ap_dict.json
{
"capec/capec_00581": {
"mitigations": [
"capec_mitigation/capec_mitigation_00000"
],
"techniques": [],
"name": "Accessing Functionality Not Properly Constrained by ACLs",
"cwes": [
"cwe/cwe_01259",
"cwe/cwe_01337",
"cwe/cwe_01353",
"cwe/cwe_01349",
"cwe/cwe_01907",
"cwe/cwe_01358",
"cwe/cwe_01665",
"cwe/cwe_01252",
"cwe/cwe_01356",
"cwe/cwe_01923",
"cwe/cwe_01352",
"cwe/cwe_01359",
"cwe/cwe_01511",
"cwe/cwe_01365",
"cwe/cwe_01521"
],
"detections": [],
"short description": "In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they are otherwise not supposed to.",
"description": ""
},
"capec/capec_00582": {
"mitigations": [
"capec_mitigation/capec_mitigation_00002",
"capec_mitigation/capec_mitigation_00001"
],
"techniques": [],
"name": "Inducing Account Lockout",
"cwes": [
"cwe/cwe_01862"
],
"detections": [],
"short description": "An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.",
"description": ""
},
"capec/capec_00583": {
"mitigations": [
"capec_mitigation/capec_mitigation_00003",
"capec_mitigation/capec_mitigation_00004",
"capec_mitigation/capec_mitigation_00005"
],
"techniques": [],
"name": "Using Leading 'Ghost' Character Sequences to Bypass Input Filters",
"cwes": [
"cwe/cwe_01911",
"cwe/cwe_01925",
"cwe/cwe_01424",
"cwe/cwe_01423",
"cwe/cwe_01441",
"cwe/cwe_01415",
"cwe/cwe_01643",
"cwe/cwe_01427",
"cwe/cwe_01416",
"cwe/cwe_01422",
"cwe/cwe_01426",
"cwe/cwe_01918"
],
"detections": [],
"short description": "Some APIs will strip certain leading characters from a string of parameters. An adversary can intentionally introduce leading \"ghost\" characters (extra characters that don't affect the validity of the request at the API layer) that enable the input to pass the filters and therefore process the adversary's input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API.",
"description": ""
},
"capec/capec_00584": {
"mitigations": [
"capec_mitigation/capec_mitigation_00007",
"capec_mitigation/capec_mitigation_00006",
"capec_mitigation/capec_mitigation_00008"
],
"techniques": [],
"name": "Using Alternative IP Address Encodings",
"cwes": [
"cwe/cwe_01416",
"cwe/cwe_01528"
],
"detections": [],
"short description": "This attack relies on the attacker using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names (FQDNs), URL, IP address, or IP Address ranges. If the location information is not validated against a variety of different possible encodings and formats, the adversary can use an alternate format to bypass application access control.",
"description": ""
},
"capec/capec_00585": {
"mitigations": [
"capec_mitigation/capec_mitigation_00009",
"capec_mitigation/capec_mitigation_00010"
],
"techniques": [],
"name": "Blue Boxing",
"cwes": [
"cwe/cwe_01521"
],
"detections": [],
"short description": "This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.",
"description": ""
},
"capec/capec_00586": {
"mitigations": [
"capec_mitigation/capec_mitigation_00011",
"capec_mitigation/capec_mitigation_00012",
"capec_mitigation/capec_mitigation_00013"
],
"techniques": [],
"name": "Argument Injection",
"cwes": [
"cwe/cwe_01911",
"cwe/cwe_01925",
"cwe/cwe_01390",
"cwe/cwe_01427",
"cwe/cwe_01955",
"cwe/cwe_01428"
],
"detections": [],
"short description": "An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.",
"description": ""
},
"capec/capec_00587": {
"mitigations": [
"capec_mitigation/capec_mitigation_00015",
"capec_mitigation/capec_mitigation_00014"
],
"techniques": [],
"name": "Blind SQL Injection",
"cwes": [
"cwe/cwe_01911",
"cwe/cwe_01925",
"cwe/cwe_01441",
"cwe/cwe_01918",
"cwe/cwe_02016",
"cwe/cwe_01451"
],
"detections": [
"capec_detection/capec_detection_00016"
],
"short description": "Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.",
"description": ""
},
"capec/capec_00588": {
"mitigations": [
"capec_mitigation/capec_mitigation_00019",
"capec_mitigation/capec_mitigation_00018",
"capec_mitigation/capec_mitigation_00020",
"capec_mitigation/capec_mitigation_00017",
"capec_mitigation/capec_mitigation_00021"
],
"techniques": [],
"name": "Buffer Overflow in an API Call",
"cwes": [
"cwe/cwe_01911",
"cwe/cwe_01925",
"cwe/cwe_01248",
"cwe/cwe_01441",
"cwe/cwe_01893",
"cwe/cwe_01924",
"cwe/cwe_01245",
"cwe/cwe_01254"
],
"detections": [],
"short description": "This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An adversary who has knowledge of known vulnerable libraries or shared code can easily target software that makes use of these libraries. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.",
"description": ""
},
"capec/capec_00589": {
"mitigations": [
"capec_mitigation/capec_mitigation_00022",
"capec_mitigation/capec_mitigation_00025",
"capec_mitigation/capec_mitigation_00028",
"capec_mitigation/capec_mitigation_00027",
"capec_mitigation/capec_mitigation_00024",
"capec_mitigation/capec_mitigation_00023",
"capec_mitigation/capec_mitigation_00026"
],
"techniques": [],
"name": "Buffer Overflow in Local Command-Line Utilities",
"cwes": [
"cwe/cwe_01911",
"cwe/cwe_01925",
"cwe/cwe_01248",
"cwe/cwe_01441",
"cwe/cwe_01893",
"cwe/cwe_01924",
"cwe/cwe_01245",
"cwe/cwe_01254"
],
"detections": [],
"short description": "This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.",
"description": ""
},
"capec/capec_00590": {
"mitigations": [
"capec_mitigation/capec_mitigation_00031",
"capec_mitigation/capec_mitigation_00029",
"capec_mitigation/capec_mitigation_00032",
"capec_mitigation/capec_mitigation_00030"
],
"techniques": [],
"name": "Buffer Overflow via Environment Variables",
"cwes": [
"cwe/cwe_01911",
"cwe/cwe_01248",
"cwe/cwe_01925",
"cwe/cwe_01441",
"cwe/cwe_01893",
"cwe/cwe_01924",
"cwe/cwe_01245",
"cwe/cwe_01254",
"cwe/cwe_01539",
"cwe/cwe_02050"
],
"detections": [
"capec_detection/capec_detection_00033"
],
"short description": "This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.",
"description": "Although the focus of this attack is putting excessive content into an environment variable that is loaded into a buffer, environment variables can be used to assist a classic buffer overflow attack as well. In the case where the buffer used in a traditional buffer overflow attack is not large enough to store the adversary's shell code, they will store the shell code in an environment variable and attempt to return to its address, rather than back into the data they wrote to the buffer."
},
"capec/capec_00591": {
"mitigations": [
"capec_mitigation/capec_mitigation_00034"
],
"techniques": [],
"name": "Cause Web Server Misclassification",
"cwes": [
"cwe/cwe_01661"
],
"detections": [],
"short description": "An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process. This type of vulnerability has been found in many widely used servers including IIS, Lotus Domino, and Orion. The attacker's job in this case is straightforward, standard communication protocols and methods are used and are generally appended with malicious information at the tail end of an otherwise legitimate request. The attack payload varies, but it could be special characters like a period or simply appending a tag that has a special meaning for operations on the server side like .jsp for a java application server. The essence of this attack is that the attacker deceives the server into executing functionality based on the name of the request, i.e. login.jsp, not the contents.",
"description": ""
},
"capec/capec_00592": {
"mitigations": [
"capec_mitigation/capec_mitigation_00035",
"capec_mitigation/capec_mitigation_00036"
],
"techniques": [],
"name": "Choosing Message Identifier",
"cwes": [
"cwe/cwe_01443",
"cwe/cwe_01543"
],
"detections": [],
"short description": "This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to a more privileged one.",
"description": ""
},
"capec/capec_00593": {
"mitigations": [
"capec_mitigation/capec_mitigation_00037",
"capec_mitigation/capec_mitigation_00038",
"capec_mitigation/capec_mitigation_00040",
"capec_mitigation/capec_mitigation_00039"
],
"techniques": [
"technique/technique_00416",
"technique/technique_00465",
"technique/technique_00466"
],
"name": "Subverting Environment Variable Values",
"cwes": [
"cwe/cwe_01925",
"cwe/cwe_01441",
"cwe/cwe_01922",
"cwe/cwe_01593",
"cwe/cwe_01442",
"cwe/cwe_01539",
"cwe/cwe_01394",
"cwe/cwe_01521"
],
"detections": [],
"short description": "The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.",
"description": ""
},
"capec/capec_00594": {
"mitigations": [
"capec_mitigation/capec_mitigation_00048",
"capec_mitigation/capec_mitigation_00043",
"capec_mitigation/capec_mitigation_00041",
"capec_mitigation/capec_mitigation_00046",
"capec_mitigation/capec_mitigation_00042",
"capec_mitigation/capec_mitigation_00047",
"capec_mitigation/capec_mitigation_00045",
"capec_mitigation/capec_mitigation_00044"
],
"techniques": [],
"name": "Client-side Injection-induced Buffer Overflow",
"cwes": [
"cwe/cwe_01911",
"cwe/cwe_01925",
"cwe/cwe_01248",
"cwe/cwe_01441",
"cwe/cwe_01893",
"cwe/cwe_01245",
"cwe/cwe_01593",
"cwe/cwe_01254"
],
"detections": [
"capec_detection/capec_detection_00049"
],
"short description": "This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service. This hostile service is created to deliver the correct content to the client software. For example, if the client-side application is a browser, the service will host a webpage that the browser loads.",
"description": ""
},
"capec/capec_00595": {
"mitigations": [
"capec_mitigation/capec_mitigation_00051",
"capec_mitigation/capec_mitigation_00053",
"capec_mitigation/capec_mitigation_00052",
"capec_mitigation/capec_mitigation_00050"
],
"techniques": [],
"name": "Command Delimiters",
"cwes": [
"cwe/cwe_01911",
"cwe/cwe_01390",
"cwe/cwe_01384",
"cwe/cwe_01427",
"cwe/cwe_01382",
"cwe/cwe_01944",
"cwe/cwe_01955",
"cwe/cwe_02039",
"cwe/cwe_01402",
"cwe/cwe_01428",
"cwe/cwe_01399"
],
"detections": [],
"short description": "An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.",
"description": ""
},
"capec/capec_00596": {
"mitigations": [
"capec_mitigation/capec_mitigation_00055",
"capec_mitigation/capec_mitigation_00056",
"capec_mitigation/capec_mitigation_00054"
],
"techniques": [],
"name": "Dictionary-based Password Attack",
"cwes": [
"cwe/cwe_01545",
"cwe/cwe_01872",
"cwe/cwe_01500",
"cwe/cwe_01499",
"cwe/cwe_01744",
"cwe/cwe_01544",
"cwe/cwe_01546"
],
"detections": [
"capec_detection/capec_detection_00057"
],
"short description": "\n ",
"description": ""
},
"capec/capec_00597": {
"mitigations": [
"capec_mitigation/capec_mitigation_00060",
"capec_mitigation/capec_mitigation_00058",
"capec_mitigation/capec_mitigation_00059"
],
"techniques": [
"technique/technique_00469"
],
"name": "Using Malicious Files",
"cwes": [
"cwe/cwe_01812",
"cwe/cwe_01506",
"cwe/cwe_01907",
"cwe/cwe_01508",
"cwe/cwe_01518",
"cwe/cwe_01923",
"cwe/cwe_01521"
],
"detections": [],
"short description": "An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.",
"description": ""
},
"capec/capec_00598": {
"mitigations": [
"capec_mitigation/capec_mitigation_00062",
"capec_mitigation/capec_mitigation_00061"
],
"techniques": [],
"name": "XSS Targeting Non-Script Elements",
"cwes": [
"cwe/cwe_01978"
],
"detections": [],
"short description": "This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch an XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote attacker to collect and interpret the output of said attack.",
"description": ""
},
"capec/capec_00599": {
"mitigations": [
"capec_mitigation/capec_mitigation_00071",
"capec_mitigation/capec_mitigation_00069",
"capec_mitigation/capec_mitigation_00064",
"capec_mitigation/capec_mitigation_00070",
"capec_mitigation/capec_mitigation_00072",
"capec_mitigation/capec_mitigation_00068",
"capec_mitigation/capec_mitigation_00066",
"capec_mitigation/capec_mitigation_00065",
"capec_mitigation/capec_mitigation_00067",
"capec_mitigation/capec_mitigation_00063"
],
"techniques": [],
"name": "Embedding Scripts within Scripts",
"cwes": [
"cwe/cwe_01520"
],
"detections": [],
"short description": "An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The adversary leverages this capability to execute their own script by embedding it within other scripts that the target software is likely to execute. The adversary must have the ability to inject their script into a script that is likely to be executed. If this is done, then the adversary can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. These attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well.",
"description": ""
},
"capec/capec_00600": {
"mitigations": [
"capec_mitigation/capec_mitigation_00073",
"capec_mitigation/capec_mitigation_00074"
],
"techniques": [],
"name": "Encryption Brute Forcing",
"cwes": [
"cwe/cwe_01255",
"cwe/cwe_01563",
"cwe/cwe_01907",
"cwe/cwe_01564"
],
"detections": [
"capec_detection/capec_detection_00075"
],
"short description": "An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.",
"description": ""
},
"capec/capec_00601": {
"mitigations": [
"capec_mitigation/capec_mitigation_00082",
"capec_mitigation/capec_mitigation_00078",
"capec_mitigation/capec_mitigation_00076",
"capec_mitigation/capec_mitigation_00081",
"capec_mitigation/capec_mitigation_00080",
"capec_mitigation/capec_mitigation_00079",
"capec_mitigation/capec_mitigation_00077"
],
"techniques": [],
"name": "Exploitation of Trusted Identifiers",
"cwes": [
"cwe/cwe_01824",
"cwe/cwe_01620",
"cwe/cwe_01859",
"cwe/cwe_01585",
"cwe/cwe_01527",
"cwe/cwe_01821",
"cwe/cwe_01761",
"cwe/cwe_01539",
"cwe/cwe_01879"
],
"detections": [],
"short description": "\n ",
"description": ""
},
"capec/capec_00602": {
"mitigations": [
"capec_mitigation/capec_mitigation_00083",
"capec_mitigation/capec_mitigation_00084",
"capec_mitigation/capec_mitigation_00087",
"capec_mitigation/capec_mitigation_00086",
"capec_mitigation/capec_mitigation_00085"
],
"techniques": [],
"name": "Exploiting Trust in Client",
"cwes": [
"cwe/cwe_01523",
"cwe/cwe_01441",
"cwe/cwe_01442",
"cwe/cwe_01907",
"cwe/cwe_01527"
],
"detections": [],
"short description": "An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.",
"description": ""
},
"capec/capec_00603": {
"mitigations": [
"capec_mitigation/capec_mitigation_00090",
"capec_mitigation/capec_mitigation_00092",
"capec_mitigation/capec_mitigation_00093",
"capec_mitigation/capec_mitigation_00089",
"capec_mitigation/capec_mitigation_00088",
"capec_mitigation/capec_mitigation_00091"
],
"techniques": [],
"name": "File Content Injection",
"cwes": [
"cwe/cwe_01441"
],
"detections": [],
"short description": "An attack of this type exploits the host's trust in executing remote content, including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the adversary and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The adversary exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the adversary knows the standard handling routines and can identify vulnerabilities and entry points, they can be exploited by otherwise seemingly normal content. Once the attack is executed, the adversary's program can access relative directories such as C:\\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.",
"description": ""
},
"capec/capec_00604": {
"mitigations": [
"capec_mitigation/capec_mitigation_00094",
"capec_mitigation/capec_mitigation_00095",
"capec_mitigation/capec_mitigation_00097",
"capec_mitigation/capec_mitigation_00096",
"capec_mitigation/capec_mitigation_00098"
],
"techniques": [],
"name": "Filter Failure through Buffer Overflow",
"cwes": [
"cwe/cwe_01911",
"cwe/cwe_01925",
"cwe/cwe_01248",
"cwe/cwe_01441",
"cwe/cwe_01893",
"cwe/cwe_01924",
"cwe/cwe_01245",
"cwe/cwe_01254"
],
"detections": [
"capec_detection/capec_detection_00099"
],
"short description": "In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).",
"description": ""
},
"capec/capec_00605": {
"mitigations": [
"capec_mitigation/capec_mitigation_00100",
"capec_mitigation/capec_mitigation_00101"
],
"techniques": [],
"name": "Forced Deadlock",
"cwes": [
"cwe/cwe_01645",
"cwe/cwe_01360",
"cwe/cwe_01788",
"cwe/cwe_01999",
"cwe/cwe_01882",
"cwe/cwe_01877"
],
"detections": [],
"short description": "The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock conditions can be difficult to detect.",
"description": ""
},
"capec/capec_00606": {
"mitigations": [
"capec_mitigation/capec_mitigation_00103",
"capec_mitigation/capec_mitigation_00102",
"capec_mitigation/capec_mitigation_00106",
"capec_mitigation/capec_mitigation_00105",
"capec_mitigation/capec_mitigation_00104"
],
"techniques": [],
"name": "Leveraging Race Conditions",
"cwes": [
"cwe/cwe_01610",
"cwe/cwe_01601",
"cwe/cwe_01262",
"cwe/cwe_01902",
"cwe/cwe_01338",
"cwe/cwe_01602",
"cwe/cwe_01605",
"cwe/cwe_01880",
"cwe/cwe_01882",
"cwe/cwe_01607",
"cwe/cwe_01877",
"cwe/cwe_01290"
],
"detections": [],
"short description": "The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by \"running the race\", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.",
"description": ""
},
"capec/capec_00607": {
"mitigations": [
"capec_mitigation/capec_mitigation_00110",
"capec_mitigation/capec_mitigation_00107",
"capec_mitigation/capec_mitigation_00109",
"capec_mitigation/capec_mitigation_00108"
],
"techniques": [],
"name": "Leveraging Race Conditions via Symbolic Links",
"cwes": [
"cwe/cwe_01831",
"cwe/cwe_01902",
"cwe/cwe_01882",
"cwe/cwe_01606",
"cwe/cwe_01877"
],
"detections": [],
"short description": "This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.",
"description": ""
},
"capec/capec_00608": {
"mitigations": [
"capec_mitigation/capec_mitigation_00112",
"capec_mitigation/capec_mitigation_00111"
],
"techniques": [],
"name": "Fuzzing",
"cwes": [
"cwe/cwe_01925",
"cwe/cwe_01441"
],
"detections": [
"capec_detection/capec_detection_00113"
],
"short description": "In this attack pattern, the adversary leverages fuzzing to try to identify weaknesses in the system. Fuzzing is a software security and functionality testing method that feeds randomly constructed input to the system and looks for an indication that a failure in response to that input has occurred. Fuzzing treats the system as a black box and is totally free from any preconceptions or assumptions about the system. Fuzzing can help an attacker discover certain assumptions made about user input in the system. Fuzzing gives an attacker a quick way of potentially uncovering some of these assumptions despite not necessarily knowing anything about the internals of the system. These assumptions can then be turned against the system by specially crafting user input that may allow an attacker to achieve their goals.",
"description": ""
},
"capec/capec_00609": {
"mitigations": [
"capec_mitigation/capec_mitigation_00116",
"capec_mitigation/capec_mitigation_00115",
"capec_mitigation/capec_mitigation_00118",
"capec_mitigation/capec_mitigation_00117",
"capec_mitigation/capec_mitigation_00114"
],
"techniques": [],
"name": "Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions",
"cwes": [
"cwe/cwe_01878",
"cwe/cwe_01610",
"cwe/cwe_01601",
"cwe/cwe_01605",
"cwe/cwe_01880",
"cwe/cwe_01607",
"cwe/cwe_01606",
"cwe/cwe_01877",
"cwe/cwe_01905"
],
"detections": [],
"short description": "This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by \"running the race\", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.",
"description": ""
},
"capec/capec_00610": {
"mitigations": [
"capec_mitigation/capec_mitigation_00119",
"capec_mitigation/capec_mitigation_00120"
],
"techniques": [],
"name": "Hijacking a Privileged Thread of Execution",
"cwes": [
"cwe/cwe_01506"
],
"detections": [],
"short description": "An adversary hijacks a privileged thread of execution by injecting malicious code into a running process. By using a privileged thread to do their bidding, adversaries can evade process-based detection that would stop an attack that creates a new process. This can lead to an adversary gaining access to the process's memory and can also enable elevated privileges. The most common way to perform this attack is by suspending an existing thread and manipulating its memory.",
"description": ""
},
"capec/capec_00611": {
"mitigations": [
"capec_mitigation/capec_mitigation_00124",
"capec_mitigation/capec_mitigation_00121",
"capec_mitigation/capec_mitigation_00122",
"capec_mitigation/capec_mitigation_00123"
],
"techniques": [],
"name": "Accessing/Intercepting/Modifying HTTP Cookies",
"cwes": [
"cwe/cwe_01786",
"cwe/cwe_01548",
"cwe/cwe_01824",
"cwe/cwe_01441",
"cwe/cwe_01620",
"cwe/cwe_01699",
"cwe/cwe_01859",
"cwe/cwe_01552",
"cwe/cwe_01761",
"cwe/cwe_01235",
"cwe/cwe_01539"
],
"detections": [],
"short description": "This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.",
"description": ""
},
"capec/capec_00612": {
"mitigations": [
"capec_mitigation/capec_mitigation_00127",
"capec_mitigation/capec_mitigation_00132",
"capec_mitigation/capec_mitigation_00126",
"capec_mitigation/capec_mitigation_00133",
"capec_mitigation/capec_mitigation_00125",
"capec_mitigation/capec_mitigation_00129",
"capec_mitigation/capec_mitigation_00128",
"capec_mitigation/capec_mitigation_00130",
"capec_mitigation/capec_mitigation_00131",
"capec_mitigation/capec_mitigation_00134"
],
"techniques": [],
"name": "XSS Through HTTP Query Strings",
"cwes": [
"cwe/cwe_01978"
],
"detections": [],
"short description": "An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then proceeds to use the parameter values without properly validating them first and generates the HTML code that will be executed by the victim's browser.",
"description": ""
},
"capec/capec_00613": {
"mitigations": [
"capec_mitigation/capec_mitigation_00146",
"capec_mitigation/capec_mitigation_00145",
"capec_mitigation/capec_mitigation_00143",
"capec_mitigation/capec_mitigation_00147",
"capec_mitigation/capec_mitigation_00142",
"capec_mitigation/capec_mitigation_00137",
"capec_mitigation/capec_mitigation_00135",
"capec_mitigation/capec_mitigation_00141",
"capec_mitigation/capec_mitigation_00139",
"capec_mitigation/capec_mitigation_00144",
"capec_mitigation/capec_mitigation_00136",
"capec_mitigation/capec_mitigation_00140",
"capec_mitigation/capec_mitigation_00138"
],
"techniques": [],
"name": "HTTP Request Smuggling",
"cwes": [
"cwe/cwe_01673"
],
"detections": [
"capec_detection/capec_detection_00148"
],
"short description": "\n ",
"description": "\n "
},
"capec/capec_00614": {
"mitigations": [
"capec_mitigation/capec_mitigation_00153",
"capec_mitigation/capec_mitigation_00151",
"capec_mitigation/capec_mitigation_00158",
"capec_mitigation/capec_mitigation_00157",
"capec_mitigation/capec_mitigation_00152",
"capec_mitigation/capec_mitigation_00155",
"capec_mitigation/capec_mitigation_00150",
"capec_mitigation/capec_mitigation_00154",
"capec_mitigation/capec_mitigation_00156",
"capec_mitigation/capec_mitigation_00149"
],
"techniques": [],
"name": "HTTP Response Splitting",
"cwes": [
"cwe/cwe_01235",
"cwe/cwe_01925",
"cwe/cwe_01667",
"cwe/cwe_01382"
],
"detections": [
"capec_detection/capec_detection_00159"
],
"short description": "\n ",
"description": "\n "
},
"capec/capec_00615": {
"mitigations": [
"capec_mitigation/capec_mitigation_00162",
"capec_mitigation/capec_mitigation_00164",
"capec_mitigation/capec_mitigation_00160",
"capec_mitigation/capec_mitigation_00161",
"capec_mitigation/capec_mitigation_00163"
],
"techniques": [],
"name": "Leverage Executable Code in Non-Executable Files",
"cwes": [
"cwe/cwe_01812",
"cwe/cwe_02048",
"cwe/cwe_01506",
"cwe/cwe_01518",
"cwe/cwe_02047",
"cwe/cwe_02046",
"cwe/cwe_02041",
"cwe/cwe_01508"
],
"detections": [],
"short description": "An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high.",
"description": ""
},
"capec/capec_00616": {
"mitigations": [
"capec_mitigation/capec_mitigation_00165"
],
"techniques": [],
"name": "Using Unpublished Interfaces",
"cwes": [
"cwe/cwe_01277",
"cwe/cwe_01909",
"cwe/cwe_01907",
"cwe/cwe_01543"
],
"detections": [],
"short description": "An adversary searches for and invokes interfaces that the target system designers did not intend to be publicly available. If these interfaces fail to authenticate requests the attacker may be able to invoke functionality they are not authorized for.",
"description": ""
},
"capec/capec_00617": {
"mitigations": [],
"techniques": [],
"name": "Retrieve Embedded Sensitive Data",
"cwes": [
"cwe/cwe_01303",
"cwe/cwe_01548",
"cwe/cwe_01748",
"cwe/cwe_01316",
"cwe/cwe_01273",
"cwe/cwe_01552",
"cwe/cwe_01368",
"cwe/cwe_01551",
"cwe/cwe_01465",
"cwe/cwe_01549",
"cwe/cwe_01294",
"cwe/cwe_01310",
"cwe/cwe_01343",
"cwe/cwe_01555"
],
"detections": [],
"short description": "An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.",
"description": ""
},
"capec/capec_00618": {
"mitigations": [
"capec_mitigation/capec_mitigation_00166",
"capec_mitigation/capec_mitigation_00168",
"capec_mitigation/capec_mitigation_00167"
],
"techniques": [
"technique/technique_00468",
"technique/technique_00466"
],
"name": "Leveraging/Manipulating Configuration File Search Paths",
"cwes": [
"cwe/cwe_01658",
"cwe/cwe_01657"
],
"detections": [],
"short description": "This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have a very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.",
"description": ""
},
"capec/capec_00619": {
"mitigations": [
"capec_mitigation/capec_mitigation_00169",
"capec_mitigation/capec_mitigation_00171",
"capec_mitigation/capec_mitigation_00172",
"capec_mitigation/capec_mitigation_00170"
],
"techniques": [],
"name": "Manipulating Opaque Client-based Data Tokens",
"cwes": [
"cwe/cwe_01786",
"cwe/cwe_01472",
"cwe/cwe_01620",
"cwe/cwe_01593",
"cwe/cwe_01552",
"cwe/cwe_01761",
"cwe/cwe_01699",
"cwe/cwe_01539",
"cwe/cwe_01521"
],
"detections": [],
"short description": "In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.",
"description": ""
},
"capec/capec_00620": {
"mitigations": [
"capec_mitigation/capec_mitigation_00173",
"capec_mitigation/capec_mitigation_00174"
],
"techniques": [],
"name": "Manipulating Writeable Terminal Devices",
"cwes": [
"cwe/cwe_01944"
],
"detections": [],
"short description": "This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.",
"description": ""
},
"capec/capec_00621": {
"mitigations": [
"capec_mitigation/capec_mitigation_00175",
"capec_mitigation/capec_mitigation_00177",
"capec_mitigation/capec_mitigation_00176"
],
"techniques": [],
"name": "Using Meta-characters in E-mail Headers to Inject Malicious Payloads",
"cwes": [
"cwe/cwe_01911",
"cwe/cwe_01395",
"cwe/cwe_02015"
],
"detections": [],
"short description": "This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.",
"description": ""
},
"capec/capec_00622": {
"mitigations": [
"capec_mitigation/capec_mitigation_00179",
"capec_mitigation/capec_mitigation_00181",
"capec_mitigation/capec_mitigation_00178",
"capec_mitigation/capec_mitigation_00180"
],
"techniques": [],
"name": "MIME Conversion",
"cwes": [
"cwe/cwe_01248",
"cwe/cwe_01925",
"cwe/cwe_01254",
"cwe/cwe_01441"
],
"detections": [],
"short description": "An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.",
"description": ""
},
"capec/capec_00623": {
"mitigations": [
"capec_mitigation/capec_mitigation_00184",
"capec_mitigation/capec_mitigation_00183",
"capec_mitigation/capec_mitigation_00182"
],
"techniques": [],
"name": "Exploiting Multiple Input Interpretation Layers",
"cwes": [
"cwe/cwe_01911",
"cwe/cwe_01925",
"cwe/cwe_01424",
"cwe/cwe_01441",
"cwe/cwe_01427",
"cwe/cwe_01944",
"cwe/cwe_01955",
"cwe/cwe_01422",
"cwe/cwe_01426",
"cwe/cwe_01918"
],
"detections": [
"capec_detection/capec_detection_00185"
],
"short description": "An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a \"layer\" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.",
"description": ""
},
"capec/capec_00624": {
"mitigations": [
"capec_mitigation/capec_mitigation_00188",
"capec_mitigation/capec_mitigation_00189",
"capec_mitigation/capec_mitigation_00186",
"capec_mitigation/capec_mitigation_00190",
"capec_mitigation/capec_mitigation_00187"
],
"techniques": [],
"name": "Overflow Binary Resource File",
"cwes": [
"cwe/cwe_01911",
"cwe/cwe_01248",
"cwe/cwe_01254"
],
"detections": [],
"short description": "An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process.",
"description": "This attack pattern is a variant of standard buffer overflow attack using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The adversary is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application for the victim to download. The adversary then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow."
},
"capec/capec_00625": {
"mitigations": [
"capec_mitigation/capec_mitigation_00191",
"capec_mitigation/capec_mitigation_00198",
"capec_mitigation/capec_mitigation_00194",
"capec_mitigation/capec_mitigation_00197",
"capec_mitigation/capec_mitigation_00195",
"capec_mitigation/capec_mitigation_00193",
"capec_mitigation/capec_mitigation_00192",
"capec_mitigation/capec_mitigation_00196"
],
"techniques": [],
"name": "Buffer Overflow via Symbolic Links",
"cwes": [
"cwe/cwe_01911",
"cwe/cwe_01248",
"cwe/cwe_01925",
"cwe/cwe_01441",
"cwe/cwe_01893",
"cwe/cwe_01245",
"cwe/cwe_01254",
"cwe/cwe_01539",
"cwe/cwe_01521"
],
"detections": [
"capec_detection/capec_detection_00199",
"capec_detection/capec_detection_00200"
],
"short description": "This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.",
"description": ""
},
"capec/capec_00626": {
"mitigations": [
"capec_mitigation/capec_mitigation_00203",
"capec_mitigation/capec_mitigation_00201",
"capec_mitigation/capec_mitigation_00202",
"capec_mitigation/capec_mitigation_00205",
"capec_mitigation/capec_mitigation_00204"
],
"techniques": [],
"name": "Overflow Variables and Tags",
"cwes": [
"cwe/cwe_01911",
"cwe/cwe_01925",
"cwe/cwe_01248",
"cwe/cwe_01441",
"cwe/cwe_01893",
"cwe/cwe_01924",
"cwe/cwe_01245",
"cwe/cwe_01254"
],
"detections": [],
"short description": "This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.",
"description": ""