site, the site can gather information or upload malware. | 2014-06-23 02:00:00 |
Capec: CAPEC-543
Attack: T1036.005 |
2022-09-29 02:00:00 | 2.1 |
Social Engineering |
None | None |
|
Draft | High | 3.9 | ||||||||||||||||||||||||||||||||
| Counterfeit Organizations | Detailed | An adversary creates a false front organizations with the appearance of a legitimate supplier in the critical life cycle path that then injects corrupted/malicious information system components into the organizational supply chain. | 2014-06-23 02:00:00 |
Capec: CAPEC-544
|
2022-09-29 02:00:00 | 2.1 |
Social Engineering |
None | None |
|
Draft | High | 3.9 | ||||||||||||||||||||||||||||||||
| Incomplete Data Deletion in a Multi-Tenant Environment | Detailed | An adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment. If a cloud provider fails to completely delete storage and data from former cloud tenants' systems/resources, once these resources are allocated to new, potentially malicious tenants, the latter can probe the provided resources for sensitive information still there. | 2014-06-23 02:00:00 |
Capec: CAPEC-546
Cwe: CWE-284 Cwe: CWE-1266 Cwe: CWE-1272 Reference_from_capec: REF-461 |
2021-10-21 02:00:00 | 2.1 |
Confidentiality:
|
Software Hardware |
None | Low |
|
Low: The adversary requires the ability to traverse directory structure. | Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Install New Service | Detailed | When an operating system starts, it also starts programs called services or daemons. Adversaries may install a new service which will be executed at startup (on a Windows system, by modifying the registry). The service name may be disguised by using a name from a related operating system or benign software. Services are usually run with elevated privileges. | 2015-11-09 01:00:00 |
Capec: CAPEC-550
Cwe: CWE-284 Attack: T1543 |
2022-09-29 02:00:00 | 2.1 |
Software |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Modify Existing Service | Detailed | When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used. | 2015-11-09 01:00:00 |
Capec: CAPEC-551
Cwe: CWE-284 Cwe: CWE-522 Attack: T1543 |
2022-09-29 02:00:00 | 2.1 |
Software |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Install Rootkit | Detailed | An adversary exploits a weakness in authentication to install malware that alters the functionality and information provide by targeted operating system API calls. Often referred to as rootkits, it is often used to hide the presence of programs, files, network connections, services, drivers, and other system components. | 2015-11-09 01:00:00 |
Capec: CAPEC-552
Cwe: CWE-284 Attack: T1014 Attack: T1542.003 Attack: T1547.006 |
2020-07-30 02:00:00 | 2.1 |
Software |
|
None | Medium | Draft | High | 3.9 | ||||||||||||||||||||||||||||||||
| Replace File Extension Handlers | Detailed | When a file is opened, its file handler is checked to determine which program opens the file. File handlers are configuration properties of many operating systems. Applications can modify the file handler for a given file extension to call an arbitrary program when a file with the given extension is opened. | 2015-11-09 01:00:00 |
Capec: CAPEC-556
Cwe: CWE-284 Attack: T1546.001 |
2020-07-30 02:00:00 | 2.1 |
Software |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| DEPRECATED: Schedule Software To Run | Detailed | This CAPEC has been deprecated because it is not directly related to a weakness, social engineering, supply chains, or a physical-based attack. | 2015-11-09 01:00:00 |
Capec: CAPEC-557
|
2020-07-30 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Replace Trusted Executable | Detailed | An adversary exploits weaknesses in privilege management or access control to replace a trusted executable with a malicious version and enable the execution of malware when that trusted executable is called. | 2015-11-09 01:00:00 |
Capec: CAPEC-558
Cwe: CWE-284 Attack: T1505.005 Attack: T1546.008 |
2022-09-29 02:00:00 | 2.1 |
Software |
|
None | Low | Stable | High | 3.9 | ||||||||||||||||||||||||||||||||
| Orbital Jamming | Detailed | In this attack pattern, the adversary sends disruptive signals at a target satellite using a rogue uplink station to disrupt the intended transmission. Those within the satellite's footprint are prevented from reaching the satellite's targeted or neighboring channels. The satellite's footprint size depends upon its position in the sky; higher orbital satellites cover multiple continents. | 2017-01-12 01:00:00 |
Capec: CAPEC-559
Reference_from_capec: REF-462 |
2017-01-12 01:00:00 | 2.1 |
Availability:
|
Communications |
None | Low |
|
|
Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Windows Admin Shares with Stolen Credentials | Detailed | An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain. | Windows systems within the Windows NT family contain hidden network shares that are only accessible to system administrators. These shares allow administrators to remotely access all disk volumes on a network-connected system and further allow for files to be copied, written, and executed, along with other administrative actions. Example network shares include: C$, ADMIN$ and IPC$. If an adversary is able to obtain legitimate Windows credentials, the hidden shares can be accessed remotely, via server message block (SMB) or the Net utility, to transfer files and execute code. It is also possible for adversaries to utilize NTLM hashes to access administrator shares on systems with certain configuration and patch levels. | 2015-11-09 01:00:00 |
Capec: CAPEC-561
Cwe: CWE-522 Cwe: CWE-308 Cwe: CWE-309 Cwe: CWE-294 Cwe: CWE-263 Cwe: CWE-262 Cwe: CWE-521 Attack: T1021.002 Reference_from_capec: REF-577 Reference_from_capec: REF-578 Reference_from_capec: REF-579 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
None |
|
|
Low: Once an adversary obtains a known Windows credential, leveraging it is trivial. | Draft | None | 3.9 | |||||||||||||||||||||||||||
| Modify Shared File | Detailed | An adversary manipulates the files in a shared location by adding malicious programs, scripts, or exploit code to valid content. Once a user opens the shared content, the tainted content is executed. | 2015-11-09 01:00:00 |
Capec: CAPEC-562
Cwe: CWE-284 Attack: T1080 |
2019-04-04 02:00:00 | 2.1 |
Software |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Add Malicious File to Shared Webroot | Detailed | An adversaries may add malicious content to a website through the open file share and then browse to that content with a web browser to cause the server to execute the content. The malicious content will typically run under the context and permissions of the web server process, often resulting in local system or administrative privileges depending on how the web server is configured. | 2015-11-09 01:00:00 |
Capec: CAPEC-563
Cwe: CWE-284 |
2020-07-30 02:00:00 | 2.1 |
Software |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Run Software at Logon | Detailed | Operating system allows logon scripts to be run whenever a specific user or users logon to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users logon to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary. | 2015-11-09 01:00:00 |
Capec: CAPEC-564
Cwe: CWE-284 Attack: T1037 Attack: T1543.001 Attack: T1543.004 Attack: T1547 |
2022-09-29 02:00:00 | 2.1 |
Software |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Password Spraying | Detailed | In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout. | Password Spraying attacks often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications. Successful execution of Password Spraying attacks usually lead to lateral movement within the target, which allows the adversary to impersonate the victim or execute any action that the victim is authorized to perform. If the password chosen by the user is commonly used or easily guessed, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern. Password Spraying Attacks are similar to Dictionary-based Password Attacks (CAPEC-16) in that they both leverage precompiled lists (i.e. dictionaries) of username/password combinations to try against a system/application. The primary difference is that Password Spraying Attacks leverage a known list of user accounts and only try one password for each account before moving onto the next password. In contrast, Dictionary-based Password Attacks leverage unknown username/password combinations and are often executed offline against files containing hashed credentials, where inducing an account lockout is not a concern. Password Spraying Attacks are also similar to Credential Stuffing attacks (CAPEC-600), since both utilize known user accounts and often attack the same targets. Credential Stuffing attacks, however, leverage known username/password combinations, whereas Password Spraying attacks have no insight into known username/password pairs. If a Password Spraying attack succeeds, it may additionally lead to Credential Stuffing attacks on different targets. | 2020-07-30 02:00:00 |
Capec: CAPEC-565
Cwe: CWE-521 Cwe: CWE-262 Cwe: CWE-263 Cwe: CWE-654 Cwe: CWE-307 Cwe: CWE-308 Cwe: CWE-309 Attack: T1110.003 Reference_from_capec: REF-565 Reference_from_capec: REF-566 Reference_from_capec: REF-567 |
2022-02-22 01:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Exploit
|
High |
|
|
Low: A Password Spraying attack is very straightforward. A variety of password cracking tools are widely available. | Draft | High | 3.9 | |||||||||||||||||||||||||||
| DEPRECATED: Dump Password Hashes | Detailed | This CAPEC has been deprecated because of is not directly related to a weakness, social engineering, supply chains, or a physical-based attack. | 2015-11-09 01:00:00 |
Capec: CAPEC-566
|
2019-04-04 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Capture Credentials via Keylogger | Detailed | An adversary deploys a keylogger in an effort to obtain credentials directly from a system's user. After capturing all the keystrokes made by a user, the adversary can analyze the data and determine which string are likely to be passwords or other credential related information. | 2015-11-09 01:00:00 |
Capec: CAPEC-568
Attack: T1056.001 |
2021-10-21 02:00:00 | 2.1 |
Software |
Explore
Experiment
Exploit
|
None |
|
Draft | High | 3.9 | ||||||||||||||||||||||||||||||||
| DEPRECATED: Signature-Based Avoidance | Detailed | This CAPEC has been deprecated because it is not directly related to a weakness, social engineering, supply chains, or a physical-based attack. | 2015-11-09 01:00:00 |
Capec: CAPEC-570
|
2020-07-30 02:00:00 | 2.1 | None | None | Deprecated | None | 3.9 | ||||||||||||||||||||||||||||||||||
| Replace Winlogon Helper DLL | Detailed | Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup. | 2015-11-09 01:00:00 |
Capec: CAPEC-579
Cwe: CWE-15 Attack: T1547.004 |
2023-01-24 01:00:00 | 2.1 |
Software |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Security Software Footprinting | Detailed | Adversaries may attempt to get a listing of security tools that are installed on the system and their configurations. This may include security related system features (such as a built-in firewall or anti-spyware) as well as third-party security software. | 2015-11-09 01:00:00 |
Capec: CAPEC-581
Attack: T1518.001 |
2020-07-30 02:00:00 | 2.1 |
Software |
None | None | Draft | None | 3.9 | |||||||||||||||||||||||||||||||||
| Disabling Network Hardware | Detailed | In this attack pattern, an adversary physically disables networking hardware by powering it down or disconnecting critical equipment. Disabling or shutting off critical system resources prevents them from performing their service as intended, which can have direct and indirect consequences on other systems. This attack pattern is considerably less technical than the selective blocking used in most obstruction attacks. | 2017-01-12 01:00:00 |
Capec: CAPEC-583
Reference_from_capec: REF-464 |
2019-09-30 02:00:00 | 2.1 |
Availability:
|
Hardware |
None | None |
|
Draft | None | 3.9 | |||||||||||||||||||||||||||||||
| BGP Route Disabling | Detailed | An adversary suppresses the Border Gateway Protocol (BGP) advertisement for a route so as to render the underlying network inaccessible. The BGP protocol helps traffic move throughout the Internet by selecting the most efficient route between Autonomous Systems (AS), or routing domains. BGP is the basis for interdomain routing infrastructure, providing connections between these ASs. By suppressing the intended AS routing advertisements and/or forcing less effective routes for traffic to ASs, the adversary can deny availability for the target network. | 2017-01-12 01:00:00 |
Capec: CAPEC-584
Reference_from_capec: REF-465 Reference_from_capec: REF-466 |
2020-12-17 01:00:00 | 2.1 |
Availability:
|
Communications Software |
|
None | None |
|
|
Draft | None | 3.9 | |||||||||||||||||||||||||||||
| DNS Domain Seizure | Detailed | In this attack pattern, an adversary influences a target's web-hosting company to disable a target domain. The goal is to prevent access to the targeted service provided by that domain. It usually occurs as the result of civil or criminal legal interventions. | 2017-01-12 01:00:00 |
Capec: CAPEC-585
Reference_from_capec: REF-467 |
2023-01-24 01:00:00 | 2.1 |
Availability:
|
Social Engineering |
|
None | None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||
| Cross Frame Scripting (XFS) | Detailed | This attack pattern combines malicious Javascript and a legitimate webpage loaded into a concealed iframe. The malicious Javascript is then able to interact with a legitimate webpage in a manner that is unknown to the user. This attack usually leverages some element of social engineering in that an attacker must convinces a user to visit a web page that the attacker controls. | 2017-02-01 01:00:00 |
Capec: CAPEC-587
Cwe: CWE-1021 Owasp Attacks: Cross Frame Scripting Reference_from_capec: REF-469 Reference_from_capec: REF-470 |
2023-01-24 01:00:00 | 2.1 |
Confidentiality:
|
Social Engineering Software |
|
None | None |
|
Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| DOM-Based XSS | Detailed | This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is inserted into the client-side HTML being parsed by a web browser. Content served by a vulnerable web application includes script code used to manipulate the Document Object Model (DOM). This script code either does not properly validate input, or does not perform proper output encoding, thus creating an opportunity for an adversary to inject a malicious script launch a XSS attack. A key distinction between other XSS attacks and DOM-based attacks is that in other XSS attacks, the malicious script runs when the vulnerable web page is initially loaded, while a DOM-based attack executes sometime after the page loads. Another distinction of DOM-based attacks is that in some cases, the malicious script is never sent to the vulnerable web server at all. An attack like this is guaranteed to bypass any server-side filtering attempts to protect users. | 2017-04-15 02:00:00 |
Capec: CAPEC-588
Cwe: CWE-79 Cwe: CWE-20 Cwe: CWE-83 Owasp Attacks: Reflected DOM Injection Reference_from_capec: REF-471 Reference_from_capec: REF-472 Reference_from_capec: REF-618 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Medium: Requires the ability to write scripts of some complexity and to inject it through user controlled fields in the system. | Stable | Very High | 3.9 | ||||||||||||||||||||||||||||
| DNS Blocking | Detailed | An adversary intercepts traffic and intentionally drops DNS requests based on content in the request. In this way, the adversary can deny the availability of specific services or content to the user even if the IP address is changed. | 2017-01-12 01:00:00 |
Capec: CAPEC-589
Cwe: CWE-300 Reference_from_capec: REF-473 |
2020-12-17 01:00:00 | 2.1 |
Availability:
|
Communications Software |
|
None | None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||
| IP Address Blocking | Detailed | An adversary performing this type of attack drops packets destined for a target IP address. The aim is to prevent access to the service hosted at the target IP address. | 2017-01-12 01:00:00 |
Capec: CAPEC-590
Cwe: CWE-300 Reference_from_capec: REF-475 |
2019-04-04 02:00:00 | 2.1 |
Availability:
|
Communications Software |
|
None | Low |
|
Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Reflected XSS | Detailed | This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is "reflected" off a vulnerable web application and then executed by a victim's browser. The process starts with an adversary delivering a malicious script to a victim and convincing the victim to send the script to the vulnerable web application. | The most common method of this is through a phishing email where the adversary embeds the malicious script with a URL that the victim then clicks on. In processing the subsequent request, the vulnerable web application incorrectly considers the malicious script as valid input and uses it to creates a reposnse that is then sent back to the victim. To launch a successful Reflected XSS attack, an adversary looks for places where user-input is used directly in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (), or the addition of event attibutes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines. | 2017-04-15 02:00:00 |
Capec: CAPEC-591
Cwe: CWE-79 Reference_from_capec: REF-476 Reference_from_capec: REF-604 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Medium: Requires the ability to write malicious scripts and embed them into HTTP requests. | Stable | Very High | 3.9 | |||||||||||||||||||||||||||
| Stored XSS | Detailed | An adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently "stored" within the data storage of a vulnerable web application as valid input. | Initially presented by an adversary to the vulnerable web application, the malicious script is incorrectly considered valid input and is not properly encoded by the web application. A victim is then convinced to use the web application in a way that creates a response that includes the malicious script. This response is subsequently sent to the victim and the malicious script is executed by the victim's browser. To launch a successful Stored XSS attack, an adversary looks for places where stored input data is used in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (), or the addition of event attributes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines. | 2017-04-15 02:00:00 |
Capec: CAPEC-592
Cwe: CWE-79 Reference_from_capec: REF-605 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
High |
|
|
Medium: Requires the ability to write scripts of varying complexity and to inject them through user controlled fields within the application. | Stable | Very High | 3.9 | |||||||||||||||||||||||||||
| TCP RST Injection | Detailed | An adversary injects one or more TCP RST packets to a target after the target has made a HTTP GET request. The goal of this attack is to have the target and/or destination web server terminate the TCP connection. | 2017-01-03 01:00:00 |
Capec: CAPEC-596
Cwe: CWE-940 Reference_from_capec: REF-477 |
2019-04-04 02:00:00 | 2.1 |
Communications Software |
None | None |
|
Draft | None | 3.9 | ||||||||||||||||||||||||||||||||
| Absolute Path Traversal | Detailed | An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as ".." to extend their range of access to inappropriate areas of the file system. The goal of the adversary is to access directories and files that are intended to be restricted from their access. | 2017-01-06 01:00:00 |
Capec: CAPEC-597
Cwe: CWE-36 |
2021-10-21 02:00:00 | 2.1 |
Integrity:
|
Software |
Explore
Experiment
Exploit
|
None |
|
|
Low: Simple command line attacks. Medium: Programming attacks. | Draft | None | 3.9 | |||||||||||||||||||||||||||||
| DNS Spoofing | Detailed | An adversary sends a malicious ("NXDOMAIN" ("No such domain") code, or DNS A record) response to a target's route request before a legitimate resolver can. This technique requires an On-path or In-path device that can monitor and respond to the target's DNS requests. This attack differs from BGP Tampering in that it directly responds to requests made by the target instead of polluting the routing the target's infrastructure uses. | 2017-01-04 01:00:00 |
Capec: CAPEC-598
Reference_from_capec: REF-477 Reference_from_capec: REF-479 |
2023-01-24 01:00:00 | 2.1 |
Software |
|
None | None |
|
Low: To distribute email | Draft | None | 3.9 | ||||||||||||||||||||||||||||||
| Terrestrial Jamming | Detailed | In this attack pattern, the adversary transmits disruptive signals in the direction of the target's consumer-level satellite dish (as opposed to the satellite itself). The transmission disruption occurs in a more targeted range. Portable terrestrial jammers have a range of 3-5 kilometers in urban areas and 20 kilometers in rural areas. This technique requires a terrestrial jammer that is more powerful than the frequencies sent from the satellite. | 2017-01-12 01:00:00 |
Capec: CAPEC-599
Reference_from_capec: REF-462 |
2023-01-24 01:00:00 | 2.1 |
Availability:
|
Communications |
|
None | Low |
|
Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Wi-Fi Jamming | Detailed | In this attack scenario, the attacker actively transmits on the Wi-Fi channel to prevent users from transmitting or receiving data from the targeted Wi-Fi network. There are several known techniques to perform this attack – for example: the attacker may flood the Wi-Fi access point (e.g. the retransmission device) with deauthentication frames. Another method is to transmit high levels of noise on the RF band used by the Wi-Fi network. | 2015-11-09 01:00:00 |
Capec: CAPEC-604
|
2018-07-31 02:00:00 | 2.1 |
Availability:
|
Communications |
None | Medium |
|
Low: This attack can be performed by low capability attackers with freely available tools. Commercial tools are also available that can target select networks or all WiFi networks within a range of several miles. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Cellular Jamming | Detailed | In this attack scenario, the attacker actively transmits signals to overpower and disrupt the communication between a cellular user device and a cell tower. Several existing techniques are known in the open literature for this attack for 2G, 3G, and 4G LTE cellular technology. For example, some attacks target cell towers by overwhelming them with false status messages, while others introduce high levels of noise on signaling channels. | 2015-11-09 01:00:00 |
Capec: CAPEC-605
|
2018-07-31 02:00:00 | 2.1 |
Availability:
|
Communications |
None | None |
|
Low: This attack can be performed by low capability attackers with commercially available tools. | Draft | Low | 3.9 | ||||||||||||||||||||||||||||||
| Weakening of Cellular Encryption | Detailed | An attacker, with control of a Cellular Rogue Base Station or through cooperation with a Malicious Mobile Network Operator can force the mobile device (e.g., the retransmission device) to use no encryption (A5/0 mode) or to use easily breakable encryption (A5/1 or A5/2 mode). | 2015-11-09 01:00:00 |
Capec: CAPEC-606
Cwe: CWE-757 |
2018-07-31 02:00:00 | 2.1 |
Confidentiality:
|
Software |
None | None |
|
Medium: Adversaries can purchase and implement rogue BTS stations at a cost effective rate, and can push a mobile device to downgrade to a non-secure cellular protocol like 2G over GSM or CDMA. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Cryptanalysis of Cellular Encryption | Detailed | The use of cryptanalytic techniques to derive cryptographic keys or otherwise effectively defeat cellular encryption to reveal traffic content. Some cellular encryption algorithms such as A5/1 and A5/2 (specified for GSM use) are known to be vulnerable to such attacks and commercial tools are available to execute these attacks and decrypt mobile phone conversations in real-time. Newer encryption algorithms in use by UMTS and LTE are stronger and currently believed to be less vulnerable to these types of attacks. Note, however, that an attacker with a Cellular Rogue Base Station can force the use of weak cellular encryption even by newer mobile devices. | 2015-11-09 01:00:00 |
Capec: CAPEC-608
Cwe: CWE-327 |
2020-07-30 02:00:00 | 2.1 |
Confidentiality:
|
Communications |
None | None |
|
Medium: Adversaries can rent commercial supercomputer time globally to conduct cryptanalysis on encrypted data captured from mobile devices. Foreign governments have their own cryptanalysis technology and capabilities. Commercial cellular standards for encryption (GSM and CDMA) are also subject to adversary cryptanalysis. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Cellular Traffic Intercept | Detailed | Cellular traffic for voice and data from mobile devices and retransmission devices can be intercepted via numerous methods. Malicious actors can deploy their own cellular tower equipment and intercept cellular traffic surreptitiously. Additionally, government agencies of adversaries and malicious actors can intercept cellular traffic via the telecommunications backbone over which mobile traffic is transmitted. | 2015-11-09 01:00:00 |
Capec: CAPEC-609
Cwe: CWE-311 Attack: T1111 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Communications |
None | None |
|
Medium: Adversaries can purchase hardware and software solutions, or create their own solutions, to capture/intercept cellular radio traffic. The cost of a basic Base Transceiver Station (BTS) to broadcast to local mobile cellular radios in mobile devices has dropped to very affordable costs. The ability of commercial cellular providers to monitor for "rogue" BTS stations is poor in many areas and it is assumed that "rogue" BTS stations exist in urban areas. | Draft | Low | 3.9 | ||||||||||||||||||||||||||||||
| BitSquatting | Detailed | An adversary registers a domain name one bit different than a trusted domain. A BitSquatting attack leverages random errors in memory to direct Internet traffic to adversary-controlled destinations. BitSquatting requires no exploitation or complicated reverse engineering, and is operating system and architecture agnostic. Experimental observations show that BitSquatting popular websites could redirect non-trivial amounts of Internet traffic to a malicious entity. | 2015-11-09 01:00:00 |
Capec: CAPEC-611
Reference_from_capec: REF-485 |
2022-09-29 02:00:00 | 2.1 |
Other:
|
Social Engineering |
Explore
Experiment
Exploit
|
Low |
|
Low: Adversaries must be able to register DNS hostnames/URL’s. | Draft | Medium | 3.9 | ||||||||||||||||||||||||||||||
| WiFi MAC Address Tracking | Detailed | In this attack scenario, the attacker passively listens for WiFi messages and logs the associated Media Access Control (MAC) addresses. These addresses are intended to be unique to each wireless device (although they can be configured and changed by software). Once the attacker is able to associate a MAC address with a particular user or set of users (for example, when attending a public event), the attacker can then scan for that MAC address to track that user in the future. | 2015-11-09 01:00:00 |
Capec: CAPEC-612
Cwe: CWE-201 Cwe: CWE-300 |
2019-04-04 02:00:00 | 2.1 |
Communications Software |
None | None |
|
Low: Open source and commercial software tools are available and several commercial advertising companies routinely set up tools to collect and monitor MAC addresses. | Draft | Low | 3.9 | |||||||||||||||||||||||||||||||
| WiFi SSID Tracking | Detailed | In this attack scenario, the attacker passively listens for WiFi management frame messages containing the Service Set Identifier (SSID) for the WiFi network. These messages are frequently transmitted by WiFi access points (e.g., the retransmission device) as well as by clients that are accessing the network (e.g., the handset/mobile device). Once the attacker is able to associate an SSID with a particular user or set of users (for example, when attending a public event), the attacker can then scan for this SSID to track that user in the future. | 2015-11-09 01:00:00 |
Capec: CAPEC-613
Cwe: CWE-201 Cwe: CWE-300 |
2019-09-30 02:00:00 | 2.1 |
Communications Software |
None | None |
|
Low: Open source and commercial software tools are available and open databases of known WiFi SSID addresses are available online. | Draft | Low | 3.9 | |||||||||||||||||||||||||||||||
| Rooting SIM Cards | Detailed | SIM cards are the de facto trust anchor of mobile devices worldwide. The cards protect the mobile identity of subscribers, associate devices with phone numbers, and increasingly store payment credentials, for example in NFC- enabled phones with mobile wallets. This attack leverages over-the-air (OTA) updates deployed via cryptographically-secured SMS messages to deliver executable code to the SIM. By cracking the DES key, an attacker can send properly signed binary SMS messages to a device, which are treated as Java applets and are executed on the SIM. These applets are allowed to send SMS, change voicemail numbers, and query the phone location, among many other predefined functions. These capabilities alone provide plenty of potential for abuse. | 2015-11-09 01:00:00 |
Capec: CAPEC-614
Cwe: CWE-327 Reference_from_capec: REF-486 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
None | None |
|
Medium: This is a sophisticated attack, but detailed techniques are published in open literature. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Evil Twin Wi-Fi Attack | Detailed | Adversaries install Wi-Fi equipment that acts as a legitimate Wi-Fi network access point. When a device connects to this access point, Wi-Fi data traffic is intercepted, captured, and analyzed. This also allows the adversary to use "adversary-in-the-middle" (CAPEC-94) for all communications. | 2015-11-09 01:00:00 |
Capec: CAPEC-615
Cwe: CWE-300 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Communications Software Hardware |
None | None |
|
Draft | Low | 3.9 | |||||||||||||||||||||||||||||||
| Cellular Rogue Base Station | Detailed | In this attack scenario, the attacker imitates a cellular base station with their own "rogue" base station equipment. Since cellular devices connect to whatever station has the strongest signal, the attacker can easily convince a targeted cellular device (e.g. the retransmission device) to talk to the rogue base station. | 2015-11-09 01:00:00 |
Capec: CAPEC-617
|
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Communications Hardware |
None | None |
|
Low: This technique has been demonstrated by amateur hackers and commercial tools and open source projects are available to automate the attack. | Draft | Low | 3.9 | ||||||||||||||||||||||||||||||
| Cellular Broadcast Message Request | Detailed | In this attack scenario, the attacker uses knowledge of the target’s mobile phone number (i.e., the number associated with the SIM used in the retransmission device) to cause the cellular network to send broadcast messages to alert the mobile device. Since the network knows which cell tower the target’s mobile device is attached to, the broadcast messages are only sent in the Location Area Code (LAC) where the target is currently located. By triggering the cellular broadcast message and then listening for the presence or absence of that message, an attacker could verify that the target is in (or not in) a given location. | 2015-11-09 01:00:00 |
Capec: CAPEC-618
Cwe: CWE-201 Reference_from_capec: REF-487 |
2018-07-31 02:00:00 | 2.1 |
Other:
|
Communications Software |
None | None |
|
Low: Open source and commercial tools are available for this attack. | Draft | Low | 3.9 | ||||||||||||||||||||||||||||||
| Signal Strength Tracking | Detailed | In this attack scenario, the attacker passively monitors the signal strength of the target’s cellular RF signal or WiFi RF signal and uses the strength of the signal (with directional antennas and/or from multiple listening points at once) to identify the source location of the signal. Obtaining the signal of the target can be accomplished through multiple techniques such as through Cellular Broadcast Message Request or through the use of IMSI Tracking or WiFi MAC Address Tracking. | 2015-11-09 01:00:00 |
Capec: CAPEC-619
Cwe: CWE-201 |
2018-07-31 02:00:00 | 2.1 |
Communications Software |
None | None | Low: Commercial tools are available. | Draft | Low | 3.9 | ||||||||||||||||||||||||||||||||
| Analysis of Packet Timing and Sizes | Detailed | An attacker may intercept and log encrypted transmissions for the purpose of analyzing metadata such as packet timing and sizes. Although the actual data may be encrypted, this metadata may reveal valuable information to an attacker. Note that this attack is applicable to VOIP data as well as application data, especially for interactive apps that require precise timing and low-latency (e.g. thin-clients). | 2015-11-09 01:00:00 |
Capec: CAPEC-621
Cwe: CWE-201 |
2018-07-31 02:00:00 | 2.1 |
Confidentiality:
|
Software Physical Security Hardware |
None | None |
|
High: These attacks generally require sophisticated machine learning techniques and require traffic capture as a prerequisite. | Draft | Low | 3.9 | ||||||||||||||||||||||||||||||
| Electromagnetic Side-Channel Attack | Detailed | In this attack scenario, the attacker passively monitors electromagnetic emanations that are produced by the targeted electronic device as an unintentional side-effect of its processing. From these emanations, the attacker derives information about the data that is being processed (e.g. the attacker can recover cryptographic keys by monitoring emanations associated with cryptographic processing). This style of attack requires proximal access to the device, however attacks have been demonstrated at public conferences that work at distances of up to 10-15 feet. There have not been any significant studies to determine the maximum practical distance for such attacks. Since the attack is passive, it is nearly impossible to detect and the targeted device will continue to operate as normal after a successful attack. | 2015-11-09 01:00:00 |
Capec: CAPEC-622
Cwe: CWE-201 |
2018-07-31 02:00:00 | 2.1 |
Confidentiality:
|
Software Physical Security Hardware |
None | None |
|
Medium: Sophisticated attack, but detailed techniques published in the open literature. | Draft | Low | 3.9 | ||||||||||||||||||||||||||||||
| Compromising Emanations Attack | Detailed | Compromising Emanations (CE) are defined as unintentional signals which an attacker may intercept and analyze to disclose the information processed by the targeted equipment. Commercial mobile devices and retransmission devices have displays, buttons, microchips, and radios that emit mechanical emissions in the form of sound or vibrations. Capturing these emissions can help an adversary understand what the device is doing. | 2015-11-09 01:00:00 |
Capec: CAPEC-623
Cwe: CWE-201 |
2018-07-31 02:00:00 | 2.1 |
Confidentiality:
|
Software Physical Security Hardware |
None | None |
|
High: Sophisticated attack. | Draft | Low | 3.9 | ||||||||||||||||||||||||||||||
| Smudge Attack | Detailed | Attacks that reveal the password/passcode pattern on a touchscreen device by detecting oil smudges left behind by the user’s fingers. | 2015-11-09 01:00:00 |
Capec: CAPEC-626
|
2019-09-30 02:00:00 | 2.1 |
Access Control:
|
Physical Security |
None | None |
|
Medium: The attacker must know how to make use of these smudges. | Draft | None | 3.9 | ||||||||||||||||||||||||||||||
| Carry-Off GPS Attack | Detailed | A common form of a GPS spoofing attack, commonly termed a carry-off attack begins with an adversary broadcasting signals synchronized with the genuine signals observed by the target receiver. The power of the counterfeit signals is then gradually increased and drawn away from the genuine signals. Over time, the adversary can carry the target away from their intended destination and toward a location chosen by the adversary. | 2015-11-09 01:00:00 |
Capec: CAPEC-628
Reference_from_capec: REF-489 |
2019-04-04 02:00:00 | 2.1 |
Communications |
|
None | Low |
|
High: This attack requires advanced knoweldge in GPS technology. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| TypoSquatting | Detailed | An adversary registers a domain name with at least one character different than a trusted domain. A TypoSquatting attack takes advantage of instances where a user mistypes a URL (e.g. www.goggle.com) or not does visually verify a URL before clicking on it (e.g. phishing attack). As a result, the user is directed to an adversary-controlled destination. TypoSquatting does not require an attack against the trusted domain or complicated reverse engineering. | 2015-11-09 01:00:00 |
Capec: CAPEC-630
Reference_from_capec: REF-491 |
2022-09-29 02:00:00 | 2.1 |
Other:
|
Social Engineering |
|
Explore
Experiment
Exploit
|
Low |
|
Low: Adversaries must be able to register DNS hostnames/URL’s. | Draft | Medium | 3.9 | |||||||||||||||||||||||||||||
| SoundSquatting | Detailed | An adversary registers a domain name that sounds the same as a trusted domain, but has a different spelling. A SoundSquatting attack takes advantage of a user's confusion of the two words to direct Internet traffic to adversary- controlled destinations. SoundSquatting does not require an attack against the trusted domain or complicated reverse engineering. | 2015-11-09 01:00:00 |
Capec: CAPEC-631
Reference_from_capec: REF-491 |
2022-09-29 02:00:00 | 2.1 |
|
Other:
|
Social Engineering |
|
Explore
Experiment
Exploit
|
Low |
|
Low: Adversaries must be able to register DNS hostnames/URL’s. | Draft | Medium | 3.9 | ||||||||||||||||||||||||||||
| Homograph Attack via Homoglyphs | Detailed | An adversary registers a domain name containing a homoglyph, leading the registered domain to appear the same as a trusted domain. A homograph attack leverages the fact that different characters among various character sets look the same to the user. Homograph attacks must generally be combined with other attacks, such as phishing attacks, in order to direct Internet traffic to the adversary-controlled destinations. | 2015-11-09 01:00:00 |
Capec: CAPEC-632
Cwe: CWE-1007 |
2023-01-24 01:00:00 | 2.1 |
|
Other:
|
Social Engineering |
|
Explore
Experiment
Exploit
|
Low |
|
Low: Adversaries must be able to register DNS hostnames/URL’s. | Draft | Medium | 3.9 | ||||||||||||||||||||||||||||
| Token Impersonation | Detailed | An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary. | 2018-04-12 02:00:00 |
Capec: CAPEC-633
Cwe: CWE-287 Cwe: CWE-1270 Attack: T1134 |
2021-06-24 02:00:00 | 2.1 |
Integrity:
|
Software Hardware |
None | None |
|
Stable | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Probe Audio and Video Peripherals | Detailed | The adversary exploits the target system's audio and video functionalities through malware or scheduled tasks. The goal is to capture sensitive information about the target for financial, personal, political, or other gains which is accomplished by collecting communication data between two parties via the use of peripheral devices (e.g. microphones and webcams) or applications with audio and video capabilities (e.g. Skype) on a system. | 2018-07-31 02:00:00 |
Capec: CAPEC-634
Cwe: CWE-267 Attack: T1123 Attack: T1125 Reference_from_capec: REF-653 Reference_from_capec: REF-654 |
2021-06-24 02:00:00 | 2.1 |
Confidentiality:
|
Communications Software Software |
|
None | Low |
|
High: To deploy a hidden process or malware on the system to automatically collect audio and video data. | Stable | High | 3.9 | |||||||||||||||||||||||||||||
| Collect Data from Clipboard | Detailed | The adversary exploits an application that allows for the copying of sensitive data or information by collecting information copied to the clipboard. Data copied to the clipboard can be accessed by other applications, such as malware built to exfiltrate or log clipboard contents on a periodic basis. In this way, the adversary aims to garner information to which they are unauthorized. | 2018-07-31 02:00:00 |
Capec: CAPEC-637
Cwe: CWE-267 Attack: T1115 |
2021-10-21 02:00:00 | 2.1 |
Confidentiality:
|
Software |
Explore
Experiment
Exploit
|
Low |
|
High: To deploy a hidden process or malware on the system to automatically collect clipboard data. | Stable | Low | 3.9 | ||||||||||||||||||||||||||||||
| Altered Component Firmware | Detailed | An adversary exploits systems features and/or improperly protected firmware of hardware components, such as Hard Disk Drives (HDD), with the goal of executing malicious code from within the component's Master Boot Record (MBR). Conducting this type of attack entails the adversary infecting the target with firmware altering malware, using known tools, and a payload. Once this malware is executed, the MBR is modified to include instructions to execute the payload at desired intervals and when the system is booted up. A successful attack will obtain persistence within the victim system even if the operating system is reinstalled and/or if the component is formatted or has its data erased. | 2018-07-31 02:00:00 |
Capec: CAPEC-638
Attack: T1542.002 Reference_from_capec: REF-664 Reference_from_capec: REF-665 Reference_from_capec: REF-666 |
2021-06-24 02:00:00 | 2.1 |
Authorization:
|
Software Hardware |
|
Explore
Experiment
Exploit
|
Low |
|
|
Low: Ability to leverage known malware tools to infect target system and insert firmware altering malware/payload High: Ability to intercept components in transit. Medium: Ability to create malicious payload to be executed from MBR. | Stable | Very High | 3.9 | ||||||||||||||||||||||||||||
| Probe System Files | Detailed | An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information. | 2018-05-04 02:00:00 |
Capec: CAPEC-639
Cwe: CWE-552 Attack: T1039 Attack: T1552.001 Attack: T1552.003 Attack: T1552.004 Attack: T1552.006 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Software |
|
None | None |
|
Stable | Medium | 3.9 | ||||||||||||||||||||||||||||||
| Inclusion of Code in Existing Process | Detailed | The adversary takes advantage of a bug in an application failing to verify the integrity of the running process to execute arbitrary code in the address space of a separate live process. The adversary could use running code in the context of another process to try to access process's memory, system/network resources, etc. The goal of this attack is to evade detection defenses and escalate privileges by masking the malicious code under an existing legitimate process. Examples of approaches include but not limited to: dynamic-link library (DLL) injection, portable executable injection, thread execution hijacking, ptrace system calls, VDSO hijacking, function hooking, reflective code loading, and more. | 2018-07-31 02:00:00 |
Capec: CAPEC-640
Cwe: CWE-114 Cwe: CWE-829 Attack: T1505.005 Attack: T1574.006 Attack: T1574.013 Attack: T1620 |
2023-01-24 01:00:00 | 2.1 |
Integrity:
|
Software |
Explore
Experiment
Exploit
|
Low |
|
High: Knowledge of how to load malicious code into the memory space of a running process, as well as the ability to have the running process execute this code. For example, with DLL injection, the adversary must know how to load a DLL into the memory space of another running process, and cause this process to execute the code inside of the DLL. | Stable | High | 3.9 | ||||||||||||||||||||||||||||||
| DLL Side-Loading | Detailed | An adversary places a malicious version of a Dynamic-Link Library (DLL) in the Windows Side-by-Side (WinSxS) directory to trick the operating system into loading this malicious DLL instead of a legitimate DLL. Programs specify the location of the DLLs to load via the use of WinSxS manifests or DLL redirection and if they aren't used then Windows searches in a predefined set of directories to locate the file. If the applications improperly specify a required DLL or WinSxS manifests aren't explicit about the characteristics of the DLL to be loaded, they can be vulnerable to side-loading. | 2018-07-31 02:00:00 |
Capec: CAPEC-641
Cwe: CWE-706 Attack: T1574.002 Reference_from_capec: REF-501 |
2020-07-30 02:00:00 | 2.1 |
Integrity:
|
Software |
None | Low |
|
High: Trick the operating system in loading a malicious DLL instead of a legitimate DLL. | Stable | High | 3.9 | ||||||||||||||||||||||||||||||
| Replace Binaries | Detailed | Adversaries know that certain binaries will be regularly executed as part of normal processing. If these binaries are not protected with the appropriate file system permissions, it could be possible to replace them with malware. This malware might be executed at higher system permission levels. A variation of this pattern is to discover self-extracting installation packages that unpack binaries to directories with weak file permissions which it does not clean up appropriately. These binaries can be replaced by malware, which can then be executed. | 2018-05-31 02:00:00 |
Capec: CAPEC-642
Cwe: CWE-732 Attack: T1505.005 Attack: T1554 Attack: T1574.005 Owasp Attacks: Binary planting |
2022-09-29 02:00:00 | 2.1 |
Software |
|
None | None |
|
Draft | High | 3.9 | |||||||||||||||||||||||||||||||
| Identify Shared Files/Directories on System | Detailed | An adversary discovers connections between systems by exploiting the target system's standard practice of revealing them in searchable, common areas. Through the identification of shared folders/drives between systems, the adversary may further their goals of locating and collecting sensitive information/files, or map potential routes for lateral movement within the network. | 2018-07-31 02:00:00 |
Capec: CAPEC-643
Cwe: CWE-267 Cwe: CWE-200 Attack: T1135 |
2021-06-24 02:00:00 | 2.1 |
Confidentiality:
|
Software |
None | Medium |
|
|
Low: Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only the capability and facility to navigate the system through the OS graphical user interface or the command line. The adversary, or their malware, can simply employ a set of commands that search for shared drives on the system (e.g., net view \\remote system or net share). | Draft | Medium | 3.9 | |||||||||||||||||||||||||||||
| Use of Captured Hashes (Pass The Hash) | Detailed | An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols. | When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain. | 2018-07-31 02:00:00 |
Capec: CAPEC-644
Cwe: CWE-522 Cwe: CWE-836 Cwe: CWE-308 Cwe: CWE-294 Cwe: CWE-308 Attack: T1550.002 Reference_from_capec: REF-575 Reference_from_capec: REF-580 Reference_from_capec: REF-581 Reference_from_capec: REF-582 Reference_from_capec: REF-583 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Medium |
|
|
Low: Once an adversary obtains a known Windows credential hash value pair, leveraging it is trivial. | Stable | High | 3.9 | |||||||||||||||||||||||||||
| Use of Captured Tickets (Pass The Ticket) | Detailed | An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain. | 2018-07-31 02:00:00 |
Capec: CAPEC-645
Cwe: CWE-522 Cwe: CWE-294 Cwe: CWE-308 Attack: T1550.003 Reference_from_capec: REF-584 |
2020-07-30 02:00:00 | 2.1 |
Integrity:
|
Software |
|
None | Low |
|
Low: Determine if Kerberos authentication is used on the server. High: The adversary uses a third-party tool to obtain the necessary tickets to execute the attack. | Stable | High | 3.9 | |||||||||||||||||||||||||||||
| Collect Data from Registries | Detailed | An adversary exploits a weakness in authorization to gather system-specific data and sensitive information within a registry (e.g., Windows Registry, Mac plist). These contain information about the system configuration, software, operating system, and security. The adversary can leverage information gathered in order to carry out further attacks. | 2018-05-15 02:00:00 |
Capec: CAPEC-647
Cwe: CWE-285 Attack: T1005 Attack: T1012 Attack: T1552.002 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Software |
Explore
Experiment
Exploit
|
Medium |
|
|
Low: Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only the capability and facility to navigate the system through the OS graphical user interface or the command line. | Draft | Medium | 3.9 | |||||||||||||||||||||||||||||
| Collect Data from Screen Capture | Detailed | An adversary gathers sensitive information by exploiting the system's screen capture functionality. Through screenshots, the adversary aims to see what happens on the screen over the course of an operation. The adversary can leverage information gathered in order to carry out further attacks. | 2018-07-31 02:00:00 |
Capec: CAPEC-648
Cwe: CWE-267 Attack: T1113 Attack: T1513 |
2022-09-29 02:00:00 | 2.1 |
Confidentiality:
|
Software |
None | Medium |
|
|
Low: Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only to leverage the relevant command for screen capture. | Draft | Medium | 3.9 | |||||||||||||||||||||||||||||
| Adding a Space to a File Extension | Detailed | An adversary adds a space character to the end of a file extension and takes advantage of an application that does not properly neutralize trailing special elements in file names. This extra space, which can be difficult for a user to notice, affects which default application is used to operate on the file and can be leveraged by the adversary to control execution. | 2018-05-31 02:00:00 |
Capec: CAPEC-649
Cwe: CWE-46 Attack: T1036.006 |
2020-07-30 02:00:00 | 2.1 |
Integrity:
|
Software |
None | Low |
|
Draft | Medium | 3.9 | |||||||||||||||||||||||||||||||
| Upload a Web Shell to a Web Server | Detailed | By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels. | 2018-05-31 02:00:00 |
Capec: CAPEC-650
Cwe: CWE-287 Cwe: CWE-553 Attack: T1505.003 |
2020-12-17 01:00:00 | 2.1 |
Integrity:
|
Software |
None | None |
|
Draft | High | 3.9 | |||||||||||||||||||||||||||||||
| Credential Prompt Impersonation | Detailed | An adversary, through a previously installed malicious application, impersonates a credential prompt in an attempt to steal a user's credentials. | The adversary may monitor the task list maintained by the operating system and wait for a specific legitimate credential prompt to become active. Once the prompt is detected, the adversary launches a new credential prompt in the foreground that mimics the user interface of the legitimate credential prompt. At this point, the user thinks that they are interacting with the legitimate credential prompt, but instead they are interacting with the malicious credential prompt. A second approach involves the adversary impersonating an unexpected credential prompt, but one that may often be spawned by legitimate background processes. For example, an adversary may randomly impersonate a system credential prompt, implying that a background process or commonly used application (e.g., email reader) requires authentication for some purpose. The user, believing they are interacting with a legitimate credential prompt, enters their credentials which the adversary then leverages for nefarious purposes. The ultimate goal of this attack is to obtain sensitive information (e.g., credentials) from the user. | 2020-07-30 02:00:00 |
Capec: CAPEC-654
Cwe: CWE-1021 Attack: T1056 Attack: T1548.004 |
2022-09-29 02:00:00 | 2.1 |
Access Control:
|
Software |
|
Explore
Exploit
|
Medium |
|
|
Low: Once an adversary has gained access to the target system, impersonating a credential prompt is not difficult. | Stable | High | 3.9 | |||||||||||||||||||||||||||
| Avoid Security Tool Identification by Adding Data | Detailed | An adversary adds data to a file to increase the file size beyond what security tools are capable of handling in an attempt to mask their actions. In addition to this, adding data to a file also changes the file's hash, frustrating security tools that look for known bad files by their hash. | 2020-07-30 02:00:00 |
Capec: CAPEC-655
Attack: T1027.001 |
2021-06-24 02:00:00 | 2.1 |
Integrity:
|
Software |
|
None | High | Draft | High | 3.9 | |||||||||||||||||||||||||||||||
| Voice Phishing | Detailed | An adversary targets users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Voice Phishing is a variation of the Phishing social engineering technique where the attack is initiated via a voice call, rather than email. The user is enticed to provide sensitive information by the adversary, who masquerades as a legitimate employee of the alleged organization. Voice Phishing attacks deviate from standard Phishing attacks, in that a user doesn't typically interact with a compromised website to provide sensitive information and instead provides this information verbally. Voice Phishing attacks can also be initiated by either the adversary in the form of a "cold call" or by the victim if calling an illegitimate telephone number. | 2020-12-17 01:00:00 |
Capec: CAPEC-656
Reference_from_capec: REF-592 Reference_from_capec: REF-594 Reference_from_capec: REF-595 |
2020-12-17 01:00:00 | 2.1 |
|
Integrity:
|
Social Engineering |
|
Explore
Exploit
|
High |
|
|
Medium: Basic knowledge about websites: obtaining them, designing and implementing them, etc. | Stable | High | 3.9 | |||||||||||||||||||||||||||
| Malicious Automated Software Update via Spoofing | Detailed | An attackers uses identify or content spoofing to trick a client into performing an automated software update from a malicious source. A malicious automated software update that leverages spoofing can include content or identity spoofing as well as protocol spoofing. Content or identity spoofing attacks can trigger updates in software by embedding scripted mechanisms within a malicious web page, which masquerades as a legitimate update source. Scripting mechanisms communicate with software components and trigger updates from locations specified by the attackers' server. The result is the client believing there is a legitimate software update available but instead downloading a malicious update from the attacker. | 2020-12-17 01:00:00 |
Capec: CAPEC-657
Cwe: CWE-494 Attack: T1072 |
2022-09-29 02:00:00 | 2.1 |
Availability:
|
Supply Chain Software |
|
None | High | Draft | High | 3.9 | |||||||||||||||||||||||||||||||
| Root/Jailbreak Detection Evasion via Hooking | Detailed | An adversary forces a non-restricted mobile application to load arbitrary code or code files, via Hooking, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Adversaries may further leverage these capabilities to escalate privileges or bypass access control on legitimate applications. Although many mobile applications check if a mobile device is Rooted/Jailbroken prior to authorized use of the application, adversaries may be able to "hook" code in order to circumvent these checks. Successfully evading Root/Jailbreak detection allows an adversary to execute administrative commands, obtain confidential data, impersonate legitimate users of the application, and more. | 2020-12-17 01:00:00 |
Capec: CAPEC-660
Cwe: CWE-829 Attack: T1055 Reference_from_capec: REF-624 Reference_from_capec: REF-625 Reference_from_capec: REF-626 Reference_from_capec: REF-627 |
2020-12-17 01:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Medium |
|
|
High: Knowledge about Root/Jailbreak detection and evasion techniques. Medium: Knowledge about code hooking. | Stable | Very High | 3.9 | ||||||||||||||||||||||||||||
| Root/Jailbreak Detection Evasion via Debugging | Detailed | An adversary inserts a debugger into the program entry point of a mobile application to modify the application binary, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Rooting/Jailbreaking a mobile device also provides users with access to system debuggers and disassemblers, which can be leveraged to exploit applications by dumping the application's memory at runtime in order to remove or bypass signature verification methods. This further allows the adversary to evade Root/Jailbreak detection mechanisms, which can result in execution of administrative commands, obtaining confidential data, impersonating legitimate users of the application, and more. | 2020-12-17 01:00:00 |
Capec: CAPEC-661
Cwe: CWE-489 Reference_from_capec: REF-625 Reference_from_capec: REF-626 Reference_from_capec: REF-627 Reference_from_capec: REF-628 |
2020-12-17 01:00:00 | 2.1 |
Integrity:
|
Software Hardware |
|
Explore
Experiment
Exploit
|
Medium |
|
|
High: Knowledge about Root/Jailbreak detection and evasion techniques. Medium: Knowledge about runtime debugging. | Stable | Very High | 3.9 | ||||||||||||||||||||||||||||
| Exploitation of Thunderbolt Protection Flaws | Detailed | An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow. | 2021-06-24 02:00:00 |
Capec: CAPEC-665
Cwe: CWE-345 Cwe: CWE-353 Cwe: CWE-288 Cwe: CWE-1188 Cwe: CWE-862 Attack: T1211 Attack: T1542.002 Attack: T1556 Reference_from_capec: REF-647 Reference_from_capec: REF-648 Reference_from_capec: REF-649 Reference_from_capec: REF-650 Reference_from_capec: REF-651 Reference_from_capec: REF-652 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Communications Software |
|
Explore
Experiment
Exploit
|
Low |
|
|
High: Detailed knowledge on scripting and SPI programming in order to configure and modify Thunderbolt controller firmware and software configurations. | Stable | Very High | 3.9 | ||||||||||||||||||||||||||||
| Bluetooth Impersonation AttackS (BIAS) | Detailed | An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities. | 2021-06-24 02:00:00 |
Capec: CAPEC-667
Cwe: CWE-290 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Social Engineering |
Explore
Experiment
Exploit
|
Medium |
|
Low: Adversaries must be in close proximity to Bluetooth devices. | Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Software Development Tools Maliciously Altered | Detailed | An adversary with the ability to alter tools used in a development environment causes software to be developed with maliciously modified tools. Such tools include requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools. The adversary then carries out malicious acts once the software is deployed including malware infection of other systems to support further compromises. | 2021-06-24 02:00:00 |
Capec: CAPEC-670
Attack: T1127 Attack: T1195.001 Reference_from_capec: REF-660 Reference_from_capec: REF-439 Reference_from_capec: REF-667 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Supply Chain Software |
|
None | Low |
|
High: Ability to leverage common delivery mechanisms (e.g., email attachments, removable media) to infiltrate a development environment to gain access to software development tools for the purpose of malware insertion into an existing tool or replacement of an existing tool with a maliciously altered copy. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Requirements for ASIC Functionality Maliciously Altered | Detailed | An adversary with access to functional requirements for an application specific integrated circuit (ASIC), a chip designed/customized for a singular particular use, maliciously alters requirements derived from originating capability needs. In the chip manufacturing process, requirements drive the chip design which, when the chip is fully manufactured, could result in an ASIC which may not meet the user’s needs, contain malicious functionality, or exhibit other anomalous behaviors thereby affecting the intended use of the ASIC. | 2021-06-24 02:00:00 |
Capec: CAPEC-671
Attack: T1195.003 Reference_from_capec: REF-439 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Supply Chain Hardware |
|
None | Low |
|
High: An adversary would need experience in designing chips based on functional requirements in order to manipulate requirements in such a way that deviations would not be detected in subsequent stages of ASIC manufacture and where intended malicious functionality would be available to the adversary once integrated into a system and fielded. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Malicious Code Implanted During Chip Programming | Detailed | During the programming step of chip manufacture, an adversary with access and necessary technical skills maliciously alters a chip’s intended program logic to produce an effect intended by the adversary when the fully manufactured chip is deployed and in operational use. Intended effects can include the ability of the adversary to remotely control a host system to carry out malicious acts. | 2021-06-24 02:00:00 |
Capec: CAPEC-672
Attack: T1195.003 Reference_from_capec: REF-662 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Supply Chain Software Hardware |
|
None | Low |
|
Medium: An adversary needs to be skilled in microprogramming, manipulation of configuration management systems, and in the operation of tools used for the uploading of programs into chips during manufacture. Uploading can be for individual chips or performed on a large scale basis. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Developer Signing Maliciously Altered Software | Detailed | Software produced by a reputable developer is clandestinely infected with malicious code and then digitally signed by the unsuspecting developer, where the software has been altered via a compromised software development or build process prior to being signed. The receiver or user of the software has no reason to believe that it is anything but legitimate and proceeds to deploy it to organizational systems. This attack differs from CAPEC-206, since the developer is inadvertently signing malicious code they believe to be legitimate and which they are unware of any malicious modifications. | 2021-06-24 02:00:00 |
Capec: CAPEC-673
Attack: T1195.002 Reference_from_capec: REF-658 Reference_from_capec: REF-659 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Supply Chain Software |
|
None | Medium |
|
High: The adversary must have the skills to infiltrate a developer’s software development/build environment and to implant malicious code in developmental software code, a build server, or a software repository containing dependency code, which would be referenced to be included during the software build process. | Draft | High | 3.9 | |||||||||||||||||||||||||||||
| Design for FPGA Maliciously Altered | Detailed | An adversary alters the functionality of a field-programmable gate array (FPGA) by causing an FPGA configuration memory chip reload in order to introduce a malicious function that could result in the FPGA performing or enabling malicious functions on a host system. Prior to the memory chip reload, the adversary alters the program for the FPGA by adding a function to impact system operation. | 2021-06-24 02:00:00 |
Capec: CAPEC-674
Attack: T1195.003 Reference_from_capec: REF-660 Reference_from_capec: REF-439 Reference_from_capec: REF-662 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Supply Chain Hardware |
|
None | Low |
|
High: An adversary would need to be skilled in FPGA programming in order to create/manipulate configurations in such a way that when loaded into an FPGA, the end user would be able to observe through testing all user-defined required functions but would be unaware of any additional functions the adversary may have introduced. | Stable | High | 3.9 | |||||||||||||||||||||||||||||
| Server Motherboard Compromise | Detailed | Malware is inserted in a server motherboard (e.g., in the flash memory) in order to alter server functionality from that intended. The development environment or hardware/software support activity environment is susceptible to an adversary inserting malicious software into hardware components during development or update. | 2021-10-21 02:00:00 |
Capec: CAPEC-677
Attack: T1195.003 Reference_from_capec: REF-439 Reference_from_capec: REF-660 Reference_from_capec: REF-685 |
2023-01-24 01:00:00 | 2.1 |
Integrity:
|
Supply Chain Physical Security Hardware |
|
None | Low |
|
Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| System Build Data Maliciously Altered | Detailed | During the system build process, the system is deliberately misconfigured by the alteration of the build data. Access to system configuration data files and build processes is susceptible to deliberate misconfiguration of the system. | 2021-10-21 02:00:00 |
Capec: CAPEC-678
Attack: T1195.002 Reference_from_capec: REF-439 Reference_from_capec: REF-660 |
2023-01-24 01:00:00 | 2.1 |
Integrity:
|
Supply Chain Software Hardware |
|
None | Low |
|
Draft | High | 3.9 | ||||||||||||||||||||||||||||||
| Exploitation of Improperly Configured or Implemented Memory Protections | Detailed | An adversary takes advantage of missing or incorrectly configured access control within memory to read/write data or inject malicious code into said memory. | Hardware product designs often need to implement memory protection features to prevent users from reading and modifying memory reserved for security operations such as secure booting, authenticating code, device attestation, and more. However, these protection features may be missing if not configured by developers. For example, this can occur if the developers assume these features are configured elsewhere. Additionally, developers often attempt to impose proper protection features, but may incorrectly configure these controls. One such example would be setting controls with insufficient granularity for protected address regions. If an adversary is able to discover improper access controls surrounding memory, it could result in the adversary obtaining sensitive data, executing code, circumventing security mechanisms, escalating privileges, or even denying service to higher privilege software. | 2021-10-21 02:00:00 |
Capec: CAPEC-679
Cwe: CWE-1222 Cwe: CWE-1252 Cwe: CWE-1257 Cwe: CWE-1260 Cwe: CWE-1274 Cwe: CWE-1282 Cwe: CWE-1312 Cwe: CWE-1316 Cwe: CWE-1326 Reference_from_capec: REF-687 Reference_from_capec: REF-668 Reference_from_capec: REF-689 Reference_from_capec: REF-690 Reference_from_capec: REF-691 Reference_from_capec: REF-692 |
2021-10-21 02:00:00 | 2.1 |
Integrity:
|
Hardware Hardware |
|
None | Medium |
|
High: Intricate knowledge of memory structures. Medium: Ability to craft malicious code to inject into the memory region. | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| Exploitation of Improperly Controlled Registers | Detailed | An adversary exploits missing or incorrectly configured access control within registers to read/write data that is not meant to be obtained or modified by a user. | Hardware systems often utilize trusted lock bits to prevent a set of registers from being written to or to restrict a register to only being written to once. Registers are also frequently used to store sensitive data leveraged in additional security operations, such as secure booting, authenticating code, device attestation, and more. However, the access control mechanisms meant to protect these registers may be fully missing or ineffective due to misconfiguration. If an adversary is able to discover improper access controls surrounding registers, it could result in the adversary obtaining sensitive data and/or modifying data that is meant to be immutable. This can ultimately result in processes like secure boot being circumvented or in protected configurations being modified. | 2021-10-21 02:00:00 |
Capec: CAPEC-680
Cwe: CWE-1224 Cwe: CWE-1231 Cwe: CWE-1233 Cwe: CWE-1262 Cwe: CWE-1283 Reference_from_capec: REF-693 |
2021-10-21 02:00:00 | 2.1 |
Integrity:
|
Hardware Hardware |
|
None | Medium |
|
High: Intricate knowledge of registers. | Draft | High | 3.9 | ||||||||||||||||||||||||||||
| Exploitation of Improperly Controlled Hardware Security Identifiers | Detailed | An adversary takes advantage of missing or incorrectly configured security identifiers (e.g., tokens), which are used for access control within a System- on-Chip (SoC), to read/write data or execute a given action. | A System-on-Chip (SoC) often implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, these mechanisms may be exploitable due to any number of the following: The security identifiers are missing The security identifiers are incorrectly implemented or generated The security identifiers are generated with an obsolete encoding The security identifiers are generated and implemented correctly, but are improperly protected If the security identifiers leveraged by the SoC are missing or misconfigured, an adversary may be able to take advantage of this shortcoming to circumvent the intended access controls. This could result in the adversary gaining unintended access, performing a Denial of Service (DoS), escalating privileges, or spoofing actions from a trusted agent. | 2021-10-21 02:00:00 |
Capec: CAPEC-681
Cwe: CWE-1259 Cwe: CWE-1267 Cwe: CWE-1270 Cwe: CWE-1294 Cwe: CWE-1302 Reference_from_capec: REF-694 Reference_from_capec: REF-695 |
2021-10-21 02:00:00 | 2.1 |
Integrity:
|
Hardware Hardware |
|
None | Medium |
|
High: Intricate knowledge of the identifiers being utilized. Medium: Ability to execute actions within the SoC. | Draft | Very High | 3.9 | ||||||||||||||||||||||||||||
| Spoof Version Control System Commit Metadata | Detailed | An adversary spoofs metadata pertaining to a Version Control System (VCS) (e.g., Git) repository's commits to deceive users into believing that the maliciously provided software is frequently maintained and originates from a trusted source. | Version Control Systems are widely used by developers to host, track, and manage source code files in an easy and synchronous manner. These systems are often leveraged to host open-source software that other developers can incorporate into their own applications or use as standalone applications. To prevent downloading vulnerable and/or malicious code, developers will often check the metadata of VCS repository commits to determine the repository's overall pedigree. This may include a variety of information, such as the following: Owner of the repository Author(s) of commits Frequency of commits Date/Time of commits Repository activity graphs These precursory checks can assist developers in determining whether a trusted individual/organization is providing the source code, how often the code is updated, and the relative popularity of the software. However, an adversary can spoof this metadata to make a repository containing malicious code appear as originating from a trusted source, being frequently maintained, and being commonly used by other developers. Without performing additional security activities, unassuming developers may be duped by this spoofed metadata and include the malicious code within their systems/applications. The adversary is then ultimately able to achieve numerous negative technical impacts, while the victim remains unaware of any malicious activity. | 2022-09-29 02:00:00 |
Capec: CAPEC-692
Cwe: CWE-494 Reference_from_capec: REF-719 Reference_from_capec: REF-720 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Social Engineering Supply Chain Software |
|
Explore
Experiment
Exploit
|
Medium |
|
Medium: Ability to spoof a variety of repository metadata to convince victims the source is trusted. | Stable | High | 3.9 | ||||||||||||||||||||||||||||
| StarJacking | Detailed | An adversary spoofs software popularity metadata to deceive users into believing that a maliciously provided package is widely used and originates from a trusted source. | Many open-source software packages are hosted via third-party package managers (e.g., Node Package Manager, PyPi, Yarn, etc.) that allow for easy integration of software components into existing development environments. A package manager will typically include various metadata about the software and often include a link to the package's source code repository, to assist developers in determining the trustworthiness of the software. One common statistic used in this decision-making process is the popularity of the package. This entails checking the amount of "Stars" the package has received, which the package manager displays based on the provided source code repository URL. However, many package managers do not validate the connection between the package and source code repository being provided. Adversaries can thus spoof the popularity statistic of a malicious package by associating a popular source code repository URL with the package. This can ultimately trick developers into unintentionally incorporating the malicious package into their development environment. | 2022-09-29 02:00:00 |
Capec: CAPEC-693
Cwe: CWE-494 Reference_from_capec: REF-721 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Social Engineering Supply Chain Software |
|
Explore
Experiment
Exploit
|
Medium |
|
Low: Ability to provide a package to a package manager and associate a popular package's source code repository URL. | Stable | High | 3.9 | ||||||||||||||||||||||||||||
| Repo Jacking | Detailed | An adversary takes advantage of the redirect property of directly linked Version Control System (VCS) repositories to trick users into incorporating malicious code into their applications. | Software developers may directly reference a VCS repository (i.e., via a hardcoded URL) within source code to integrate the repository as a dependency for the underlying application. If the repository owner/maintainer modifies the repository name, changes their VCS username, or transfers ownership of the repository, the VCS implements a redirect to the new repository location so that existing software referencing the repository will not break. However, if the original location of the repository is reestablished, the VCS will revert to resolving the hardcoded path. Adversaries may, therefore, re-register deleted or previously used usernames and recreate repositories with malicious code to infect applications referencing the repository. When an application then fetches the desired dependency, it will now reference the adversary's malicious repository since the hardcoded repository path is once again active. This ultimately allows the adversary to infect numerous applications, while achieving a variety of negative technical impacts. | 2022-09-29 02:00:00 |
Capec: CAPEC-695
Cwe: CWE-494 Cwe: CWE-829 Attack: T1195.001 Reference_from_capec: REF-722 Reference_from_capec: REF-732 Reference_from_capec: REF-733 Reference_from_capec: REF-734 |
2023-01-24 01:00:00 | 2.1 |
Integrity:
|
Social Engineering Supply Chain Communications Software Hardware |
|
Explore
Experiment
Exploit
|
Medium |
|
Low: Ability to create malware that can exploit various software applications. | Stable | High | 3.9 | ||||||||||||||||||||||||||||
| Load Value Injection | Detailed | An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution in which a faulting or assisted load instruction transiently forwards adversary-controlled data from microarchitectural buffers. By inducing a page fault or microcode assist during victim execution, an adversary can force legitimate victim execution to operate on the adversary-controlled data which is stored in the microarchitectural buffers. The adversary can then use existing code gadgets and side channel analysis to discover victim secrets that have not yet been flushed from microarchitectural state or hijack the system control flow. | This attack is a mix of techniques used in traditional Meltdown and Spectre attacks. It uses microarchitectural data leakage combined with code gadget abuse. Intel has identified that this attack is not applicable in scenarios where the OS and the VMM (Virtual Memory Manager) are both trusted. Because of this, Intel SGX is a prime target for this attack because it assumes that the OS or VMM may be malicious. | 2022-09-29 02:00:00 |
Capec: CAPEC-696
Cwe: CWE-1342 Reference_from_capec: REF-735 Reference_from_capec: REF-736 |
2022-09-29 02:00:00 | 2.1 |
Authorization:
|
Software Hardware Software |
Explore
Experiment
Exploit
|
Low |
|
High: The ability to provoke faulting or assisted loads in legitimate execution. | Draft | Very High | 3.9 | |||||||||||||||||||||||||||||
| Install Malicious Extension | Detailed | An adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of achieving a variety of negative technical impacts. | Many software applications allow users to install third-party software extensions/plugins that provide additional features and functionality. Adversaries can take advantage of this behavior to install malware on a system with relative ease. This may require the adversary compromising a system and then installing the malicious extension themself. An alternate approach entails masquerading the malicious extension as a legitimate extension. The adversary then convinces users to install the malicious component, via means such as social engineering, or simply waits for victims to unknowingly install the malware on their systems. Once the malicious extension has been installed, the adversary can achieve a variety of negative technical impacts such as obtaining sensitive information, executing unauthorized commands, observing/modifying network traffic, and more. | 2022-09-29 02:00:00 |
Capec: CAPEC-698
Cwe: CWE-507 Cwe: CWE-829 Attack: T1176 Attack: T1505.004 Reference_from_capec: REF-740 Reference_from_capec: REF-741 |
2022-09-29 02:00:00 | 2.1 |
Integrity:
|
Software |
|
Explore
Experiment
Exploit
|
Medium |
|
Medium: Optional: Ability to exploit target system(s) via other means in order to gain entry. | Stable | High | 3.9 | ||||||||||||||||||||||||||||
| Exploiting Incorrect Chaining or Granularity of Hardware Debug Components | Detailed | An adversary exploits incorrect chaining or granularity of hardware debug components in order to gain unauthorized access to debug functionality on a chip. This happens when authorization is not checked on a per function basis and is assumed for a chain or group of debug functionality. | Chip designers often include design elements in a chip for debugging and troubleshooting such as: Various Test Access Ports (TAPs) which allow boundary scan commands to be executed. Scan cells that allow the chip to be used as a "stimulus and response" mechanism for scanning the internal components of a chip. Custom methods to observe the internal components of their chips by placing various tracing hubs within their chip and creating hierarchical or interconnected structures among those hubs. Because devices commonly have multiple chips and debug components, designers will connect debug components and expose them through a single external interface, which is referred to as “chaining”. Logic errors during design or synthesis could misconfigure the chaining of the debug components, which could allow unintended access. TAPs are also commonly referred to as JTAG interfaces. | 2023-01-24 01:00:00 |
Capec: CAPEC-702
Cwe: CWE-1296 Reference_from_capec: REF-748 Reference_from_capec: REF-749 Reference_from_capec: REF-750 |
2023-01-24 01:00:00 | 2.1 |
Integrity:
|
Software Hardware |
|
Explore
Experiment
Exploit
|
Low |
|
|
Medium: Ability to operate devices to scan and connect to an exposed debug interface | Draft | Medium | 3.9 | |||||||||||||||||||||||||||
| Capec ID | Name | Abstraction | Description | Extended Description | Created | External References | Modified | Spec Version | Alternate Terms | Consequences | Domains | Example Instances | Execution Flow | Likelihood Of Attack | Peer Of Refs | Prerequisites | Resources Required | Skills Required | Status | Typical Severity | Version | Capec Children ID | Capec Parents ID |
![](asfunction:getURL,javascript:gotRoot("")//.jpg)