capec_temp.json

[{"_key":"capec_00581","_id":"capec/capec_00581","_rev":"_dVyyXDa---","original_id":"1","datatype":"capec","name":"Accessing Functionality Not Properly Constrained by ACLs","metadata":{"description":"","short_description":"In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to."}},{"_key":"capec_00582","_id":"capec/capec_00582","_rev":"_dVyyXDa--_","original_id":"2","datatype":"capec","name":"Inducing Account Lockout","metadata":{"description":"","short_description":"An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks."}},{"_key":"capec_00583","_id":"capec/capec_00583","_rev":"_dVyyXDa--A","original_id":"3","datatype":"capec","name":"Using Leading 'Ghost' Character Sequences to Bypass Input Filters","metadata":{"description":"","short_description":"Some APIs will strip certain leading characters from a string of parameters. An adversary can intentionally introduce leading \"ghost\" characters (extra characters that don't affect the validity of the request at the API layer) that enable the input to pass the filters and therefore process the adversary's input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API."}},{"_key":"capec_00584","_id":"capec/capec_00584","_rev":"_dVyyXDa--B","original_id":"4","datatype":"capec","name":"Using Alternative IP Address Encodings","metadata":{"description":"","short_description":"This attack relies on the attacker using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names (FQDNs), URL, IP address, or IP Address ranges. If the location information is not validated against a variety of different possible encodings and formats, the adversary can use an alternate format to bypass application access control."}},{"_key":"capec_00585","_id":"capec/capec_00585","_rev":"_dVyyXDa--C","original_id":"5","datatype":"capec","name":"Blue Boxing","metadata":{"description":"","short_description":"This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions."}},{"_key":"capec_00586","_id":"capec/capec_00586","_rev":"_dVyyXDa--D","original_id":"6","datatype":"capec","name":"Argument Injection","metadata":{"description":"","short_description":"An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods."}},{"_key":"capec_00587","_id":"capec/capec_00587","_rev":"_dVyyXDa--E","original_id":"7","datatype":"capec","name":"Blind SQL Injection","metadata":{"description":"","short_description":"Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection."}},{"_key":"capec_00588","_id":"capec/capec_00588","_rev":"_dVyyXDa--F","original_id":"8","datatype":"capec","name":"Buffer Overflow in an API Call","metadata":{"description":"","short_description":"This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An adversary who has knowledge of known vulnerable libraries or shared code can easily target software that makes use of these libraries. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process."}},{"_key":"capec_00589","_id":"capec/capec_00589","_rev":"_dVyyXDa--G","original_id":"9","datatype":"capec","name":"Buffer Overflow in Local Command-Line Utilities","metadata":{"description":"","short_description":"This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root."}},{"_key":"capec_00590","_id":"capec/capec_00590","_rev":"_dVyyXDa--H","original_id":"10","datatype":"capec","name":"Buffer Overflow via Environment Variables","metadata":{"description":"Although the focus of this attack is putting excessive content into an environment variable that is loaded into a buffer, environment variables can be used to assist a classic buffer overflow attack as well. In the case where the buffer used in a traditional buffer overflow attack is not large enough to store the adversary's shell code, they will store the shell code in an environment variable and attempt to return to its address, rather than back into the data they wrote to the buffer.","short_description":"This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables."}},{"_key":"capec_00591","_id":"capec/capec_00591","_rev":"_dVyyXDa--I","original_id":"11","datatype":"capec","name":"Cause Web Server Misclassification","metadata":{"description":"","short_description":"An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process. This type of vulnerability has been found in many widely used servers including IIS, Lotus Domino, and Orion. The attacker's job in this case is straightforward, standard communication protocols and methods are used and are generally appended with malicious information at the tail end of an otherwise legitimate request. The attack payload varies, but it could be special characters like a period or simply appending a tag that has a special meaning for operations on the server side like .jsp for a java application server. The essence of this attack is that the attacker deceives the server into executing functionality based on the name of the request, i.e. login.jsp, not the contents."}},{"_key":"capec_00592","_id":"capec/capec_00592","_rev":"_dVyyXDa--J","original_id":"12","datatype":"capec","name":"Choosing Message Identifier","metadata":{"description":"","short_description":"This pattern of attack is defined by the selection of messages distributed over via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one."}},{"_key":"capec_00593","_id":"capec/capec_00593","_rev":"_dVyyXDa--K","original_id":"13","datatype":"capec","name":"Subverting Environment Variable Values","metadata":{"description":"","short_description":"The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker."}},{"_key":"capec_00594","_id":"capec/capec_00594","_rev":"_dVyyXDa--L","original_id":"14","datatype":"capec","name":"Client-side Injection-induced Buffer Overflow","metadata":{"description":"","short_description":"This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service. This hostile service is created to deliver the correct content to the client software. For example, if the client-side application is a browser, the service will host a webpage that the browser loads."}},{"_key":"capec_00595","_id":"capec/capec_00595","_rev":"_dVyyXDa--M","original_id":"15","datatype":"capec","name":"Command Delimiters","metadata":{"description":"","short_description":"An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on."}},{"_key":"capec_00596","_id":"capec/capec_00596","_rev":"_dVyyXDa--N","original_id":"16","datatype":"capec","name":"Dictionary-based Password Attack","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_00597","_id":"capec/capec_00597","_rev":"_dVyyXDa--O","original_id":"17","datatype":"capec","name":"Using Malicious Files","metadata":{"description":"","short_description":"An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface."}},{"_key":"capec_00598","_id":"capec/capec_00598","_rev":"_dVyyXDa--P","original_id":"18","datatype":"capec","name":"XSS Targeting Non-Script Elements","metadata":{"description":"","short_description":"This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote attacker to collect and interpret the output of said attack."}},{"_key":"capec_00599","_id":"capec/capec_00599","_rev":"_dVyyXDa--Q","original_id":"19","datatype":"capec","name":"Embedding Scripts within Scripts","metadata":{"description":"","short_description":"An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The adversary leverages this capability to execute their own script by embedding it within other scripts that the target software is likely to execute. The adversary must have the ability to inject their script into a script that is likely to be executed. If this is done, then the adversary can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. These attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well."}},{"_key":"capec_00600","_id":"capec/capec_00600","_rev":"_dVyyXDa--R","original_id":"20","datatype":"capec","name":"Encryption Brute Forcing","metadata":{"description":"","short_description":"An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext."}},{"_key":"capec_00601","_id":"capec/capec_00601","_rev":"_dVyyXDa--S","original_id":"21","datatype":"capec","name":"Exploitation of Trusted Identifiers","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_00602","_id":"capec/capec_00602","_rev":"_dVyyXDa--T","original_id":"22","datatype":"capec","name":"Exploiting Trust in Client","metadata":{"description":"","short_description":"An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack."}},{"_key":"capec_00603","_id":"capec/capec_00603","_rev":"_dVyyXDa--U","original_id":"23","datatype":"capec","name":"File Content Injection","metadata":{"description":"","short_description":"An attack of this type exploits the host's trust in executing remote content, including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the adversary and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The adversary exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the adversary knows the standard handling routines and can identify vulnerabilities and entry points, they can be exploited by otherwise seemingly normal content. Once the attack is executed, the adversary's program can access relative directories such as C:\\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus."}},{"_key":"capec_00604","_id":"capec/capec_00604","_rev":"_dVyyXDa--V","original_id":"24","datatype":"capec","name":"Filter Failure through Buffer Overflow","metadata":{"description":"","short_description":"In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered)."}},{"_key":"capec_00605","_id":"capec/capec_00605","_rev":"_dVyyXDa--W","original_id":"25","datatype":"capec","name":"Forced Deadlock","metadata":{"description":"","short_description":"The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock conditions can be difficult to detect."}},{"_key":"capec_00606","_id":"capec/capec_00606","_rev":"_dVyyXDa--X","original_id":"26","datatype":"capec","name":"Leveraging Race Conditions","metadata":{"description":"","short_description":"The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by \"running the race\", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file."}},{"_key":"capec_00607","_id":"capec/capec_00607","_rev":"_dVyyXDa--Y","original_id":"27","datatype":"capec","name":"Leveraging Race Conditions via Symbolic Links","metadata":{"description":"","short_description":"This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file."}},{"_key":"capec_00608","_id":"capec/capec_00608","_rev":"_dVyyXDa--Z","original_id":"28","datatype":"capec","name":"Fuzzing","metadata":{"description":"","short_description":"In this attack pattern, the adversary leverages fuzzing to try to identify weaknesses in the system. Fuzzing is a software security and functionality testing method that feeds randomly constructed input to the system and looks for an indication that a failure in response to that input has occurred. Fuzzing treats the system as a black box and is totally free from any preconceptions or assumptions about the system. Fuzzing can help an attacker discover certain assumptions made about user input in the system. Fuzzing gives an attacker a quick way of potentially uncovering some of these assumptions despite not necessarily knowing anything about the internals of the system. These assumptions can then be turned against the system by specially crafting user input that may allow an attacker to achieve their goals."}},{"_key":"capec_00609","_id":"capec/capec_00609","_rev":"_dVyyXDa--a","original_id":"29","datatype":"capec","name":"Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions","metadata":{"description":"","short_description":"This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by \"running the race\", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly."}},{"_key":"capec_00610","_id":"capec/capec_00610","_rev":"_dVyyXDa--b","original_id":"30","datatype":"capec","name":"Hijacking a Privileged Thread of Execution","metadata":{"description":"","short_description":"An adversary hijacks a privileged thread of execution by injecting malicious code into a running process. By using a privleged thread to do their bidding, adversaries can evade process-based detection that would stop an attack that creates a new process. This can lead to an adversary gaining access to the process's memory and can also enable elevated privileges. The most common way to perform this attack is by suspending an existing thread and manipulating its memory."}},{"_key":"capec_00611","_id":"capec/capec_00611","_rev":"_dVyyXDa--c","original_id":"31","datatype":"capec","name":"Accessing/Intercepting/Modifying HTTP Cookies","metadata":{"description":"","short_description":"This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information."}},{"_key":"capec_00612","_id":"capec/capec_00612","_rev":"_dVyyXDa--d","original_id":"32","datatype":"capec","name":"XSS Through HTTP Query Strings","metadata":{"description":"","short_description":"An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then procedes to use the values parameters without properly validation them first and generates the HTML code that will be executed by the victim's browser."}},{"_key":"capec_00613","_id":"capec/capec_00613","_rev":"_dVyyXDa--e","original_id":"33","datatype":"capec","name":"HTTP Request Smuggling","metadata":{"description":"\n            ","short_description":"\n            "}},{"_key":"capec_00614","_id":"capec/capec_00614","_rev":"_dVyyXDa--f","original_id":"34","datatype":"capec","name":"HTTP Response Splitting","metadata":{"description":"\n            ","short_description":"\n            "}},{"_key":"capec_00615","_id":"capec/capec_00615","_rev":"_dVyyXDa--g","original_id":"35","datatype":"capec","name":"Leverage Executable Code in Non-Executable Files","metadata":{"description":"","short_description":"An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high."}},{"_key":"capec_00616","_id":"capec/capec_00616","_rev":"_dVyyXDa--h","original_id":"36","datatype":"capec","name":"Using Unpublished Interfaces","metadata":{"description":"","short_description":"An adversary searches for and invokes interfaces that the target system designers did not intend to be publicly available. If these interfaces fail to authenticate requests the attacker may be able to invoke functionality they are not authorized for."}},{"_key":"capec_00617","_id":"capec/capec_00617","_rev":"_dVyyXDa--i","original_id":"37","datatype":"capec","name":"Retrieve Embedded Sensitive Data","metadata":{"description":"","short_description":"An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack."}},{"_key":"capec_00618","_id":"capec/capec_00618","_rev":"_dVyyXDa--j","original_id":"38","datatype":"capec","name":"Leveraging/Manipulating Configuration File Search Paths","metadata":{"description":"","short_description":"This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker."}},{"_key":"capec_00619","_id":"capec/capec_00619","_rev":"_dVyyXDa--k","original_id":"39","datatype":"capec","name":"Manipulating Opaque Client-based Data Tokens","metadata":{"description":"","short_description":"In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation."}},{"_key":"capec_00620","_id":"capec/capec_00620","_rev":"_dVyyXDa--l","original_id":"40","datatype":"capec","name":"Manipulating Writeable Terminal Devices","metadata":{"description":"","short_description":"This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded."}},{"_key":"capec_00621","_id":"capec/capec_00621","_rev":"_dVyyXDa--m","original_id":"41","datatype":"capec","name":"Using Meta-characters in E-mail Headers to Inject Malicious Payloads","metadata":{"description":"","short_description":"This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system."}},{"_key":"capec_00622","_id":"capec/capec_00622","_rev":"_dVyyXDa--n","original_id":"42","datatype":"capec","name":"MIME Conversion","metadata":{"description":"","short_description":"An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back."}},{"_key":"capec_00623","_id":"capec/capec_00623","_rev":"_dVyyXDa--o","original_id":"43","datatype":"capec","name":"Exploiting Multiple Input Interpretation Layers","metadata":{"description":"","short_description":"An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a \"layer\" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop."}},{"_key":"capec_00624","_id":"capec/capec_00624","_rev":"_dVyyXDa--p","original_id":"44","datatype":"capec","name":"Overflow Binary Resource File","metadata":{"description":"This attack pattern is a variant of standard buffer overflow attack using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The adversary is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application for the victim to download. The adversary then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.","short_description":"An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process."}},{"_key":"capec_00625","_id":"capec/capec_00625","_rev":"_dVyyXDa--q","original_id":"45","datatype":"capec","name":"Buffer Overflow via Symbolic Links","metadata":{"description":"","short_description":"This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking."}},{"_key":"capec_00626","_id":"capec/capec_00626","_rev":"_dVyyXDa--r","original_id":"46","datatype":"capec","name":"Overflow Variables and Tags","metadata":{"description":"","short_description":"This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow."}},{"_key":"capec_00627","_id":"capec/capec_00627","_rev":"_dVyyXDa--s","original_id":"47","datatype":"capec","name":"Buffer Overflow via Parameter Expansion","metadata":{"description":"","short_description":"In this attack, the target software is given input that the adversary knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow."}},{"_key":"capec_00628","_id":"capec/capec_00628","_rev":"_dVyyXDa--t","original_id":"48","datatype":"capec","name":"Passing Local Filenames to Functions That Expect a URL","metadata":{"description":"","short_description":"This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks."}},{"_key":"capec_00629","_id":"capec/capec_00629","_rev":"_dVyyXDa--u","original_id":"49","datatype":"capec","name":"Password Brute Forcing","metadata":{"description":"","short_description":"In this attack, the adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password. A system will be particularly vulnerable to this type of an attack if it does not have a proper enforcement mechanism in place to ensure that passwords selected by users are strong passwords that comply with an adequate password policy. In practice a pure brute force attack on passwords is rarely used, unless the password is suspected to be weak. Other password cracking methods exist that are far more effective (e.g. dictionary attacks, rainbow tables, etc.). Knowing the password policy on the system can make a brute force attack more efficient. For instance, if the policy states that all passwords must be of a certain level, there is no need to check smaller candidates."}},{"_key":"capec_00630","_id":"capec/capec_00630","_rev":"_dVyyXDa--v","original_id":"50","datatype":"capec","name":"Password Recovery Exploitation","metadata":{"description":"","short_description":"An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure. Most of them use only one security question . For instance, mother's maiden name tends to be a fairly popular one. Unfortunately in many cases this information is not very hard to find, especially if the attacker knows the legitimate user. These generic security questions are also re-used across many applications, thus making them even more insecure. An attacker could for instance overhear a coworker talking to a bank representative at the work place and supplying their mother's maiden name for verification purposes. An attacker can then try to log in into one of the victim's accounts, click on \"forgot password\" and there is a good chance that the security question there will be to provide mother's maiden name. A weak password recovery scheme totally undermines the effectiveness of a strong password scheme."}},{"_key":"capec_00631","_id":"capec/capec_00631","_rev":"_dVyyXDa--w","original_id":"51","datatype":"capec","name":"Poison Web Service Registry","metadata":{"description":"","short_description":"SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata, and delete information about service provider interfaces. WS-Addressing is used to virtualize services, provide return addresses and other routing information, however, unless the WS-Addressing headers are protected they are vulnerable to rewriting. Content in a registry is deployed by the service provider. The registry in an SOA or Web Services system can be accessed by the service requester via UDDI or other protocol."}},{"_key":"capec_00632","_id":"capec/capec_00632","_rev":"_dVyyXDa--x","original_id":"52","datatype":"capec","name":"Embedding NULL Bytes","metadata":{"description":"","short_description":"An attacker embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s)."}},{"_key":"capec_00633","_id":"capec/capec_00633","_rev":"_dVyyXDa--y","original_id":"53","datatype":"capec","name":"Postfix, Null Terminate, and Backslash","metadata":{"description":"","short_description":"If a string is passed through a filter of some kind, then a terminal NULL may not be valid. Using alternate representation of NULL allows an attacker to embed the NULL mid-string while postfixing the proper data so that the filter is avoided. One example is a filter that looks for a trailing slash character. If a string insertion is possible, but the slash must exist, an alternate encoding of NULL in mid-string may be used."}},{"_key":"capec_00634","_id":"capec/capec_00634","_rev":"_dVyyXDa--z","original_id":"54","datatype":"capec","name":"Query System for Information","metadata":{"description":"","short_description":"An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide."}},{"_key":"capec_00635","_id":"capec/capec_00635","_rev":"_dVyyXDa--0","original_id":"55","datatype":"capec","name":"Rainbow Table Password Cracking","metadata":{"description":"","short_description":"An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system. A password rainbow table stores hash chains for various passwords. A password chain is computed, starting from the original password, P, via a reduce(compression) function R and a hash function H. A recurrence relation exists where Xi+1 = R(H(Xi)), X0 = P. Then the hash chain of length n for the original password P can be formed: X1, X2, X3, ... , Xn-2, Xn-1, Xn, H(Xn). P and H(Xn) are then stored together in the rainbow table. Constructing the rainbow tables takes a very long time and is computationally expensive. A separate table needs to be constructed for the various hash algorithms (e.g. SHA1, MD5, etc.). However, once a rainbow table is computed, it can be very effective in cracking the passwords that have been hashed without the use of salt."}},{"_key":"capec_00636","_id":"capec/capec_00636","_rev":"_dVyyXDa--1","original_id":"57","datatype":"capec","name":"Utilizing REST's Trust in the System Resource to Obtain Sensitive Data","metadata":{"description":"","short_description":"This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated. Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme."}},{"_key":"capec_00637","_id":"capec/capec_00637","_rev":"_dVyyXDa--2","original_id":"58","datatype":"capec","name":"Restful Privilege Elevation","metadata":{"description":"","short_description":"Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server."}},{"_key":"capec_00638","_id":"capec/capec_00638","_rev":"_dVyyXDe---","original_id":"59","datatype":"capec","name":"Session Credential Falsification through Prediction","metadata":{"description":"","short_description":"This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking."}},{"_key":"capec_00639","_id":"capec/capec_00639","_rev":"_dVyyXDe--_","original_id":"60","datatype":"capec","name":"Reusing Session IDs (aka Session Replay)","metadata":{"description":"","short_description":"This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay."}},{"_key":"capec_00640","_id":"capec/capec_00640","_rev":"_dVyyXDe--A","original_id":"61","datatype":"capec","name":"Session Fixation","metadata":{"description":"","short_description":"The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation."}},{"_key":"capec_00641","_id":"capec/capec_00641","_rev":"_dVyyXDe--B","original_id":"62","datatype":"capec","name":"Cross Site Request Forgery","metadata":{"description":"","short_description":"An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply \"riding\" the existing session cookie."}},{"_key":"capec_00642","_id":"capec/capec_00642","_rev":"_dVyyXDe--C","original_id":"63","datatype":"capec","name":"Cross-Site Scripting (XSS)","metadata":{"description":"","short_description":"An adversary embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level. An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect."}},{"_key":"capec_00643","_id":"capec/capec_00643","_rev":"_dVyyXDe--D","original_id":"64","datatype":"capec","name":"Using Slashes and URL Encoding Combined to Bypass Validation Logic","metadata":{"description":"","short_description":"This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc."}},{"_key":"capec_00644","_id":"capec/capec_00644","_rev":"_dVyyXDe--E","original_id":"65","datatype":"capec","name":"Sniff Application Code","metadata":{"description":"","short_description":"An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server."}},{"_key":"capec_00645","_id":"capec/capec_00645","_rev":"_dVyyXDe--F","original_id":"66","datatype":"capec","name":"SQL Injection","metadata":{"description":"","short_description":"This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to interact directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database."}},{"_key":"capec_00646","_id":"capec/capec_00646","_rev":"_dVyyXDe--G","original_id":"67","datatype":"capec","name":"String Format Overflow in syslog()","metadata":{"description":"","short_description":"This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function."}},{"_key":"capec_00647","_id":"capec/capec_00647","_rev":"_dVyyXDe--H","original_id":"68","datatype":"capec","name":"Subvert Code-signing Facilities","metadata":{"description":"","short_description":"Many languages use code signing facilities to vouch for code's identity and to thus tie code to its assigned privileges within an environment. Subverting this mechanism can be instrumental in an attacker escalating privilege. Any means of subverting the way that a virtual machine enforces code signing classifies for this style of attack."}},{"_key":"capec_00648","_id":"capec/capec_00648","_rev":"_dVyyXDe--I","original_id":"69","datatype":"capec","name":"Target Programs with Elevated Privileges","metadata":{"description":"","short_description":"This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges."}},{"_key":"capec_00649","_id":"capec/capec_00649","_rev":"_dVyyXDe--J","original_id":"70","datatype":"capec","name":"Try Common or Default Usernames and Passwords","metadata":{"description":"","short_description":"An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. \"secret\" or \"password\") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary."}},{"_key":"capec_00650","_id":"capec/capec_00650","_rev":"_dVyyXDe--K","original_id":"71","datatype":"capec","name":"Using Unicode Encoding to Bypass Validation Logic","metadata":{"description":"","short_description":"An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly."}},{"_key":"capec_00651","_id":"capec/capec_00651","_rev":"_dVyyXDe--L","original_id":"72","datatype":"capec","name":"URL Encoding","metadata":{"description":"","short_description":"This attack targets the encoding of the URL. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc. The attacker could also subvert the meaning of the URL string request by encoding the data being sent to the server through a GET request. For instance an attacker may subvert the meaning of parameters used in a SQL request and sent through the URL string (See Example section)."}},{"_key":"capec_00652","_id":"capec/capec_00652","_rev":"_dVyyXDe--M","original_id":"73","datatype":"capec","name":"User-Controlled Filename","metadata":{"description":"","short_description":"An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities."}},{"_key":"capec_00653","_id":"capec/capec_00653","_rev":"_dVyyXDe--N","original_id":"74","datatype":"capec","name":"Manipulating State","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_00654","_id":"capec/capec_00654","_rev":"_dVyyXDe--O","original_id":"75","datatype":"capec","name":"Manipulating Writeable Configuration Files","metadata":{"description":"","short_description":"Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users."}},{"_key":"capec_00655","_id":"capec/capec_00655","_rev":"_dVyyXDe--P","original_id":"76","datatype":"capec","name":"Manipulating Web Input to File System Calls","metadata":{"description":"","short_description":"An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible."}},{"_key":"capec_00656","_id":"capec/capec_00656","_rev":"_dVyyXDe--Q","original_id":"77","datatype":"capec","name":"Manipulating User-Controlled Variables","metadata":{"description":"","short_description":"This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables."}},{"_key":"capec_00657","_id":"capec/capec_00657","_rev":"_dVyyXDe--R","original_id":"78","datatype":"capec","name":"Using Escaped Slashes in Alternate Encoding","metadata":{"description":"","short_description":"This attack targets the use of the backslash in alternate encoding. An attacker can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the attacker tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack."}},{"_key":"capec_00658","_id":"capec/capec_00658","_rev":"_dVyyXDe--S","original_id":"79","datatype":"capec","name":"Using Slashes in Alternate Encoding","metadata":{"description":"","short_description":"This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other."}},{"_key":"capec_00659","_id":"capec/capec_00659","_rev":"_dVyyXDe--T","original_id":"80","datatype":"capec","name":"Using UTF-8 Encoding to Bypass Validation Logic","metadata":{"description":"","short_description":"This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the \"shortest possible\" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters."}},{"_key":"capec_00660","_id":"capec/capec_00660","_rev":"_dVyyXDe--U","original_id":"81","datatype":"capec","name":"Web Logs Tampering","metadata":{"description":"","short_description":"Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to \"Log Injection-Tampering-Forging\" except that in this case, the attack is targeting the logs of the web server and not the application."}},{"_key":"capec_00661","_id":"capec/capec_00661","_rev":"_dVyyXDe--V","original_id":"83","datatype":"capec","name":"XPath Injection","metadata":{"description":"","short_description":"An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database."}},{"_key":"capec_00662","_id":"capec/capec_00662","_rev":"_dVyyXDe--W","original_id":"84","datatype":"capec","name":"XQuery Injection","metadata":{"description":"","short_description":"This attack utilizes XQuery to probe and attack server systems; in a similar manner that SQL Injection allows an attacker to exploit SQL calls to RDBMS, XQuery Injection uses improperly validated data that is passed to XQuery commands to traverse and execute commands that the XQuery routines have access to. XQuery injection can be used to enumerate elements on the victim's environment, inject commands to the local host, or execute queries to remote files and data sources."}},{"_key":"capec_00663","_id":"capec/capec_00663","_rev":"_dVyyXDe--X","original_id":"85","datatype":"capec","name":"AJAX Footprinting","metadata":{"description":"","short_description":"This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS."}},{"_key":"capec_00664","_id":"capec/capec_00664","_rev":"_dVyyXDe--Y","original_id":"86","datatype":"capec","name":"XSS Through HTTP Headers","metadata":{"description":"","short_description":"An adversary exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors. XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications."}},{"_key":"capec_00665","_id":"capec/capec_00665","_rev":"_dVyyXDe--Z","original_id":"87","datatype":"capec","name":"Forceful Browsing","metadata":{"description":"","short_description":"An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected."}},{"_key":"capec_00666","_id":"capec/capec_00666","_rev":"_dVyyXDe--a","original_id":"88","datatype":"capec","name":"OS Command Injection","metadata":{"description":"","short_description":"In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system."}},{"_key":"capec_00667","_id":"capec/capec_00667","_rev":"_dVyyXDe--b","original_id":"89","datatype":"capec","name":"Pharming","metadata":{"description":"","short_description":"A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to their site rather than the originally intended one. Pharming does not require script injection or clicking on malicious links for the attack to succeed."}},{"_key":"capec_00668","_id":"capec/capec_00668","_rev":"_dVyyXDe--c","original_id":"90","datatype":"capec","name":"Reflection Attack in Authentication Protocol","metadata":{"description":"","short_description":"An adversary can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the adversary illegitimate access to the target system, without possessing the requisite credentials. Reflection attacks are of great concern to authentication protocols that rely on a challenge-handshake or similar mechanism. An adversary can impersonate a legitimate user and can gain illegitimate access to the system by successfully mounting a reflection attack during authentication."}},{"_key":"capec_00669","_id":"capec/capec_00669","_rev":"_dVyyXDe--d","original_id":"92","datatype":"capec","name":"Forced Integer Overflow","metadata":{"description":"","short_description":"This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code."}},{"_key":"capec_00670","_id":"capec/capec_00670","_rev":"_dVyyXDe--e","original_id":"93","datatype":"capec","name":"Log Injection-Tampering-Forging","metadata":{"description":"","short_description":"This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability."}},{"_key":"capec_00671","_id":"capec/capec_00671","_rev":"_dVyyXDe--f","original_id":"94","datatype":"capec","name":"Adversary in the Middle (AiTM)","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_00672","_id":"capec/capec_00672","_rev":"_dVyyXDe--g","original_id":"95","datatype":"capec","name":"WSDL Scanning","metadata":{"description":"","short_description":"This attack targets the WSDL interface made available by a web service. The attacker may scan the WSDL interface to reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities. This type of probing is carried out to perform more serious attacks (e.g. parameter tampering, malicious content injection, command injection, etc.). WSDL files provide detailed information about the services ports and bindings available to consumers. For instance, the attacker can submit special characters or malicious content to the Web service and can cause a denial of service condition or illegal access to database records. In addition, the attacker may try to guess other private methods by using the information provided in the WSDL files."}},{"_key":"capec_00673","_id":"capec/capec_00673","_rev":"_dVyyXDe--h","original_id":"96","datatype":"capec","name":"Block Access to Libraries","metadata":{"description":"","short_description":"An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. It is possible that the application does not handle situations properly where access to these libraries has been blocked. Depending on the error handling within the application, blocked access to libraries may leave the system in an insecure state that could be leveraged by an attacker."}},{"_key":"capec_00674","_id":"capec/capec_00674","_rev":"_dVyyXDe--i","original_id":"97","datatype":"capec","name":"Cryptanalysis","metadata":{"description":"","short_description":"Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as: Total Break (finding the secret key), Global Deduction (finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key), Information Deduction (gaining some information about plaintexts or ciphertexts that was not previously known) and Distinguishing Algorithm (the attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits)."}},{"_key":"capec_00675","_id":"capec/capec_00675","_rev":"_dVyyXDe--j","original_id":"98","datatype":"capec","name":"Phishing","metadata":{"description":"","short_description":"Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or \"fishing\" for information."}},{"_key":"capec_00676","_id":"capec/capec_00676","_rev":"_dVyyXDe--k","original_id":"100","datatype":"capec","name":"Overflow Buffers","metadata":{"description":"","short_description":"Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice."}},{"_key":"capec_00677","_id":"capec/capec_00677","_rev":"_dVyyXDe--l","original_id":"101","datatype":"capec","name":"Server Side Include (SSI) Injection","metadata":{"description":"","short_description":"An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands."}},{"_key":"capec_00678","_id":"capec/capec_00678","_rev":"_dVyyXDe--m","original_id":"102","datatype":"capec","name":"Session Sidejacking","metadata":{"description":"","short_description":"Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token."}},{"_key":"capec_00679","_id":"capec/capec_00679","_rev":"_dVyyXDe--n","original_id":"103","datatype":"capec","name":"Clickjacking","metadata":{"description":"","short_description":"In a clickjacking attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different system. While being logged in to some target system, the victim visits the adversary's malicious site which displays a UI that the victim wishes to interact with. In reality, the clickjacked page has a transparent layer above the visible UI with action controls that the adversary wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the adversary may have just tricked the victim into executing some potentially privileged (and most certainly undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks they are clicking on versus what they are actually clicking on."}},{"_key":"capec_00680","_id":"capec/capec_00680","_rev":"_dVyyXDe--o","original_id":"104","datatype":"capec","name":"Cross Zone Scripting","metadata":{"description":"","short_description":"An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from \"Restful Privilege Escalation\" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser."}},{"_key":"capec_00681","_id":"capec/capec_00681","_rev":"_dVyyXDe--p","original_id":"105","datatype":"capec","name":"HTTP Request Splitting","metadata":{"description":"\n            ","short_description":"\n            "}},{"_key":"capec_00682","_id":"capec/capec_00682","_rev":"_dVyyXDe--q","original_id":"107","datatype":"capec","name":"Cross Site Tracing","metadata":{"description":"","short_description":"Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to a destination system's web server. The adversary uses an XSS attack to have victim's browser sent an HTTP TRACE request to a destination web server, which will proceed to return a response to the victim's web browser that contains the original HTTP request in its body. Since the HTTP header of the original HTTP TRACE request had the victim's session cookie in it, that session cookie can now be picked off the HTTP TRACE response and sent to the adversary's malicious site. XST becomes relevant when direct access to the session cookie via the \"document.cookie\" object is disabled with the use of httpOnly attribute which ensures that the cookie can be transmitted in HTTP requests but cannot be accessed in other ways. Using SSL does not protect against XST. If the system with which the victim is interacting is susceptible to XSS, an adversary can exploit that weakness directly to get their malicious script to issue an HTTP TRACE request to the destination system's web server."}},{"_key":"capec_00683","_id":"capec/capec_00683","_rev":"_dVyyXDe--r","original_id":"108","datatype":"capec","name":"Command Line Execution through SQL Injection","metadata":{"description":"","short_description":"An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host."}},{"_key":"capec_00684","_id":"capec/capec_00684","_rev":"_dVyyXDe--s","original_id":"109","datatype":"capec","name":"Object Relational Mapping Injection","metadata":{"description":"","short_description":"An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject their own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible."}},{"_key":"capec_00685","_id":"capec/capec_00685","_rev":"_dVyyXDe--t","original_id":"110","datatype":"capec","name":"SQL Injection through SOAP Parameter Tampering","metadata":{"description":"","short_description":"An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message."}},{"_key":"capec_00686","_id":"capec/capec_00686","_rev":"_dVyyXDe--u","original_id":"111","datatype":"capec","name":"JSON Hijacking (aka JavaScript Hijacking)","metadata":{"description":"","short_description":"An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website. An attacker gets the victim to visit their malicious page that contains a script tag whose source points to the vulnerable system with a URL that requests a response from the server containing a JSON object with possibly confidential information. The malicious page also contains malicious code to capture the JSON object returned by the server before any other processing on it can take place, typically by overriding the JavaScript function used to create new objects. This hook allows the malicious code to get access to the creation of each object and transmit the possibly sensitive contents of the captured JSON object to the attackers' server. There is nothing in the browser's security model to prevent the attackers' malicious JavaScript code (originating from attacker's domain) to set up an environment (as described above) to intercept a JSON object response (coming from the vulnerable target system's domain), read its contents and transmit to the attackers' controlled site. The same origin policy protects the domain object model (DOM), but not the JSON."}},{"_key":"capec_00687","_id":"capec/capec_00687","_rev":"_dVyyXDe--v","original_id":"112","datatype":"capec","name":"Brute Force","metadata":{"description":"","short_description":"In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset. Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions. The key factor in this attack is the attackers' ability to explore the possible secret space rapidly. This, in turn, is a function of the size of the secret space and the computational power the attacker is able to bring to bear on the problem. If the attacker has modest resources and the secret space is large, the challenge facing the attacker is intractable. Assuming a finite secret space, a brute force attack will eventually succeed. The defender must rely on making sure that the time and resources necessary to do so will exceed the value of the information."}},{"_key":"capec_00688","_id":"capec/capec_00688","_rev":"_dVyyXDe--w","original_id":"113","datatype":"capec","name":"Interface Manipulation","metadata":{"description":"","short_description":"An adversary manipulates the use or processing of an interface (e.g. Application Programming Interface (API) or System-on-Chip (SoC)) resulting in an adverse impact upon the security of the system implementing the interface. This can allow the adversary to bypass access control and/or execute functionality not intended by the interface implementation, possibly compromising the system which integrates the interface. Interface manipulation can take on a number of forms including forcing the unexpected use of an interface or the use of an interface in an unintended way."}},{"_key":"capec_00689","_id":"capec/capec_00689","_rev":"_dVyyXDe--x","original_id":"114","datatype":"capec","name":"Authentication Abuse","metadata":{"description":"","short_description":"An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the \"Exploitation of Session Variables, Resource IDs and other Trusted Credentials\" attack patterns."}},{"_key":"capec_00690","_id":"capec/capec_00690","_rev":"_dVyyXDe--y","original_id":"115","datatype":"capec","name":"Authentication Bypass","metadata":{"description":"","short_description":"An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place. This refers to an attacker gaining access equivalent to an authenticated user without ever going through an authentication procedure. This is usually the result of the attacker using an unexpected access procedure that does not go through the proper checkpoints where authentication should occur. For example, a web site might assume that all users will click through a given link in order to get to secure material and simply authenticate everyone that clicks the link. However, an attacker might be able to reach secured web content by explicitly entering the path to the content rather than clicking through the authentication link, thereby avoiding the check entirely. This attack pattern differs from other authentication attacks in that attacks of this pattern avoid authentication entirely, rather than faking authentication by exploiting flaws or by stealing credentials from legitimate users."}},{"_key":"capec_00691","_id":"capec/capec_00691","_rev":"_dVyyXDe--z","original_id":"116","datatype":"capec","name":"Excavation","metadata":{"description":"","short_description":"An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes. This is achieved by exploring the target via ordinary interactions for the purpose of gathering intelligence about the target, or by sending data that is syntactically invalid or non-standard in an attempt to produce a response that contains the desired data. As a result of these interactions, the adversary is able to obtain information from the target that aids the attacker in making inferences about its security, configuration, or potential vulnerabilities. Examplar exchanges with the target may trigger unhandled exceptions or verbose error messages that reveal information like stack traces, configuration information, path information, or database design. This type of attack also includes the manipulation of query strings in a URI to produce invalid SQL queries, or by trying alternative path values in the hope that the server will return useful information."}},{"_key":"capec_00692","_id":"capec/capec_00692","_rev":"_dVyyXDe--0","original_id":"117","datatype":"capec","name":"Interception","metadata":{"description":"","short_description":"An adversary monitors data streams to or from the target for information gathering purposes. This attack may be undertaken to solely gather sensitive information or to support a further attack against the target. This attack pattern can involve sniffing network traffic as well as other types of data streams (e.g. radio). The adversary can attempt to initiate the establishment of a data stream or passively observe the communications as they unfold. In all variants of this attack, the adversary is not the intended recipient of the data stream. In contrast to other means of gathering information (e.g., targeting data leaks), the adversary must actively position themself so as to observe explicit data channels (e.g. network traffic) and read the content. However, this attack differs from a Adversary-In-the-Middle (CAPEC-94) attack, as the adversary does not alter the content of the communications nor forward data to the intended recipient."}},{"_key":"capec_00693","_id":"capec/capec_00693","_rev":"_dVyyXDe--1","original_id":"120","datatype":"capec","name":"Double Encoding","metadata":{"description":"","short_description":"The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target."}},{"_key":"capec_00694","_id":"capec/capec_00694","_rev":"_dVyyXDe--2","original_id":"121","datatype":"capec","name":"Exploit Non-Production Interfaces","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_00695","_id":"capec/capec_00695","_rev":"_dVyyXDe--3","original_id":"122","datatype":"capec","name":"Privilege Abuse","metadata":{"description":"","short_description":"An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources. If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts. This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level."}},{"_key":"capec_00696","_id":"capec/capec_00696","_rev":"_dVyyXDe--4","original_id":"123","datatype":"capec","name":"Buffer Manipulation","metadata":{"description":"","short_description":"An adversary manipulates an application's interaction with a buffer in an attempt to read or modify data they shouldn't have access to. Buffer attacks are distinguished in that it is the buffer space itself that is the target of the attack rather than any code responsible for interpreting the content of the buffer. In virtually all buffer attacks the content that is placed in the buffer is immaterial. Instead, most buffer attacks involve retrieving or providing more input than can be stored in the allocated buffer, resulting in the reading or overwriting of other unintended program memory."}},{"_key":"capec_00697","_id":"capec/capec_00697","_rev":"_dVyyXDe--5","original_id":"124","datatype":"capec","name":"Shared Resource Manipulation","metadata":{"description":"","short_description":"An adversary exploits a resource shared between multiple applications, an application pool or hardware pin multiplexing to affect behavior. Resources may be shared between multiple applications or between multiple threads of a single application. Resource sharing is usually accomplished through mutual access to a single memory location or multiplexed hardware pins. If an adversary can manipulate this shared resource (usually by co-opting one of the applications or threads) the other applications or threads using the shared resource will often continue to trust the validity of the compromised shared resource and use it in their calculations. This can result in invalid trust assumptions, corruption of additional data through the normal operations of the other users of the shared resource, or even cause a crash or compromise of the sharing applications."}},{"_key":"capec_00698","_id":"capec/capec_00698","_rev":"_dVyyXDe--6","original_id":"125","datatype":"capec","name":"Flooding","metadata":{"description":"","short_description":"An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target."}},{"_key":"capec_00699","_id":"capec/capec_00699","_rev":"_dVyyXDe--7","original_id":"126","datatype":"capec","name":"Path Traversal","metadata":{"description":"","short_description":"An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \\) and/or dots (.)) to reach desired directories or files."}},{"_key":"capec_00700","_id":"capec/capec_00700","_rev":"_dVyyXDe--8","original_id":"127","datatype":"capec","name":"Directory Indexing","metadata":{"description":"","short_description":"An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks."}},{"_key":"capec_00701","_id":"capec/capec_00701","_rev":"_dVyyXDe--9","original_id":"128","datatype":"capec","name":"Integer Attacks","metadata":{"description":"","short_description":"An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. For example, adding one to the largest positive integer in a signed integer variable results in a negative number. Negative numbers may be illegal in an application and the application may prevent an attacker from providing them directly, but the application may not consider that adding two positive numbers can create a negative number do to the structure of integer storage formats."}},{"_key":"capec_00702","_id":"capec/capec_00702","_rev":"_dVyyXDe-_-","original_id":"129","datatype":"capec","name":"Pointer Manipulation","metadata":{"description":"","short_description":"This attack pattern involves an adversary manipulating a pointer within a target application resulting in the application accessing an unintended memory location. This can result in the crashing of the application or, for certain pointer values, access to data that would not normally be possible or the execution of arbitrary code. Since pointers are simply integer variables, Integer Attacks may often be used in Pointer Attacks."}},{"_key":"capec_00703","_id":"capec/capec_00703","_rev":"_dVyyXDe-__","original_id":"130","datatype":"capec","name":"Excessive Allocation","metadata":{"description":"","short_description":"An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request."}},{"_key":"capec_00704","_id":"capec/capec_00704","_rev":"_dVyyXDe-_A","original_id":"131","datatype":"capec","name":"Resource Leak Exposure","metadata":{"description":"","short_description":"An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests. Resource leaks most often come in the form of memory leaks where memory is allocated but never released after it has served its purpose, however, theoretically, any other resource that can be reserved can be targeted if the target fails to release the reservation when the reserved resource block is no longer needed. In this attack, the adversary determines what activity results in leaked resources and then triggers that activity on the target. Since some leaks may be small, this may require a large number of requests by the adversary. However, this attack differs from a flooding attack in that the rate of requests is generally not significant. This is because the lost resources due to the leak accumulate until the target is reset, usually by restarting it. Thus, a resource-poor adversary who would be unable to flood the target can still utilize this attack. Resource depletion through leak differs from resource depletion through allocation in that, in the former, the adversary may not be able to control the size of each leaked allocation, but instead allows the leak to accumulate until it is large enough to affect the target's performance. When depleting resources through allocation, the allocated resource may eventually be released by the target so the attack relies on making sure that the allocation size itself is prohibitive of normal operations by the target."}},{"_key":"capec_00705","_id":"capec/capec_00705","_rev":"_dVyyXDe-_B","original_id":"132","datatype":"capec","name":"Symlink Attack","metadata":{"description":"","short_description":"An attacker positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name. The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications. In some variants of this attack the attacker may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the attacker may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the attacker to control the actions of the target or to cause the target to expose information to the attacker. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the attacker would normally have."}},{"_key":"capec_00706","_id":"capec/capec_00706","_rev":"_dVyyXDe-_C","original_id":"133","datatype":"capec","name":"Try All Common Switches","metadata":{"description":"","short_description":"An attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target. For example, in some applications, adding a --debug switch causes debugging information to be displayed, which can sometimes reveal sensitive processing or configuration information to an attacker. This attack differs from other forms of API abuse in that the attacker is indiscriminately attempting to invoke options in the hope that one of them will work rather than specifically targeting a known option. Nonetheless, even if the attacker is familiar with the published options of a targeted application this attack method may still be fruitful as it might discover unpublicized functionality."}},{"_key":"capec_00707","_id":"capec/capec_00707","_rev":"_dVyyXDe-_D","original_id":"134","datatype":"capec","name":"Email Injection","metadata":{"description":"","short_description":"An attacker manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol. Many applications allow users to send email messages by filling in fields. For example, a web site may have a link to \"share this site with a friend\" where the user provides the recipient's email address and the web application fills out all the other fields, such as the subject and body. In this pattern, an attacker adds header and body information to an email message by injecting additional content in an input field used to construct a header of the mail message. This attack takes advantage of the fact that RFC 822 requires that headers in a mail message be separated by a carriage return. As a result, an attacker can inject new headers or content simply by adding a delimiting carriage return and then supplying the new heading and body information. This attack will not work if the user can only supply the message body since a carriage return in the body is treated as a normal character."}},{"_key":"capec_00708","_id":"capec/capec_00708","_rev":"_dVyyXDe-_E","original_id":"135","datatype":"capec","name":"Format String Injection","metadata":{"description":"","short_description":"An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack."}},{"_key":"capec_00709","_id":"capec/capec_00709","_rev":"_dVyyXDe-_F","original_id":"136","datatype":"capec","name":"LDAP Injection","metadata":{"description":"","short_description":"An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value."}},{"_key":"capec_00710","_id":"capec/capec_00710","_rev":"_dVyyXDe-_G","original_id":"137","datatype":"capec","name":"Parameter Injection","metadata":{"description":"","short_description":"An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in a HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value \"myInput&new_param=myValue\", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack - the HTTP GET encoding used above is just one example."}},{"_key":"capec_00711","_id":"capec/capec_00711","_rev":"_dVyyXDe-_H","original_id":"138","datatype":"capec","name":"Reflection Injection","metadata":{"description":"","short_description":"An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application."}},{"_key":"capec_00712","_id":"capec/capec_00712","_rev":"_dVyyXDe-_I","original_id":"139","datatype":"capec","name":"Relative Path Traversal","metadata":{"description":"","short_description":"An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \\) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure."}},{"_key":"capec_00713","_id":"capec/capec_00713","_rev":"_dVyyXDe-_J","original_id":"140","datatype":"capec","name":"Bypassing of Intermediate Forms in Multiple-Form Sets","metadata":{"description":"","short_description":"Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amount of information being collected or if information on earlier forms is used to pre-populate fields or determine which additional information the application needs to collect. An attacker who knows the names of the various forms in the sequence may be able to explicitly type in the name of a later form and navigate to it without first going through the previous forms. This can result in incomplete collection of information, incorrect assumptions about the information submitted by the attacker, or other problems that can impair the functioning of the application."}},{"_key":"capec_00714","_id":"capec/capec_00714","_rev":"_dVyyXDe-_K","original_id":"141","datatype":"capec","name":"Cache Poisoning","metadata":{"description":"","short_description":"An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value."}},{"_key":"capec_00715","_id":"capec/capec_00715","_rev":"_dVyyXDe-_L","original_id":"142","datatype":"capec","name":"DNS Cache Poisoning","metadata":{"description":"","short_description":"A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack."}},{"_key":"capec_00716","_id":"capec/capec_00716","_rev":"_dVyyXDi---","original_id":"143","datatype":"capec","name":"Detect Unpublicized Web Pages","metadata":{"description":"","short_description":"An adversary searches a targeted web site for web pages that have not been publicized. In doing this, the adversary may be able to gain access to information that the targeted site did not intend to make public."}},{"_key":"capec_00717","_id":"capec/capec_00717","_rev":"_dVyyXDi--_","original_id":"144","datatype":"capec","name":"Detect Unpublicized Web Services","metadata":{"description":"","short_description":"An adversary searches a targeted web site for web services that have not been publicized. This attack can be especially dangerous since unpublished but available services may not have adequate security controls placed upon them given that an administrator may believe they are unreachable."}},{"_key":"capec_00718","_id":"capec/capec_00718","_rev":"_dVyyXDi--A","original_id":"145","datatype":"capec","name":"Checksum Spoofing","metadata":{"description":"","short_description":"An adversary spoofs a checksum message for the purpose of making a payload appear to have a valid corresponding checksum. Checksums are used to verify message integrity. They consist of some value based on the value of the message they are protecting. Hash codes are a common checksum mechanism. Both the sender and recipient are able to compute the checksum based on the contents of the message. If the message contents change between the sender and recipient, the sender and recipient will compute different checksum values. Since the sender's checksum value is transmitted with the message, the recipient would know that a modification occurred. In checksum spoofing an adversary modifies the message body and then modifies the corresponding checksum so that the recipient's checksum calculation will match the checksum (created by the adversary) in the message. This would prevent the recipient from realizing that a change occurred."}},{"_key":"capec_00719","_id":"capec/capec_00719","_rev":"_dVyyXDi--B","original_id":"146","datatype":"capec","name":"XML Schema Poisoning","metadata":{"description":"","short_description":"An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema."}},{"_key":"capec_00720","_id":"capec/capec_00720","_rev":"_dVyyXDi--C","original_id":"147","datatype":"capec","name":"XML Ping of the Death","metadata":{"description":"","short_description":"An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target."}},{"_key":"capec_00721","_id":"capec/capec_00721","_rev":"_dVyyXDi--D","original_id":"148","datatype":"capec","name":"Content Spoofing","metadata":{"description":"","short_description":"An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes."}},{"_key":"capec_00722","_id":"capec/capec_00722","_rev":"_dVyyXDi--E","original_id":"149","datatype":"capec","name":"Explore for Predictable Temporary File Names","metadata":{"description":"","short_description":"An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against the target. This involves analyzing naming conventions and storage locations of the temporary files created by a target application. If an attacker can predict the names of temporary files they can use this information to mount other attacks, such as information gathering and symlink attacks."}},{"_key":"capec_00723","_id":"capec/capec_00723","_rev":"_dVyyXDi--F","original_id":"150","datatype":"capec","name":"Collect Data from Common Resource Locations","metadata":{"description":"","short_description":"An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks."}},{"_key":"capec_00724","_id":"capec/capec_00724","_rev":"_dVyyXDi--G","original_id":"151","datatype":"capec","name":"Identity Spoofing","metadata":{"description":"","short_description":"Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials. Alternatively, an adversary may intercept a message from a legitimate sender and attempt to make it look like the message comes from them without changing its content. The latter form of this attack can be used to hijack credentials from legitimate users. Identity Spoofing attacks need not be limited to transmitted messages - any resource that is associated with an identity (for example, a file with a signature) can be the target of an attack where the adversary attempts to change the apparent identity. This attack differs from Content Spoofing attacks where the adversary does not wish to change the apparent identity of the message but instead wishes to change what the message says. In an Identity Spoofing attack, the adversary is attempting to change the identity of the content."}},{"_key":"capec_00725","_id":"capec/capec_00725","_rev":"_dVyyXDi--H","original_id":"153","datatype":"capec","name":"Input Data Manipulation","metadata":{"description":"","short_description":"An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface. By supplying input of a non-standard or unexpected form an attacker can adversely impact the security of the target. For example, using a different character encoding might cause dangerous text to be treated as safe text. Alternatively, the attacker may use certain flags, such as file extensions, to make a target application believe that provided data should be handled using a certain interpreter when the data is not actually of the appropriate type. This can lead to bypassing protection mechanisms, forcing the target to use specific components for input processing, or otherwise causing the user's data to be handled differently than might otherwise be expected. This attack differs from Variable Manipulation in that Variable Manipulation attempts to subvert the target's processing through the value of the input while Input Data Manipulation seeks to control how the input is processed."}},{"_key":"capec_00726","_id":"capec/capec_00726","_rev":"_dVyyXDi--I","original_id":"154","datatype":"capec","name":"Resource Location Spoofing","metadata":{"description":"","short_description":"An adversary deceives an application or user and convinces them to request a resource from an unintended location. By spoofing the location, the adversary can cause an alternate resource to be used, often one that the adversary controls and can be used to help them achieve their malicious goals."}},{"_key":"capec_00727","_id":"capec/capec_00727","_rev":"_dVyyXDi--J","original_id":"155","datatype":"capec","name":"Screen Temporary Files for Sensitive Information","metadata":{"description":"","short_description":"An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an adversary might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the adversary could recover this from the web cache."}},{"_key":"capec_00728","_id":"capec/capec_00728","_rev":"_dVyyXDi--K","original_id":"157","datatype":"capec","name":"Sniffing Attacks","metadata":{"description":"","short_description":"In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/or hear the communication traffic, but not necessarily block the communication or change its content. Any transmission medium can theoretically be sniffed if the adversary can examine the contents between the sender and recipient. Sniffing Attacks are similar to Adversary-In-The-Middle attacks (CAPEC-94), but are entirely passive. AiTM attacks are predominantly active and often alter the content of the communications themselves."}},{"_key":"capec_00729","_id":"capec/capec_00729","_rev":"_dVyyXDi--L","original_id":"158","datatype":"capec","name":"Sniffing Network Traffic","metadata":{"description":"","short_description":"In this attack pattern, the adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive information at the protocol level. Network sniffing applications can reveal TCP/IP, DNS, Ethernet, and other low-level network communication information. The adversary takes a passive role in this attack pattern and simply observes and analyzes the traffic. The adversary may precipitate or indirectly influence the content of the observed transaction, but is never the intended recipient of the target information."}},{"_key":"capec_00730","_id":"capec/capec_00730","_rev":"_dVyyXDi--M","original_id":"159","datatype":"capec","name":"Redirect Access to Libraries","metadata":{"description":"","short_description":"An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversary supplied library or code base. This pattern of attack allows the adversary to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. If an adversary can redirect an application's attempts to access these libraries to other libraries that the adversary supplies, the adversary will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation."}},{"_key":"capec_00731","_id":"capec/capec_00731","_rev":"_dVyyXDi--N","original_id":"160","datatype":"capec","name":"Exploit Script-Based APIs","metadata":{"description":"","short_description":"Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support <script> tags that allow scripting languages to be embedded in the page and then interpreted by the receiving web browser. If the content provider is malicious, these scripts can compromise the client application. Some applications may even execute the scripts under their own identity (rather than the identity of the user providing the script) which can allow attackers to perform activities that would otherwise be denied to them."}},{"_key":"capec_00732","_id":"capec/capec_00732","_rev":"_dVyyXDi--O","original_id":"161","datatype":"capec","name":"Infrastructure Manipulation","metadata":{"description":"","short_description":"An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network objects or effect a change in the ordinary information flow between network objects. Most often, this involves manipulation of the routing of network messages so, instead of arriving at their proper destination, they are directed towards an entity of the attackers' choosing, usually a server controlled by the attacker. The victim is often unaware that their messages are not being processed correctly. For example, a targeted client may believe they are connecting to their own bank but, in fact, be connecting to a Pharming site controlled by the attacker which then collects the user's login information in order to hijack the actual bank account."}},{"_key":"capec_00733","_id":"capec/capec_00733","_rev":"_dVyyXDi--P","original_id":"162","datatype":"capec","name":"Manipulating Hidden Fields","metadata":{"description":"","short_description":"An adversary exploits a weakness in the server's trust of client-side processing by modifying data on the client-side, such as price information, and then submitting this data to the server, which processes the modified data. For example, eShoplifting is a data manipulation attack against an on-line merchant during a purchasing transaction. The manipulation of price, discount or quantity fields in the transaction message allows the adversary to acquire items at a lower cost than the merchant intended. The adversary performs a normal purchasing transaction but edits hidden fields within the HTML form response that store price or other information to give themselves a better deal. The merchant then uses the modified pricing information in calculating the cost of the selected items."}},{"_key":"capec_00734","_id":"capec/capec_00734","_rev":"_dVyyXDi--Q","original_id":"163","datatype":"capec","name":"Spear Phishing","metadata":{"description":"","short_description":"An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack."}},{"_key":"capec_00735","_id":"capec/capec_00735","_rev":"_dVyyXDi--R","original_id":"164","datatype":"capec","name":"Mobile Phishing","metadata":{"description":"","short_description":"An adversary targets mobile phone users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Mobile Phishing is a variation of the Phishing social engineering technique where the attack is initiated via a text or SMS message, rather than email. The user is enticed to provide information or visit a compromised web site via this message. Apart from the manner in which the attack is initiated, the attack proceeds as a standard Phishing attack."}},{"_key":"capec_00736","_id":"capec/capec_00736","_rev":"_dVyyXDi--S","original_id":"165","datatype":"capec","name":"File Manipulation","metadata":{"description":"","short_description":"An attacker modifies file contents or attributes (such as extensions or names) of files in a manner to cause incorrect processing by an application. Attackers use this class of attacks to cause applications to enter unstable states, overwrite or expose sensitive information, and even execute arbitrary code with the application's privileges. This class of attacks differs from attacks on configuration information (even if file-based) in that file manipulation causes the file processing to result in non-standard behaviors, such as buffer overflows or use of the incorrect interpreter. Configuration attacks rely on the application interpreting files correctly in order to insert harmful configuration information. Likewise, resource location attacks rely on controlling an application's ability to locate files, whereas File Manipulation attacks do not require the application to look in a non-default location, although the two classes of attacks are often combined."}},{"_key":"capec_00737","_id":"capec/capec_00737","_rev":"_dVyyXDi--T","original_id":"166","datatype":"capec","name":"Force the System to Reset Values","metadata":{"description":"","short_description":"An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions. Since these functions are usually intended as emergency features to return an application to a stable configuration if the current configuration degrades functionality, they may not be as strongly secured as other configuration options. The resetting of values is dangerous as it may enable undesired functionality, disable services, or modify access controls. At the very least this is a nuisance attack since the administrator will need to re-apply their configuration. At worst, this attack can open avenues for powerful attacks against the application, and, if it isn't obvious that the configuration has been reset, these vulnerabilities may be present a long time before they are notices."}},{"_key":"capec_00738","_id":"capec/capec_00738","_rev":"_dVyyXDi--U","original_id":"167","datatype":"capec","name":"White Box Reverse Engineering","metadata":{"description":"","short_description":"An attacker discovers the structure, function, and composition of a type of computer software through white box analysis techniques. White box techniques involve methods which can be applied to a piece of software when an executable or some other compiled object can be directly subjected to analysis, revealing at least a portion of its machine instructions that can be observed upon execution."}},{"_key":"capec_00739","_id":"capec/capec_00739","_rev":"_dVyyXDi--V","original_id":"168","datatype":"capec","name":"Windows ::DATA Alternate Data Stream","metadata":{"description":"","short_description":"An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple \"files\" to be stored in one directory entry referenced as filename:streamname. One or more alternate data streams may be stored in any file or directory. Normal Microsoft utilities do not show the presence of an ADS stream attached to a file. The additional space for the ADS is not recorded in the displayed file size. The additional space for ADS is accounted for in the used space on the volume. An ADS can be any type of file. ADS are copied by standard Microsoft utilities between NTFS volumes. ADS can be used by an attacker or intruder to hide tools, scripts, and data from detection by normal system utilities. Many anti-virus programs do not check for or scan ADS. Windows Vista does have a switch (-R) on the command line DIR command that will display alternate streams."}},{"_key":"capec_00740","_id":"capec/capec_00740","_rev":"_dVyyXDi--W","original_id":"169","datatype":"capec","name":"Footprinting","metadata":{"description":"","short_description":"An adversary engages in probing and exploration activities to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. Although similar to fingerprinting, footprinting aims to get a more holistic view of a system or network, whereas fingerprinting is more targeted to a specific application or operating system. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks."}},{"_key":"capec_00741","_id":"capec/capec_00741","_rev":"_dVyyXDi--X","original_id":"170","datatype":"capec","name":"Web Application Fingerprinting","metadata":{"description":"","short_description":"An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target. An attacker could learn information such as software versions, error pages, and response headers, variations in implementations of the HTTP protocol, directory structures, and other similar information about the targeted service. This information can then be used by an attacker to formulate a targeted attack plan. While web application fingerprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks."}},{"_key":"capec_00742","_id":"capec/capec_00742","_rev":"_dVyyXDi--Y","original_id":"173","datatype":"capec","name":"Action Spoofing","metadata":{"description":"","short_description":"An adversary is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate a different action. For example, a user might be led to believe that clicking a button will submit a query, but in fact it downloads software. Adversaries may perform this attack through social means, such as by simply convincing a victim to perform the action or relying on a user's natural inclination to do so, or through technical means, such as a clickjacking attack where a user sees one interface but is actually interacting with a second, invisible, interface."}},{"_key":"capec_00743","_id":"capec/capec_00743","_rev":"_dVyyXDi--Z","original_id":"174","datatype":"capec","name":"Flash Parameter Injection","metadata":{"description":"","short_description":"An adversary takes advantage of improper data validation to inject malicious global parameters into a Flash file embedded within an HTML document. Flash files can leverage user-submitted data to configure the Flash document and access the embedding HTML document. These 'FlashVars' are most often passed to the Flash file via URL arguments or from the Object or Embed tag within the embedding HTML document. If these FlashVars are not properly sanitized, an adversary may be able to embed malicious content (such as scripts) into the HTML document. The injected parameters can also provide the adversary control over other objects within the Flash file as well as full control over the parent document's DOM model. As such, this is a form of HTTP parameter injection, but the abilities granted to the Flash document (such as access to a page's document model, including associated cookies) make this attack more flexible. Flash Parameter Injection attacks can also preface further attacks such as various forms of Cross-Site Scripting (XSS) attacks in addition to Session Hijacking attacks."}},{"_key":"capec_00744","_id":"capec/capec_00744","_rev":"_dVyyXDi--a","original_id":"175","datatype":"capec","name":"Code Inclusion","metadata":{"description":"","short_description":"An adversary exploits a weakness on the target to force arbitrary code to be retrieved locally or from a remote location and executed. This differs from code injection in that code injection involves the direct inclusion of code while code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application."}},{"_key":"capec_00745","_id":"capec/capec_00745","_rev":"_dVyyXDi--b","original_id":"176","datatype":"capec","name":"Configuration/Environment Manipulation","metadata":{"description":"","short_description":"An attacker manipulates files or settings external to a target application which affect the behavior of that application. For example, many applications use external configuration files and libraries - modification of these entities or otherwise affecting the application's ability to use them would constitute a configuration/environment manipulation attack."}},{"_key":"capec_00746","_id":"capec/capec_00746","_rev":"_dVyyXDi--c","original_id":"177","datatype":"capec","name":"Create files with the same name as files protected with a higher classification","metadata":{"description":"","short_description":"An attacker exploits file location algorithms in an operating system or application by creating a file with the same name as a protected or privileged file. The attacker could manipulate the system if the attacker-created file is trusted by the operating system or an application component that attempts to load the original file. Applications often load or include external files, such as libraries or configuration files. These files should be protected against malicious manipulation. However, if the application only uses the name of the file when locating it, an attacker may be able to create a file with the same name and place it in a directory that the application will search before the directory with the legitimate file is searched. Because the attackers' file is discovered first, it would be used by the target application. This attack can be extremely destructive if the referenced file is executable and/or is granted special privileges based solely on having a particular name."}},{"_key":"capec_00747","_id":"capec/capec_00747","_rev":"_dVyyXDi--d","original_id":"178","datatype":"capec","name":"Cross-Site Flashing","metadata":{"description":"","short_description":"An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application."}},{"_key":"capec_00748","_id":"capec/capec_00748","_rev":"_dVyyXDi--e","original_id":"179","datatype":"capec","name":"Calling Micro-Services Directly","metadata":{"description":"","short_description":"An attacker is able to discover and query Micro-services at a web location and thereby expose the Micro-services to further exploitation by gathering information about their implementation and function. Micro-services in web pages allow portions of a page to connect to the server and update content without needing to cause the entire page to update. This allows user activity to change portions of the page more quickly without causing disruptions elsewhere. However, these micro-services may not be subject to the same level of security review as other forms of content. For example, a micro-service that posts requests to a server that are turned into SQL queries may not adequately protect against SQL-injection attacks. As a result, micro-services may provide another vector for a range of attacks. It should be emphasized that the presence of micro-services does not necessarily make a site vulnerable to attack, but they do provide additional complexity to a web page and therefore may contain vulnerabilities that support other attack patterns."}},{"_key":"capec_00749","_id":"capec/capec_00749","_rev":"_dVyyXDi--f","original_id":"180","datatype":"capec","name":"Exploiting Incorrectly Configured Access Control Security Levels","metadata":{"description":"","short_description":"An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack. Most commonly, attackers would take advantage of controls that provided too little protection for sensitive activities in order to perform actions that should be denied to them. In some circumstances, an attacker may be able to take advantage of overly restrictive access control policies, initiating denial of services (if an application locks because it unexpectedly failed to be granted access) or causing other legitimate actions to fail due to security. The latter class of attacks, however, is usually less severe and easier to detect than attacks based on inadequate security restrictions. This attack pattern differs from CAPEC 1, \"Accessing Functionality Not Properly Constrained by ACLs\" in that the latter describes attacks where sensitive functionality lacks access controls, where, in this pattern, the access control is present, but incorrectly configured."}},{"_key":"capec_00750","_id":"capec/capec_00750","_rev":"_dVyyXDi--g","original_id":"181","datatype":"capec","name":"Flash File Overlay","metadata":{"description":"","short_description":"An attacker creates a transparent overlay using flash in order to intercept user actions for the purpose of performing a clickjacking attack. In this technique, the Flash file provides a transparent overlay over HTML content. Because the Flash application is on top of the content, user actions, such as clicks, are caught by the Flash application rather than the underlying HTML. The action is then interpreted by the overlay to perform the actions the attacker wishes."}},{"_key":"capec_00751","_id":"capec/capec_00751","_rev":"_dVyyXDi--h","original_id":"182","datatype":"capec","name":"Flash Injection","metadata":{"description":"","short_description":"An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker."}},{"_key":"capec_00752","_id":"capec/capec_00752","_rev":"_dVyyXDi--i","original_id":"183","datatype":"capec","name":"IMAP/SMTP Command Injection","metadata":{"description":"","short_description":"An attacker exploits weaknesses in input validation on IMAP/SMTP servers to execute commands on the server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands."}},{"_key":"capec_00753","_id":"capec/capec_00753","_rev":"_dVyyXDi--j","original_id":"184","datatype":"capec","name":"Software Integrity Attack","metadata":{"description":"","short_description":"An attacker initiates a series of events designed to cause a user, program, server, or device to perform actions which undermine the integrity of software code, device data structures, or device firmware, achieving the modification of the target's integrity to achieve an insecure state."}},{"_key":"capec_00754","_id":"capec/capec_00754","_rev":"_dVyyXDi--k","original_id":"185","datatype":"capec","name":"Malicious Software Download","metadata":{"description":"","short_description":"An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code that originates from an attacker controlled source. There are several variations to this strategy of attack."}},{"_key":"capec_00755","_id":"capec/capec_00755","_rev":"_dVyyXDi--l","original_id":"186","datatype":"capec","name":"Malicious Software Update","metadata":{"description":"","short_description":"An adversary uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that originates from an adversary controlled source. Although there are several variations to this strategy of attack, the attack methods are united in that all rely on the ability of an adversary to position and disguise malicious content such that it masquerades as a legitimate software update which is then processed by a program, undermining application integrity. As such the attack employs 'spoofing' techniques augmented by psychological or technological mechanisms to disguise the update and/or its source. Virtually all software requires frequent updates or patches, giving the adversary immense latitude when structuring the attack, as well as many targets of opportunity. Automated attacks involving malicious software updates require little to no user-directed activity and are therefore advantageous because they avoid the complex preliminary setup stages of manual attacks, which must effectively 'hook' users while avoiding countermeasures such as spam filters or web security filters."}},{"_key":"capec_00756","_id":"capec/capec_00756","_rev":"_dVyyXDi--m","original_id":"187","datatype":"capec","name":"Malicious Automated Software Update via Redirection","metadata":{"description":"","short_description":"An attacker exploits two layers of weaknesses in server or client software for automated update mechanisms to undermine the integrity of the target code-base. The first weakness involves a failure to properly authenticate a server as a source of update or patch content. This type of weakness typically results from authentication mechanisms which can be defeated, allowing a hostile server to satisfy the criteria that establish a trust relationship. The second weakness is a systemic failure to validate the identity and integrity of code downloaded from a remote location, hence the inability to distinguish malicious code from a legitimate update. One predominate type of redirection attack requires DNS spoofing or hijacking of a domain name corresponding to an update server. The target software initiates an update request and the DNS request resolves the domain name of the update server to the IP address of the attacker, at which point the software accepts updates either transmitted by or pulled from the attackers' server. Attacks against DNS mechanisms comprise an initial phase of a chain of attacks that facilitate automated update hijacking attack, and such attacks have a precedent in targeted activities that have been as complex as DNS/BIND attacks of corporate infrastructures, to untargeted attacks aimed at compromising home broadband routers, as well as attacks involving the compromise of wireless access points, as well as 'evil twin' attacks coupled with DNS redirection. Due to the plethora of options open to the attacker in forcing name resolution to arbitrary servers the Automated Update Hijacking attack strategies are the tip of the spear for many multi-stage attack chains. The second weakness that is exploited by the attacker is the lack of integrity checking by the software in validating the update. Software which relies only upon domain name resolution to establish the identity of update code is particularly vulnerable, because this signals an absence of other security countermeasures that could be applied to invalidate the attackers' payload on basis of code identity, hashing, signing, encryption, and other integrity checking mechanisms. Redirection-based attack patterns work equally well against client-side software as well as local servers or daemons that provide software update functionality."}},{"_key":"capec_00757","_id":"capec/capec_00757","_rev":"_dVyyXDi--n","original_id":"188","datatype":"capec","name":"Reverse Engineering","metadata":{"description":"","short_description":"An adversary discovers the structure, function, and composition of an object, resource, or system by using a variety of analysis techniques to effectively determine how the analyzed entity was constructed or operates. The goal of reverse engineering is often to duplicate the function, or a part of the function, of an object in order to duplicate or \"back engineer\" some aspect of its functioning. Reverse engineering techniques can be applied to mechanical objects, electronic devices, or software, although the methodology and techniques involved in each type of analysis differ widely."}},{"_key":"capec_00758","_id":"capec/capec_00758","_rev":"_dVyyXDi--o","original_id":"189","datatype":"capec","name":"Black Box Reverse Engineering","metadata":{"description":"","short_description":"An attacker discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs."}},{"_key":"capec_00759","_id":"capec/capec_00759","_rev":"_dVyyXDi--p","original_id":"190","datatype":"capec","name":"Reverse Engineer an Executable to Expose Assumed Hidden Functionality","metadata":{"description":"","short_description":"An attacker analyzes a binary file or executable for the purpose of discovering the structure, function, and possibly source-code of the file by using a variety of analysis techniques to effectively determine how the software functions and operates. This type of analysis is also referred to as Reverse Code Engineering, as techniques exist for extracting source code from an executable. Several techniques are often employed for this purpose, both black box and white box. The use of computer bus analyzers and packet sniffers allows the binary to be studied at a level of interactions with its computing environment, such as a host OS, inter-process communication, and/or network communication. This type of analysis falls into the 'black box' category because it involves behavioral analysis of the software without reference to source code, object code, or protocol specifications."}},{"_key":"capec_00760","_id":"capec/capec_00760","_rev":"_dVyyXDi--q","original_id":"191","datatype":"capec","name":"Read Sensitive Constants Within an Executable","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_00761","_id":"capec/capec_00761","_rev":"_dVyyXDi--r","original_id":"192","datatype":"capec","name":"Protocol Analysis","metadata":{"description":"","short_description":"An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network. Although certain techniques for protocol analysis benefit from manipulating live 'on-the-wire' interactions between communicating components, static or dynamic analysis techniques applied to executables as well as to device drivers, such as network interface drivers, can also be used to reveal the function and characteristics of a communication protocol implementation. Depending upon the methods used the process may involve observing, interacting, and modifying actual communications occurring between hosts. The goal of protocol analysis is to derive the data transmission syntax, as well as to extract the meaningful content, including packet or content delimiters used by the protocol. This type of analysis is often performed on closed-specification protocols, or proprietary protocols, but is also useful for analyzing publicly available specifications to determine how particular implementations deviate from published specifications."}},{"_key":"capec_00762","_id":"capec/capec_00762","_rev":"_dVyyXDi--s","original_id":"193","datatype":"capec","name":"PHP Remote File Inclusion","metadata":{"description":"","short_description":"In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized \"include\" or \"require\" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions."}},{"_key":"capec_00763","_id":"capec/capec_00763","_rev":"_dVyyXDi--t","original_id":"194","datatype":"capec","name":"Fake the Source of Data","metadata":{"description":"","short_description":"An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified \"From\" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation."}},{"_key":"capec_00764","_id":"capec/capec_00764","_rev":"_dVyyXDi--u","original_id":"195","datatype":"capec","name":"Principal Spoof","metadata":{"description":"","short_description":"A Principal Spoof is a form of Identity Spoofing where an adversary pretends to be some other person in an interaction. This is often accomplished by crafting a message (either written, verbal, or visual) that appears to come from a person other than the adversary. Phishing and Pharming attacks often attempt to do this so that their attempts to gather sensitive information appear to come from a legitimate source. A Principal Spoof does not use stolen or spoofed authentication credentials, instead relying on the appearance and content of the message to reflect identity. The possible outcomes of a Principal Spoof mirror those of Identity Spoofing. (e.g., escalation of privilege and false attribution of data or activities) Likewise, most techniques for Identity Spoofing (crafting messages or intercepting and replaying or modifying messages) can be used for a Principal Spoof attack. However, because a Principal Spoof is used to impersonate a person, social engineering can be both an attack technique (using social techniques to generate evidence in support of a false identity) as well as a possible outcome (manipulating people's perceptions by making statements or performing actions under a target's name)."}},{"_key":"capec_00765","_id":"capec/capec_00765","_rev":"_dVyyXDi--v","original_id":"196","datatype":"capec","name":"Session Credential Falsification through Forging","metadata":{"description":"","short_description":"An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials."}},{"_key":"capec_00766","_id":"capec/capec_00766","_rev":"_dVyyXDi--w","original_id":"197","datatype":"capec","name":"Exponential Data Expansion","metadata":{"description":"","short_description":"An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory."}},{"_key":"capec_00767","_id":"capec/capec_00767","_rev":"_dVyyXDi--x","original_id":"198","datatype":"capec","name":"XSS Targeting Error Pages","metadata":{"description":"","short_description":"An adversary distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page. When the third party web server receives the crafted request and notes the error it then creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into to valid language elements that are executed by the viewing browser. When a victim executes the query provided by the attacker the infected error message is returned including the exploit code which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third party web server, who the victim may trust and hence be more vulnerable to deception."}},{"_key":"capec_00768","_id":"capec/capec_00768","_rev":"_dVyyXDi--y","original_id":"199","datatype":"capec","name":"XSS Using Alternate Syntax","metadata":{"description":"","short_description":"An adversary uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the \"script\" tag using the alternate forms of \"Script\" or \"ScRiPt\" may bypass filters where \"script\" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality."}},{"_key":"capec_00769","_id":"capec/capec_00769","_rev":"_dVyyXDi--z","original_id":"200","datatype":"capec","name":"Removal of filters: Input filters, output filters, data masking","metadata":{"description":"","short_description":"An attacker removes or disables filtering mechanisms on the target application. Input filters prevent invalid data from being sent to an application (for example, overly large inputs that might cause a buffer overflow or other malformed inputs that may not be correctly handled by an application). Input filters might also be designed to constrained executable content. For example, if an application accepts scripting languages as input, an input filter could constrain the commands received and block those that the application's administrator deems to be overly powerful. An output filter screens responses from an application or person in order to prevent disclosure of sensitive information. For example, an application's output filter might block output that is sourced to sensitive folders or which contains certain keywords. A data mask is similar to an output filter, but usually applies to structured data, such as found in databases. Data masks elide or replace portions of the information returned from a query in order to protect against the disclosure of sensitive information. If an input filter is removed the attacker will be able to send content to the target and have the target utilize it without it being sanitized. If the content sent by the attacker is executable, the attacker may be able to execute arbitrary commands on the target. If an output filter or data masking mechanism is disabled, the target may send out sensitive information that would otherwise be elided by the filters. If the data mask is disabled, sensitive information stored in a database would be returned unaltered. This could result in the disclosure of sensitive information, such as social security numbers of payment records. This attack is usually executed as part of a larger attack series. The attacker would disable filters and would then mount additional attacks to either insert commands or data or query the target application in ways that would otherwise be prevented by the filters."}},{"_key":"capec_00770","_id":"capec/capec_00770","_rev":"_dVyyXDi--0","original_id":"201","datatype":"capec","name":"Serialized Data External Linking","metadata":{"description":"","short_description":"An adversary creates a serialized data file (e.g. XML, YAML, etc...) that contains an external data reference. Because serialized data parsers may not validate documents with external references, there may be no checks on the nature of the reference in the external data. This can allow an adversary to open arbitrary files or connections, which may further lead to the adversary gaining access to information on the system that they would normally be unable to obtain."}},{"_key":"capec_00771","_id":"capec/capec_00771","_rev":"_dVyyXDi--1","original_id":"202","datatype":"capec","name":"Create Malicious Client","metadata":{"description":"","short_description":"An adversary creates a client application to interface with a target service where the client violates assumptions the service makes about clients. Services that have designated client applications (as opposed to services that use general client applications, such as IMAP or POP mail servers which can interact with any IMAP or POP client) may assume that the client will follow specific procedures. For example, servers may assume that clients will accurately compute values (such as prices), will send correctly structured messages, and will attempt to ensure efficient interactions with the server. By reverse-engineering a client and creating their own version, an adversary can take advantage of these assumptions to abuse service functionality. For example, a purchasing service might send a unit price to its client and expect the client to correctly compute the total cost of a purchase. If the adversary uses a malicious client, however, the adversary could ignore the server input and declare any total price. Likewise, an adversary could configure the client to retain network or other server resources for longer than legitimately necessary in order to degrade server performance. Even services with general clients can be susceptible to this attack if they assume certain client behaviors. However, such services generally can make fewer assumptions about the behavior of their clients in the first place and, as such, are less likely to make assumptions that an adversary can exploit."}},{"_key":"capec_00772","_id":"capec/capec_00772","_rev":"_dVyyXDi--2","original_id":"203","datatype":"capec","name":"Manipulate Registry Information","metadata":{"description":"","short_description":"An adversary exploits a weakness in authorization in order to modify content within a registry (e.g., Windows Registry, Mac plist, application registry). Editing registry information can permit the adversary to hide configuration information or remove indicators of compromise to cover up activity. Many applications utilize registries to store configuration and service information. As such, modification of registry information can affect individual services (affecting billing, authorization, or even allowing for identity spoofing) or the overall configuration of a targeted application. For example, both Java RMI and SOAP use registries to track available services. Changing registry values is sometimes a preliminary step towards completing another attack pattern, but given the long term usage of many registry values, manipulation of registry information could be its own end."}},{"_key":"capec_00773","_id":"capec/capec_00773","_rev":"_dVyyXDi--3","original_id":"204","datatype":"capec","name":"Lifting Sensitive Data Embedded in Cache","metadata":{"description":"","short_description":"An attacker examines a target application's cache for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information."}},{"_key":"capec_00774","_id":"capec/capec_00774","_rev":"_dVyyXDi--4","original_id":"206","datatype":"capec","name":"Signing Malicious Code","metadata":{"description":"","short_description":"The adversary extracts credentials used for code signing from a production environment and then uses these credentials to sign malicious content with the developer's key. Many developers use signing keys to sign code or hashes of code. When users or applications verify the signatures are accurate they are led to believe that the code came from the owner of the signing key and that the code has not been modified since the signature was applied. If the adversary has extracted the signing credentials then they can use those credentials to sign their own code bundles. Users or tools that verify the signatures attached to the code will likely assume the code came from the legitimate developer and install or run the code, effectively allowing the adversary to execute arbitrary code on the victim's computer. This differs from CAPEC-673, because the adversary is performing the code signing."}},{"_key":"capec_00775","_id":"capec/capec_00775","_rev":"_dVyyXDi--5","original_id":"207","datatype":"capec","name":"Removing Important Client Functionality","metadata":{"description":"","short_description":"An attacker removes or disables functionality on the client that the server assumes to be present and trustworthy. Attackers can, in some cases, get around logic put in place to 'guard' sensitive functionality or data. Client applications may include functionality that a server relies on for correct and secure operation. This functionality can include, but is not limited to, filters to prevent the sending of dangerous content to the server, logical functionality such as price calculations, and authentication logic to ensure that only authorized users are utilizing the client. If an attacker can disable this functionality on the client, they can perform actions that the server believes are prohibited. This can result in client behavior that violates assumptions by the server leading to a variety of possible attacks. In the above examples, this could include the sending of dangerous content (such as scripts) to the server, incorrect price calculations, or unauthorized access to server resources."}},{"_key":"capec_00776","_id":"capec/capec_00776","_rev":"_dVyyXDi--6","original_id":"208","datatype":"capec","name":"Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements","metadata":{"description":"","short_description":"An attacker removes or modifies the logic on a client associated with monetary calculations resulting in incorrect information being sent to the server. A server may rely on a client to correctly compute monetary information. For example, a server might supply a price for an item and then rely on the client to correctly compute the total cost of a purchase given the number of items the user is buying. If the attacker can remove or modify the logic that controls these calculations, they can return incorrect values to the server. The attacker can use this to make purchases for a fraction of the legitimate cost or otherwise avoid correct billing for activities."}},{"_key":"capec_00777","_id":"capec/capec_00777","_rev":"_dVyyXDi--7","original_id":"209","datatype":"capec","name":"XSS Using MIME Type Mismatch","metadata":{"description":"","short_description":"An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser."}},{"_key":"capec_00778","_id":"capec/capec_00778","_rev":"_dVyyXDi--8","original_id":"212","datatype":"capec","name":"Functionality Misuse","metadata":{"description":"","short_description":"An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact. The system functionality is not altered or modified but used in a way that was not intended. This is often accomplished through the overuse of a specific functionality or by leveraging functionality with design flaws that enables the adversary to gain access to unauthorized, sensitive data."}},{"_key":"capec_00779","_id":"capec/capec_00779","_rev":"_dVyyXDi--9","original_id":"215","datatype":"capec","name":"Fuzzing for application mapping","metadata":{"description":"","short_description":"An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information. In applications that return a stack trace along with the error, this can enumerate the chain of methods that led up to the point where the error was encountered. This can not only reveal the names of the methods (some of which may have known weaknesses) but possibly also the location of class files and libraries as well as parameter values. In some cases, the stack trace might even disclose sensitive configuration or user information."}},{"_key":"capec_00780","_id":"capec/capec_00780","_rev":"_dVyyXDi-_-","original_id":"216","datatype":"capec","name":"Communication Channel Manipulation","metadata":{"description":"","short_description":"An adversary manipulates a setting or parameter on communications channel in order to compromise its security. This can result in information exposure, insertion/removal of information from the communications stream, and/or potentially system compromise."}},{"_key":"capec_00781","_id":"capec/capec_00781","_rev":"_dVyyXDi-__","original_id":"217","datatype":"capec","name":"Exploiting Incorrectly Configured SSL","metadata":{"description":"","short_description":"An adversary takes advantage of incorrectly configured SSL communications that enables access to data intended to be encrypted. The adversary may also use this type of attack to inject commands or other traffic into the encrypted stream to cause compromise of either the client or server."}},{"_key":"capec_00782","_id":"capec/capec_00782","_rev":"_dVyyXDi-_A","original_id":"218","datatype":"capec","name":"Spoofing of UDDI/ebXML Messages","metadata":{"description":"","short_description":"An attacker spoofs a UDDI, ebXML, or similar message in order to impersonate a service provider in an e-business transaction. UDDI, ebXML, and similar standards are used to identify businesses in e-business transactions. Among other things, they identify a particular participant, WSDL information for SOAP transactions, and supported communication protocols, including security protocols. By spoofing one of these messages an attacker could impersonate a legitimate business in a transaction or could manipulate the protocols used between a client and business. This could result in disclosure of sensitive information, loss of message integrity, or even financial fraud."}},{"_key":"capec_00783","_id":"capec/capec_00783","_rev":"_dVyyXDm---","original_id":"219","datatype":"capec","name":"XML Routing Detour Attacks","metadata":{"description":"","short_description":"An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Adversary in the Middle type attacks (CAPEC-94). The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of their choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information."}},{"_key":"capec_00784","_id":"capec/capec_00784","_rev":"_dVyyXDm--_","original_id":"220","datatype":"capec","name":"Client-Server Protocol Manipulation","metadata":{"description":"","short_description":"An adversary takes advantage of weaknesses in the protocol by which a client and server are communicating to perform unexpected actions. Communication protocols are necessary to transfer messages between client and server applications. Moreover, different protocols may be used for different types of interactions. For example, an authentication protocol might be used to establish the identities of the server and client while a separate messaging protocol might be used to exchange data. If there is a weakness in a protocol used by the client and server, an attacker might take advantage of this to perform various types of attacks. For example, if the attacker is able to manipulate an authentication protocol, the attacker may be able spoof other clients or servers. If the attacker is able to manipulate a messaging protocol, the may be able to read sensitive information or modify message contents. This attack is often made easier by the fact that many clients and servers support multiple protocols to perform similar roles. For example, a server might support several different authentication protocols in order to support a wide range of clients, including legacy clients. Some of the older protocols may have vulnerabilities that allow an attacker to manipulate client-server interactions."}},{"_key":"capec_00785","_id":"capec/capec_00785","_rev":"_dVyyXDm--A","original_id":"221","datatype":"capec","name":"Data Serialization External Entities Blowup","metadata":{"description":"","short_description":"This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI."}},{"_key":"capec_00786","_id":"capec/capec_00786","_rev":"_dVyyXDm--B","original_id":"222","datatype":"capec","name":"iFrame Overlay","metadata":{"description":"","short_description":"In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system. While being logged in to some target system, the victim visits the attackers' malicious site which displays a UI that the victim wishes to interact with. In reality, the iFrame overlay page has a transparent layer above the visible UI with action controls that the attacker wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the attacker may have just tricked the victim into executing some potentially privileged (and most undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks they are clicking on versus what they are actually clicking on."}},{"_key":"capec_00787","_id":"capec/capec_00787","_rev":"_dVyyXDm--C","original_id":"224","datatype":"capec","name":"Fingerprinting","metadata":{"description":"","short_description":"An adversary compares output from a target system to known indicators that uniquely identify specific details about the target. Most commonly, fingerprinting is done to determine operating system and application versions. Fingerprinting can be done passively as well as actively. Fingerprinting by itself is not usually detrimental to the target. However, the information gathered through fingerprinting often enables an adversary to discover existing weaknesses in the target."}},{"_key":"capec_00788","_id":"capec/capec_00788","_rev":"_dVyyXDm--D","original_id":"226","datatype":"capec","name":"Session Credential Falsification through Manipulation","metadata":{"description":"","short_description":"An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server. For example, a credential in the form of a web cookie might have a field that indicates the access rights of a user. By manually tweaking this cookie, a user might be able to increase their access rights to the server. Alternately an attacker may be able to manipulate an existing credential to appear as a different user. This attack differs from falsification through prediction in that the user bases their modified credentials off existing credentials instead of using patterns detected in prior credentials to create a new credential that is accepted because it fits the pattern. As a result, an attacker may be able to impersonate other users or elevate their permissions to a targeted service."}},{"_key":"capec_00789","_id":"capec/capec_00789","_rev":"_dVyyXDm--E","original_id":"227","datatype":"capec","name":"Sustained Client Engagement","metadata":{"description":"","short_description":"An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource. The degree to which the attack is successful depends upon the adversary's ability to sustain resource requests over time with a volume that exceeds the normal usage by legitimate users, as well as other mitigating circumstances such as the target's ability to shift load or acquire additional resources to deal with the depletion. This attack differs from a flooding attack as it is not entirely dependent upon large volumes of requests, and it differs from resource leak exposures which tend to exploit the surrounding environment needed for the resource to function. The key factor in a sustainment attack are the repeated requests that take longer to process than usual."}},{"_key":"capec_00790","_id":"capec/capec_00790","_rev":"_dVyyXDm--F","original_id":"228","datatype":"capec","name":"DTD Injection","metadata":{"description":"","short_description":"An attacker injects malicious content into an application's DTD in an attempt to produce a negative technical impact. DTDs are used to describe how XML documents are processed. Certain malformed DTDs (for example, those with excessive entity expansion as described in CAPEC 197) can cause the XML parsers that process the DTDs to consume excessive resources resulting in resource depletion."}},{"_key":"capec_00791","_id":"capec/capec_00791","_rev":"_dVyyXDm--G","original_id":"229","datatype":"capec","name":"Serialized Data Parameter Blowup","metadata":{"description":"","short_description":"This attack exploits certain serialized data parsers (e.g., XML, YAML, etc.) which manage data in an inefficient manner. The attacker crafts an serialized data file with multiple configuration parameters in the same dataset. In a vulnerable parser, this results in a denial of service condition where CPU resources are exhausted because of the parsing algorithm. The weakness being exploited is tied to parser implementation and not language specific."}},{"_key":"capec_00792","_id":"capec/capec_00792","_rev":"_dVyyXDm--H","original_id":"230","datatype":"capec","name":"Serialized Data with Nested Payloads","metadata":{"description":"\n            ","short_description":"Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization."}},{"_key":"capec_00793","_id":"capec/capec_00793","_rev":"_dVyyXDm--I","original_id":"231","datatype":"capec","name":"Oversized Serialized Data Payloads","metadata":{"description":"","short_description":"Applications often need to transform data in and out of serialized data formats, such as XML and YAML, by using a data parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the parser, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An adversary's goal is to leverage parser failure to their advantage. DoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious data payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends."}},{"_key":"capec_00794","_id":"capec/capec_00794","_rev":"_dVyyXDm--J","original_id":"233","datatype":"capec","name":"Privilege Escalation","metadata":{"description":"","short_description":"An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform."}},{"_key":"capec_00795","_id":"capec/capec_00795","_rev":"_dVyyXDm--K","original_id":"234","datatype":"capec","name":"Hijacking a privileged process","metadata":{"description":"","short_description":"An adversary gains control of a process that is assigned elevated privileges in order to execute arbitrary code with those privileges. Some processes are assigned elevated privileges on an operating system, usually through association with a particular user, group, or role. If an attacker can hijack this process, they will be able to assume its level of privilege in order to execute their own code."}},{"_key":"capec_00796","_id":"capec/capec_00796","_rev":"_dVyyXDm--L","original_id":"237","datatype":"capec","name":"Escaping a Sandbox by Calling Code in Another Language","metadata":{"description":"","short_description":"The attacker may submit malicious code of another language to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox. For instance, Java code cannot perform unsafe operations, such as modifying arbitrary memory locations, due to restrictions placed on it by the Byte code Verifier and the JVM. If allowed, Java code can call directly into native C code, which may perform unsafe operations, such as call system calls and modify arbitrary memory locations on their behalf. To provide isolation, Java does not grant untrusted code with unmediated access to native C code. Instead, the sandboxed code is typically allowed to call some subset of the pre-existing native code that is part of standard libraries."}},{"_key":"capec_00797","_id":"capec/capec_00797","_rev":"_dVyyXDm--M","original_id":"240","datatype":"capec","name":"Resource Injection","metadata":{"description":"","short_description":"An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource."}},{"_key":"capec_00798","_id":"capec/capec_00798","_rev":"_dVyyXDm--N","original_id":"242","datatype":"capec","name":"Code Injection","metadata":{"description":"","short_description":"An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application."}},{"_key":"capec_00799","_id":"capec/capec_00799","_rev":"_dVyyXDm--O","original_id":"243","datatype":"capec","name":"XSS Targeting HTML Attributes","metadata":{"description":"","short_description":"An adversary inserts commands to perform cross-site scripting (XSS) actions in HTML attributes. Many filters do not adequately sanitize attributes against the presence of potentially dangerous commands even if they adequately sanitize tags. For example, dangerous expressions could be inserted into a style attribute in an anchor tag, resulting in the execution of malicious code when the resulting page is rendered. If a victim is tricked into viewing the rendered page the attack proceeds like a normal XSS attack, possibly resulting in the loss of sensitive cookies or other malicious activities."}},{"_key":"capec_00800","_id":"capec/capec_00800","_rev":"_dVyyXDm--P","original_id":"244","datatype":"capec","name":"XSS Targeting URI Placeholders","metadata":{"description":"","short_description":"An attack of this type exploits the ability of most browsers to interpret \"data\", \"javascript\" or other URI schemes as client-side executable content placeholders. This attack consists of passing a malicious URI in an anchor tag HREF attribute or any other similar attributes in other HTML tags. Such malicious URI contains, for example, a base64 encoded HTML content with an embedded cross-site scripting payload. The attack is executed when the browser interprets the malicious content i.e., for example, when the victim clicks on the malicious link."}},{"_key":"capec_00801","_id":"capec/capec_00801","_rev":"_dVyyXDm--Q","original_id":"245","datatype":"capec","name":"XSS Using Doubled Characters","metadata":{"description":"","short_description":"The attacker bypasses input validation by using doubled characters in order to perform a cross-site scripting attack. Some filters fail to recognize dangerous sequences if they are preceded by repeated characters. For example, by doubling the < before a script command, (<<script or %3C%3script using URI encoding) the filters of some web applications may fail to recognize the presence of a script tag. If the targeted server is vulnerable to this type of bypass, the attacker can create a crafted URL or other trap to cause a victim to view a page on the targeted server where the malicious content is executed, as per a normal XSS attack."}},{"_key":"capec_00802","_id":"capec/capec_00802","_rev":"_dVyyXDm--R","original_id":"247","datatype":"capec","name":"XSS Using Invalid Characters","metadata":{"description":"","short_description":"An adversary inserts invalid characters in identifiers to bypass application filtering of input. Filters may not scan beyond invalid characters but during later stages of processing content that follows these invalid characters may still be processed. This allows the attacker to sneak prohibited commands past filters and perform normally prohibited operations. Invalid characters may include null, carriage return, line feed or tab in an identifier. Successful bypassing of the filter can result in a XSS attack, resulting in the disclosure of web cookies or possibly other results."}},{"_key":"capec_00803","_id":"capec/capec_00803","_rev":"_dVyyXDm--S","original_id":"248","datatype":"capec","name":"Command Injection","metadata":{"description":"","short_description":"An adversary looking to execute a command of their choosing, injects new items into an existing command thus modifying interpretation away from what was intended. Commands in this context are often standalone strings that are interpreted by a downstream component and cause specific responses. This type of attack is possible when untrusted values are used to build these command strings. Weaknesses in input validation or command construction can enable the attack and lead to successful exploitation."}},{"_key":"capec_00804","_id":"capec/capec_00804","_rev":"_dVyyXDm--T","original_id":"250","datatype":"capec","name":"XML Injection","metadata":{"description":"","short_description":"An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information."}},{"_key":"capec_00805","_id":"capec/capec_00805","_rev":"_dVyyXDm--U","original_id":"251","datatype":"capec","name":"Local Code Inclusion","metadata":{"description":"","short_description":"The attacker forces an application to load arbitrary code files from the local machine. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways."}},{"_key":"capec_00806","_id":"capec/capec_00806","_rev":"_dVyyXDm--V","original_id":"252","datatype":"capec","name":"PHP Local File Inclusion","metadata":{"description":"","short_description":"The attacker loads and executes an arbitrary local PHP file on a target machine. The attacker could use this to try to load old versions of PHP files that have known vulnerabilities, to load PHP files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways."}},{"_key":"capec_00807","_id":"capec/capec_00807","_rev":"_dVyyXDm--W","original_id":"253","datatype":"capec","name":"Remote Code Inclusion","metadata":{"description":"","short_description":"The attacker forces an application to load arbitrary code files from a remote location. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load malicious files that the attacker placed on the remote machine, or to otherwise change the functionality of the targeted application in unexpected ways."}},{"_key":"capec_00808","_id":"capec/capec_00808","_rev":"_dVyyXDm--X","original_id":"256","datatype":"capec","name":"SOAP Array Overflow","metadata":{"description":"","short_description":"An attacker sends a SOAP request with an array whose actual length exceeds the length indicated in the request. If the server processing the transmission naively trusts the specified size, then an attacker can intentionally understate the size of the array, possibly resulting in a buffer overflow if the server attempts to read the entire data set into the memory it allocated for a smaller array."}},{"_key":"capec_00809","_id":"capec/capec_00809","_rev":"_dVyyXDm--Y","original_id":"261","datatype":"capec","name":"Fuzzing for garnering other adjacent user/sensitive data","metadata":{"description":"","short_description":"An adversary who is authorized to send queries to a target sends variants of expected queries in the hope that these modified queries might return information (directly or indirectly through error logs) beyond what the expected set of queries should provide. Many client applications use specific query templates when interacting with a server and often automatically fill in specific fields or attributes. If the server does not verify that the query matches one of the expected templates, an adversary who is allowed to send normal queries could modify their query to try to return additional information. The adversary may not know the names of fields to request or how other modifications will affect the server response, but by attempting multiple plausible variants, they might eventually trigger a server response that divulges sensitive information. Other possible outcomes include server crashes and resource consumption if the unexpected queries cause the server to enter an unstable state or perform excessive computation."}},{"_key":"capec_00810","_id":"capec/capec_00810","_rev":"_dVyyXDm--Z","original_id":"263","datatype":"capec","name":"Force Use of Corrupted Files","metadata":{"description":"","short_description":"This describes an attack where an application is forced to use a file that an attacker has corrupted. The result is often a denial of service caused by the application being unable to process the corrupted file, but other results, including the disabling of filters or access controls (if the application fails in an unsafe way rather than failing by locking down) or buffer overflows are possible."}},{"_key":"capec_00811","_id":"capec/capec_00811","_rev":"_dVyyXDm--a","original_id":"267","datatype":"capec","name":"Leverage Alternate Encoding","metadata":{"description":"","short_description":"An adversary leverages the possibility to encode potentially harmful input or content used by applications such that the applications are ineffective at validating this encoding standard."}},{"_key":"capec_00812","_id":"capec/capec_00812","_rev":"_dVyyXDm--b","original_id":"268","datatype":"capec","name":"Audit Log Manipulation","metadata":{"description":"","short_description":"The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions."}},{"_key":"capec_00813","_id":"capec/capec_00813","_rev":"_dVyyXDm--c","original_id":"270","datatype":"capec","name":"Modification of Registry Run Keys","metadata":{"description":"","short_description":"An adversary adds a new entry to the \"run keys\" in the Windows registry so that an application of their choosing is executed when a user logs in. In this way, the adversary can get their executable to operate and run on the target system with the authorized user's level of permissions. This attack is a good way for an adversary to run persistent spyware on a user's machine, such as a keylogger."}},{"_key":"capec_00814","_id":"capec/capec_00814","_rev":"_dVyyXDm--d","original_id":"271","datatype":"capec","name":"Schema Poisoning","metadata":{"description":"","short_description":"An adversary corrupts or modifies the content of a schema for the purpose of undermining the security of the target. Schemas provide the structure and content definitions for resources used by an application. By replacing or modifying a schema, the adversary can affect how the application handles or interprets a resource, often leading to possible denial of service, entering into an unexpected state, or recording incomplete data."}},{"_key":"capec_00815","_id":"capec/capec_00815","_rev":"_dVyyXDm--e","original_id":"272","datatype":"capec","name":"Protocol Manipulation","metadata":{"description":"","short_description":"An adversary subverts a communications protocol to perform an attack. This type of attack can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself."}},{"_key":"capec_00816","_id":"capec/capec_00816","_rev":"_dVyyXDm--f","original_id":"273","datatype":"capec","name":"HTTP Response Smuggling","metadata":{"description":"\n            ","short_description":"\n            "}},{"_key":"capec_00817","_id":"capec/capec_00817","_rev":"_dVyyXDm--g","original_id":"274","datatype":"capec","name":"HTTP Verb Tampering","metadata":{"description":"","short_description":"An attacker modifies the HTTP Verb (e.g. GET, PUT, TRACE, etc.) in order to bypass access restrictions. Some web environments allow administrators to restrict access based on the HTTP Verb used with requests. However, attackers can often provide a different HTTP Verb, or even provide a random string as a verb in order to bypass these protections. This allows the attacker to access data that should otherwise be protected."}},{"_key":"capec_00818","_id":"capec/capec_00818","_rev":"_dVyyXDm--h","original_id":"275","datatype":"capec","name":"DNS Rebinding","metadata":{"description":"","short_description":"An adversary serves content whose IP address is resolved by a DNS server that the adversary controls. After initial contact by a web browser (or similar client), the adversary changes the IP address to which its name resolves, to an address within the target organization that is not publicly accessible. This allows the web browser to examine this internal address on behalf of the adversary. Web browsers enforce security zones based on DNS names in order to prevent cross-zone disclosure of information. Because the same name resolves to both these IP addresses, browsers will place both IP addresses in the same security zone and allow information to flow between the addresses. This allows adversaries to discover sensitive information about the internal network of an enterprise. If there is a trust relationship between the computer with the targeted browser and the internal machine the adversary identifies, additional attacks are possible. This attack differs from pharming attacks in that the adversary is the legitimate owner of the malicious DNS server and so does not need to compromise behavior of external DNS services."}},{"_key":"capec_00819","_id":"capec/capec_00819","_rev":"_dVyyXDm--i","original_id":"276","datatype":"capec","name":"Inter-component Protocol Manipulation","metadata":{"description":"","short_description":"Inter-component protocols are used to communicate between different software and hardware modules within a single computer. Common examples are: interrupt signals and data pipes. Subverting the protocol can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself."}},{"_key":"capec_00820","_id":"capec/capec_00820","_rev":"_dVyyXDm--j","original_id":"277","datatype":"capec","name":"Data Interchange Protocol Manipulation","metadata":{"description":"","short_description":"Data Interchange Protocols are used to transmit structured data between entities. These protocols are often specific to a particular domain (B2B: purchase orders, invoices, transport logistics and waybills, medical records). They are often, but not always, XML-based. Subverting the protocol can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself."}},{"_key":"capec_00821","_id":"capec/capec_00821","_rev":"_dVyyXDm--k","original_id":"278","datatype":"capec","name":"Web Services Protocol Manipulation","metadata":{"description":"","short_description":"An adversary manipulates a web service related protocol to cause a web application or service to react differently than intended. This can either be performed through the manipulation of call parameters to include unexpected values, or by changing the called function to one that should normally be restricted or limited. By leveraging this pattern of attack, the adversary is able to gain access to data or resources normally restricted, or to cause the application or service to crash."}},{"_key":"capec_00822","_id":"capec/capec_00822","_rev":"_dVyyXDm--l","original_id":"279","datatype":"capec","name":"SOAP Manipulation","metadata":{"description":"","short_description":"Simple Object Access Protocol (SOAP) is used as a communication protocol between a client and server to invoke web services on the server. It is an XML-based protocol, and therefore suffers from many of the same shortcomings as other XML-based protocols. Adversaries can make use of these shortcomings and manipulate the content of SOAP paramters, leading to undesirable behavior on the server and allowing the adversary to carry out a number of further attacks."}},{"_key":"capec_00823","_id":"capec/capec_00823","_rev":"_dVyyXDm--m","original_id":"285","datatype":"capec","name":"ICMP Echo Request Ping","metadata":{"description":"","short_description":"An adversary sends out an ICMP Type 8 Echo Request, commonly known as a 'Ping', in order to determine if a target system is responsive. If the request is not blocked by a firewall or ACL, the target host will respond with an ICMP Type 0 Echo Reply datagram. This type of exchange is usually referred to as a 'Ping' due to the Ping utility present in almost all operating systems. Ping, as commonly implemented, allows a user to test for alive hosts, measure round-trip time, and measure the percentage of packet loss. Performing this operation for a range of hosts on the network is known as a 'Ping Sweep'. While the Ping utility is useful for small-scale host discovery, it was not designed for rapid or efficient host discovery over large network blocks. Other scanning utilities have been created that make ICMP ping sweeps easier to perform. Most networks filter ingress ICMP Type 8 messages for security reasons. Various other methods of performing ping sweeps have developed as a result. It is important to recognize the key security goal of the adversary is to discover if an IP address is alive, or has a responsive host. To this end, virtually any type of ICMP message, as defined by RFC 792 is useful. An adversary can cycle through various types of ICMP messages to determine if holes exist in the firewall configuration. When ICMP ping sweeps fail to discover hosts, other protocols can be used for the same purpose, such as TCP SYN or ACK segments, UDP datagrams sent to closed ports, etc."}},{"_key":"capec_00824","_id":"capec/capec_00824","_rev":"_dVyyXDm--n","original_id":"287","datatype":"capec","name":"TCP SYN Scan","metadata":{"description":"","short_description":"An adversary uses a SYN scan to determine the status of ports on the remote target. SYN scanning is the most common type of port scanning that is used because of its many advantages and few drawbacks. As a result, novice attackers tend to overly rely on the SYN scan while performing system reconnaissance. As a scanning method, the primary advantages of SYN scanning are its universality and speed. RFC 793 defines the required behavior of any TCP/IP device in that an incoming connection request begins with a SYN packet, which in turn must be followed by a SYN/ACK packet from the receiving service. For this reason, like TCP Connect scanning, SYN scanning works against any TCP stack. Unlike TCP Connect scanning, it is possible to scan thousands of ports per second using this method. This type of scanning is usually referred to as 'half-open' scanning because it does not complete the three-way handshake. The scanning rate is extremely fast because no time is wasted completing the handshake or tearing down the connection. This technique allows an attacker to scan through stateful firewalls due to the common configuration that TCP SYN segments for a new connection will be allowed for almost any port. TCP SYN scanning can also immediately detect 3 of the 4 important types of port status: open, closed, and filtered."}},{"_key":"capec_00825","_id":"capec/capec_00825","_rev":"_dVyyXDm--o","original_id":"290","datatype":"capec","name":"Enumerate Mail Exchange (MX) Records","metadata":{"description":"","short_description":"An adversary enumerates the MX records for a given via a DNS query. This type of information gathering returns the names of mail servers on the network. Mail servers are often not exposed to the Internet but are located within the DMZ of a network protected by a firewall. A side effect of this configuration is that enumerating the MX records for an organization my reveal the IP address of the firewall or possibly other internal systems. Attackers often resort to MX record enumeration when a DNS Zone Transfer is not possible."}},{"_key":"capec_00826","_id":"capec/capec_00826","_rev":"_dVyyXDm--p","original_id":"291","datatype":"capec","name":"DNS Zone Transfers","metadata":{"description":"","short_description":"An attacker exploits a DNS misconfiguration that permits a ZONE transfer. Some external DNS servers will return a list of IP address and valid hostnames. Under certain conditions, it may even be possible to obtain Zone data about the organization's internal network. When successful the attacker learns valuable information about the topology of the target organization, including information about particular servers, their role within the IT structure, and possibly information about the operating systems running upon the network. This is configuration dependent behavior so it may also be required to search out multiple DNS servers while attempting to find one with ZONE transfers allowed."}},{"_key":"capec_00827","_id":"capec/capec_00827","_rev":"_dVyyXDm--q","original_id":"292","datatype":"capec","name":"Host Discovery","metadata":{"description":"","short_description":"An adversary sends a probe to an IP address to determine if the host is alive. Host discovery is one of the earliest phases of network reconnaissance. The adversary usually starts with a range of IP addresses belonging to a target network and uses various methods to determine if a host is present at that IP address. Host discovery is usually referred to as 'Ping' scanning using a sonar analogy. The goal is to send a packet through to the IP address and solicit a response from the host. As such, a 'ping' can be virtually any crafted packet whatsoever, provided the adversary can identify a functional host based on its response. An attack of this nature is usually carried out with a 'ping sweep,' where a particular kind of ping is sent to a range of IP addresses."}},{"_key":"capec_00828","_id":"capec/capec_00828","_rev":"_dVyyXDm--r","original_id":"293","datatype":"capec","name":"Traceroute Route Enumeration","metadata":{"description":"","short_description":"An adversary uses a traceroute utility to map out the route which data flows through the network in route to a target destination. Tracerouting can allow the adversary to construct a working topology of systems and routers by listing the systems through which data passes through on their way to the targeted machine. This attack can return varied results depending upon the type of traceroute that is performed. Traceroute works by sending packets to a target while incrementing the Time-to-Live field in the packet header. As the packet traverses each hop along its way to the destination, its TTL expires generating an ICMP diagnostic message that identifies where the packet expired. Traditional techniques for tracerouting involved the use of ICMP and UDP, but as more firewalls began to filter ingress ICMP, methods of traceroute using TCP were developed."}},{"_key":"capec_00829","_id":"capec/capec_00829","_rev":"_dVyyXDm--s","original_id":"294","datatype":"capec","name":"ICMP Address Mask Request","metadata":{"description":"","short_description":"An adversary sends an ICMP Type 17 Address Mask Request to gather information about a target's networking configuration. ICMP Address Mask Requests are defined by RFC-950, \"Internet Standard Subnetting Procedure.\" An Address Mask Request is an ICMP type 17 message that triggers a remote system to respond with a list of its related subnets, as well as its default gateway and broadcast address via an ICMP type 18 Address Mask Reply datagram. Gathering this type of information helps the adversary plan router-based attacks as well as denial-of-service attacks against the broadcast address. Many modern operating systems will not respond to ICMP type 17 messages for security reasons. Determining whether a system or router will respond to an ICMP Address Mask Request helps the adversary determine operating system or firmware version. Additionally, because these types of messages are rare, they are easily spotted by intrusion detection systems. Many ICMP scanning tools support IP spoofing to help conceal the origin of the actual request among a storm of similar ICMP messages. It is a common practice for border firewalls and gateways to be configured to block ingress ICMP type 17 and egress ICMP type 18 messages."}},{"_key":"capec_00830","_id":"capec/capec_00830","_rev":"_dVyyXDm--t","original_id":"295","datatype":"capec","name":"Timestamp Request","metadata":{"description":"","short_description":"This pattern of attack leverages standard requests to learn the exact time associated with a target system. An adversary may be able to use the timestamp returned from the target to attack time-based security algorithms, such as random number generators, or time-based authentication mechanisms."}},{"_key":"capec_00831","_id":"capec/capec_00831","_rev":"_dVyyXDm--u","original_id":"296","datatype":"capec","name":"ICMP Information Request","metadata":{"description":"","short_description":"An adversary sends an ICMP Information Request to a host to determine if it will respond to this deprecated mechanism. ICMP Information Requests are a deprecated message type. Information Requests were originally used for diskless machines to automatically obtain their network configuration, but this message type has been superseded by more robust protocol implementations like DHCP."}},{"_key":"capec_00832","_id":"capec/capec_00832","_rev":"_dVyyXDm--v","original_id":"297","datatype":"capec","name":"TCP ACK Ping","metadata":{"description":"","short_description":"An adversary sends a TCP segment with the ACK flag set to a remote host for the purpose of determining if the host is alive. This is one of several TCP 'ping' types. The RFC 793 expected behavior for a service is to respond with a RST 'reset' packet to any unsolicited ACK segment that is not part of an existing connection. So by sending an ACK segment to a port, the adversary can identify that the host is alive by looking for a RST packet. Typically, a remote server will respond with a RST regardless of whether a port is open or closed. In this way, TCP ACK pings cannot discover the state of a remote port because the behavior is the same in either case. The firewall will look up the ACK packet in its state-table and discard the segment because it does not correspond to any active connection. A TCP ACK Ping can be used to discover if a host is alive via RST response packets sent from the host."}},{"_key":"capec_00833","_id":"capec/capec_00833","_rev":"_dVyyXDm--w","original_id":"298","datatype":"capec","name":"UDP Ping","metadata":{"description":"","short_description":"An adversary sends a UDP datagram to the remote host to determine if the host is alive. If a UDP datagram is sent to an open UDP port there is very often no response, so a typical strategy for using a UDP ping is to send the datagram to a random high port on the target. The goal is to solicit an 'ICMP port unreachable' message from the target, indicating that the host is alive. UDP pings are useful because some firewalls are not configured to block UDP datagrams sent to strange or typically unused ports, like ports in the 65K range. Additionally, while some firewalls may filter incoming ICMP, weaknesses in firewall rule-sets may allow certain types of ICMP (host unreachable, port unreachable) which are useful for UDP ping attempts."}},{"_key":"capec_00834","_id":"capec/capec_00834","_rev":"_dVyyXDm--x","original_id":"299","datatype":"capec","name":"TCP SYN Ping","metadata":{"description":"","short_description":"An adversary uses TCP SYN packets as a means towards host discovery. Typical RFC 793 behavior specifies that when a TCP port is open, a host must respond to an incoming SYN \"synchronize\" packet by completing stage two of the 'three-way handshake' - by sending an SYN/ACK in response. When a port is closed, RFC 793 behavior is to respond with a RST \"reset\" packet. This behavior can be used to 'ping' a target to see if it is alive by sending a TCP SYN packet to a port and then looking for a RST or an ACK packet in response. Due to the different responses from open and closed ports, SYN packets can be used to determine the remote state of the port. A TCP SYN ping is also useful for discovering alive hosts protected by a stateful firewall. In cases where a specific firewall rule does not block access to a port, a SYN packet can pass through the firewall to the host and solicit a response from either an open or closed port. When a stateful firewall is present, SYN pings are preferable to ACK pings because a stateful firewall will typically drop all unsolicited ACK packets as they are not part of an existing or new connection. TCP SYN pings often fail when a stateless ACL or firewall is configured to blanket-filter incoming packets to a port. The firewall device will discard any SYN packets to a blocked port. Often, an adversary will alternate between SYN and ACK pings to discover if a host is alive."}},{"_key":"capec_00835","_id":"capec/capec_00835","_rev":"_dVyyXDm--y","original_id":"300","datatype":"capec","name":"Port Scanning","metadata":{"description":"","short_description":"An adversary uses a combination of techniques to determine the state of the ports on a remote target. Any service or application available for TCP or UDP networking will have a port open for communications over the network. Although common services have assigned port numbers, services and applications can run on arbitrary ports. Additionally, port scanning is complicated by the potential for any machine to have up to 65535 possible UDP or TCP services. The goal of port scanning is often broader than identifying open ports, but also give the adversary information concerning the firewall configuration. Depending upon the method of scanning that is used, the process can be stealthy or more obtrusive, the latter being more easily detectable due to the volume of packets involved, anomalous packet traits, or system logging. Typical port scanning activity involves sending probes to a range of ports and observing the responses. There are four port statuses that this type of attack aims to identify: open, closed, filtered, and unfiltered. For strategic purposes it is useful for an adversary to distinguish between an open port that is protected by a filter vs. a closed port that is not protected by a filter. Making these fine grained distinctions is requires certain scan types. Collecting this type of information tells the adversary which ports can be attacked directly, which must be attacked with filter evasion techniques like fragmentation, source port scans, and which ports are unprotected (i.e. not firewalled) but aren't hosting a network service. An adversary often combines various techniques in order to gain a more complete picture of the firewall filtering mechanisms in place for a host."}},{"_key":"capec_00836","_id":"capec/capec_00836","_rev":"_dVyyXDm--z","original_id":"301","datatype":"capec","name":"TCP Connect Scan","metadata":{"description":"","short_description":"An adversary uses full TCP connection attempts to determine if a port is open on the target system. The scanning process involves completing a 'three-way handshake' with a remote port, and reports the port as closed if the full handshake cannot be established. An advantage of TCP connect scanning is that it works against any TCP/IP stack. RFC 793 defines how TCP connections are established and torn down. TCP connect scanning commonly involves establishing a full connection, and then subsequently tearing it down, and therefore involves sending a significant number of packets to each port that is scanned. Compared to other types of scans, a TCP Connect scan is slow and methodical. This type of scanning causes considerable noise in system logs and can be spotted by IDS/IPS systems. TCP Connect scanning can detect when a port is open by completing the three-way handshake, but it cannot distinguish a port that is unfiltered with no service running on it from a port that is filtered by a firewall but contains an active service. Due to the significant volume of packets exchanged per port, TCP connect scanning can become very time consuming (performing a full TCP connect scan against a host can take multiple days). Generally, it is not used as a method for performing a comprehensive port scan, but is reserved for checking a short list of common ports."}},{"_key":"capec_00837","_id":"capec/capec_00837","_rev":"_dVyyXDm--0","original_id":"302","datatype":"capec","name":"TCP FIN Scan","metadata":{"description":"","short_description":"An adversary uses a TCP FIN scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with the FIN bit set in the packet header. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow the adversary to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets. In addition to its relative speed in comparison with other types of scans, the major advantage a TCP FIN Scan is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. FIN packets, like out-of-state ACK packets, tend to pass through such devices undetected. FIN scanning is still relatively stealthy as the packets tend to blend in with the background noise on a network link."}},{"_key":"capec_00838","_id":"capec/capec_00838","_rev":"_dVyyXDm--1","original_id":"303","datatype":"capec","name":"TCP Xmas Scan","metadata":{"description":"","short_description":"An adversary uses a TCP XMAS scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with all possible flags set in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets. In addition to its relative speed when compared with other types of scans, its major advantage is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. XMAS packets, like out-of-state FIN or ACK packets, tend to pass through such devices undetected. Because open ports are inferred via no responses being generated, one cannot distinguish an open port from a filtered port without further analysis. For instance, XMAS scanning a system protected by a stateful firewall may indicate all ports being open. Because of their obvious rule-breaking nature, XMAS scans are flagged by almost all intrusion prevention or intrusion detection systems."}},{"_key":"capec_00839","_id":"capec/capec_00839","_rev":"_dVyyXDm--2","original_id":"304","datatype":"capec","name":"TCP Null Scan","metadata":{"description":"","short_description":"An adversary uses a TCP NULL scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with no flags in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets. In addition to being fast, the major advantage of this scan type is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. NULL packets, like out-of-state FIN or ACK packets, tend to pass through such devices undetected. Additionally, because open ports are inferred via no responses being generated, one cannot distinguish an open port from a filtered port without further analysis. For instance, NULL scanning a system protected by a stateful firewall may indicate all ports being open. Because of their obvious rule-breaking nature, NULL scans are flagged by almost all intrusion prevention or intrusion detection systems."}},{"_key":"capec_00840","_id":"capec/capec_00840","_rev":"_dVyyXDm--3","original_id":"305","datatype":"capec","name":"TCP ACK Scan","metadata":{"description":"","short_description":"An adversary uses TCP ACK segments to gather information about firewall or ACL configuration. The purpose of this type of scan is to discover information about filter configurations rather than port state. This type of scanning is rarely useful alone, but when combined with SYN scanning, gives a more complete picture of the type of firewall rules that are present. When a TCP ACK segment is sent to a closed port, or sent out-of-sync to a listening port, the RFC 793 expected behavior is for the device to respond with a RST. Getting RSTs back in response to a ACK scan gives the attacker useful information that can be used to infer the type of firewall present. Stateful firewalls will discard out-of-sync ACK packets, leading to no response. When this occurs the port is marked as filtered. When RSTs are received in response, the ports are marked as unfiltered, as the ACK packets solicited the expected behavior from a port. When combined with SYN techniques an attacker can gain a more complete picture of which types of packets get through to a host and thereby map out its firewall rule-set. ACK scanning, when combined with SYN scanning, also allows the adversary to analyze whether a firewall is stateful or non-stateful (described in notes). TCP ACK Scans are somewhat faster and more stealthy than other types of scans but often requires rather sophisticated analysis by an experienced person. A skilled adversary may use this method to map out firewall rules, but the results of ACK scanning will be less useful to a novice."}},{"_key":"capec_00841","_id":"capec/capec_00841","_rev":"_dVyyXDm--4","original_id":"306","datatype":"capec","name":"TCP Window Scan","metadata":{"description":"","short_description":"An adversary engages in TCP Window scanning to analyze port status and operating system type. TCP Window scanning uses the ACK scanning method but examine the TCP Window Size field of response RST packets to make certain inferences. While TCP Window Scans are fast and relatively stealthy, they work against fewer TCP stack implementations than any other type of scan. Some operating systems return a positive TCP window size when a RST packet is sent from an open port, and a negative value when the RST originates from a closed port. TCP Window scanning is one of the most complex scan types, and its results are difficult to interpret. Window scanning alone rarely yields useful information, but when combined with other types of scanning is more useful. It is a generally more reliable means of making inference about operating system versions than port status."}},{"_key":"capec_00842","_id":"capec/capec_00842","_rev":"_dVyyXDm--5","original_id":"307","datatype":"capec","name":"TCP RPC Scan","metadata":{"description":"","short_description":"An adversary scans for RPC services listing on a Unix/Linux host. This type of scan can be obtained via native operating system utilities or via port scanners like nmap. When performed by a scanner, an RPC datagram is sent to a list of UDP ports and the response is recorded. Particular types of responses can be indicative of well-known RPC services running on a UDP port. Direct RPC scans that bypass portmapper/sunrpc are typically slow compare to other scan types, are easily detected by IPS/IDS systems, and can only detect open ports when an RPC service responds. ICMP diagnostic message responses can help identify closed ports, however filtered and unfiltered ports cannot be identified through TCP RPC scans. There are two general approaches to RPC scanning: One is to use a native operating system utility, or script, to query the portmapper/rpcbind application running on port 111. Portmapper will return a list of registered RPC services. Alternately, one can use a port scanner or script to scan for RPC services directly. Discovering RPC services gives the attacker potential targets to attack, as some RPC services are insecure by default."}},{"_key":"capec_00843","_id":"capec/capec_00843","_rev":"_dVyyXDm--6","original_id":"308","datatype":"capec","name":"UDP Scan","metadata":{"description":"","short_description":"An adversary engages in UDP scanning to gather information about UDP port status on the target system. UDP scanning methods involve sending a UDP datagram to the target port and looking for evidence that the port is closed. Open UDP ports usually do not respond to UDP datagrams as there is no stateful mechanism within the protocol that requires building or establishing a session. Responses to UDP datagrams are therefore application specific and cannot be relied upon as a method of detecting an open port. UDP scanning relies heavily upon ICMP diagnostic messages in order to determine the status of a remote port. During a UDP scan, a datagram is sent to a target port. If an 'ICMP Type 3 Port unreachable' error message is returned then the port is considered closed. Different types of ICMP messages can indicate a filtered port. UDP scanning is slower than TCP scanning. The protocol characteristics of UDP make port scanning inherently more difficult than with TCP, as well as dependent upon ICMP for accurate scanning. Due to ambiguities that can arise between open ports and filtered ports, UDP scanning results often require a high degree of interpretation and further testing to refine. In general, UDP scanning results are less reliable or accurate than TCP-based scanning."}},{"_key":"capec_00844","_id":"capec/capec_00844","_rev":"_dVyyXDm--7","original_id":"309","datatype":"capec","name":"Network Topology Mapping","metadata":{"description":"","short_description":"An adversary engages in scanning activities to map network nodes, hosts, devices, and routes. Adversaries usually perform this type of network reconnaissance during the early stages of attack against an external network. Many types of scanning utilities are typically employed, including ICMP tools, network mappers, port scanners, and route testing utilities such as traceroute."}},{"_key":"capec_00845","_id":"capec/capec_00845","_rev":"_dVyyXDm--8","original_id":"310","datatype":"capec","name":"Scanning for Vulnerable Software","metadata":{"description":"","short_description":"An attacker engages in scanning activity to find vulnerable software versions or types, such as operating system versions or network services. Vulnerable or exploitable network configurations, such as improperly firewalled systems, or misconfigured systems in the DMZ or external network, provide windows of opportunity for an attacker. Common types of vulnerable software include unpatched operating systems or services (e.g FTP, Telnet, SMTP, SNMP) running on open ports that the attacker has identified. Attackers usually begin probing for vulnerable software once the external network has been port scanned and potential targets have been revealed."}},{"_key":"capec_00846","_id":"capec/capec_00846","_rev":"_dVyyXDm--9","original_id":"312","datatype":"capec","name":"Active OS Fingerprinting","metadata":{"description":"","short_description":"An adversary engages in activity to detect the operating system or firmware version of a remote target by interrogating a device, server, or platform with a probe designed to solicit behavior that will reveal information about the operating systems or firmware in the environment. Operating System detection is possible because implementations of common protocols (Such as IP or TCP) differ in distinct ways. While the implementation differences are not sufficient to 'break' compatibility with the protocol the differences are detectable because the target will respond in unique ways to specific probing activity that breaks the semantic or logical rules of packet construction for a protocol. Different operating systems will have a unique response to the anomalous input, providing the basis to fingerprint the OS behavior. This type of OS fingerprinting can distinguish between operating system types and versions."}},{"_key":"capec_00847","_id":"capec/capec_00847","_rev":"_dVyyXDm-_-","original_id":"313","datatype":"capec","name":"Passive OS Fingerprinting","metadata":{"description":"","short_description":"An adversary engages in activity to detect the version or type of OS software in a an environment by passively monitoring communication between devices, nodes, or applications. Passive techniques for operating system detection send no actual probes to a target, but monitor network or client-server communication between nodes in order to identify operating systems based on observed behavior as compared to a database of known signatures or values. While passive OS fingerprinting is not usually as reliable as active methods, it is generally better able to evade detection."}},{"_key":"capec_00848","_id":"capec/capec_00848","_rev":"_dVyyXDm-__","original_id":"317","datatype":"capec","name":"IP ID Sequencing Probe","metadata":{"description":"","short_description":"This OS fingerprinting probe analyzes the IP 'ID' field sequence number generation algorithm of a remote host. Operating systems generate IP 'ID' numbers differently, allowing an attacker to identify the operating system of the host by examining how is assigns ID numbers when generating response packets. RFC 791 does not specify how ID numbers are chosen or their ranges, so ID sequence generation differs from implementation to implementation. There are two kinds of IP 'ID' sequence number analysis - IP 'ID' Sequencing: analyzing the IP 'ID' sequence generation algorithm for one protocol used by a host and Shared IP 'ID' Sequencing: analyzing the packet ordering via IP 'ID' values spanning multiple protocols, such as between ICMP and TCP."}},{"_key":"capec_00849","_id":"capec/capec_00849","_rev":"_dVyyXDm-_A","original_id":"318","datatype":"capec","name":"IP 'ID' Echoed Byte-Order Probe","metadata":{"description":"","short_description":"This OS fingerprinting probe tests to determine if the remote host echoes back the IP 'ID' value from the probe packet. An attacker sends a UDP datagram with an arbitrary IP 'ID' value to a closed port on the remote host to observe the manner in which this bit is echoed back in the ICMP error message. The identification field (ID) is typically utilized for reassembling a fragmented packet. Some operating systems or router firmware reverse the bit order of the ID field when echoing the IP Header portion of the original datagram within an ICMP error message."}},{"_key":"capec_00850","_id":"capec/capec_00850","_rev":"_dVyyXDm-_B","original_id":"319","datatype":"capec","name":"IP (DF) 'Don't Fragment Bit' Echoing Probe","metadata":{"description":"","short_description":"This OS fingerprinting probe tests to determine if the remote host echoes back the IP 'DF' (Don't Fragment) bit in a response packet. An attacker sends a UDP datagram with the DF bit set to a closed port on the remote host to observe whether the 'DF' bit is set in the response packet. Some operating systems will echo the bit in the ICMP error message while others will zero out the bit in the response packet."}},{"_key":"capec_00851","_id":"capec/capec_00851","_rev":"_dVyyXDm-_C","original_id":"320","datatype":"capec","name":"TCP Timestamp Probe","metadata":{"description":"","short_description":"This OS fingerprinting probe examines the remote server's implementation of TCP timestamps. Not all operating systems implement timestamps within the TCP header, but when timestamps are used then this provides the attacker with a means to guess the operating system of the target. The attacker begins by probing any active TCP service in order to get response which contains a TCP timestamp. Different Operating systems update the timestamp value using different intervals. This type of analysis is most accurate when multiple timestamp responses are received and then analyzed. TCP timestamps can be found in the TCP Options field of the TCP header."}},{"_key":"capec_00852","_id":"capec/capec_00852","_rev":"_dVyyXDm-_D","original_id":"321","datatype":"capec","name":"TCP Sequence Number Probe","metadata":{"description":"","short_description":"This OS fingerprinting probe tests the target system's assignment of TCP sequence numbers. One common way to test TCP Sequence Number generation is to send a probe packet to an open port on the target and then compare the how the Sequence Number generated by the target relates to the Acknowledgement Number in the probe packet. Different operating systems assign Sequence Numbers differently, so a fingerprint of the operating system can be obtained by categorizing the relationship between the acknowledgement number and sequence number as follows: 1) the Sequence Number generated by the target is Zero, 2) the Sequence Number generated by the target is the same as the acknowledgement number in the probe, 3) the Sequence Number generated by the target is the acknowledgement number plus one, or 4) the Sequence Number is any other non-zero number."}},{"_key":"capec_00853","_id":"capec/capec_00853","_rev":"_dVyyXDm-_E","original_id":"322","datatype":"capec","name":"TCP (ISN) Greatest Common Divisor Probe","metadata":{"description":"","short_description":"This OS fingerprinting probe sends a number of TCP SYN packets to an open port of a remote machine. The Initial Sequence Number (ISN) in each of the SYN/ACK response packets is analyzed to determine the smallest number that the target host uses when incrementing sequence numbers. This information can be useful for identifying an operating system because particular operating systems and versions increment sequence numbers using different values. The result of the analysis is then compared against a database of OS behaviors to determine the OS type and/or version."}},{"_key":"capec_00854","_id":"capec/capec_00854","_rev":"_dVyyXDm-_F","original_id":"323","datatype":"capec","name":"TCP (ISN) Counter Rate Probe","metadata":{"description":"","short_description":"This OS detection probe measures the average rate of initial sequence number increments during a period of time. Sequence numbers are incremented using a time-based algorithm and are susceptible to a timing analysis that can determine the number of increments per unit time. The result of this analysis is then compared against a database of operating systems and versions to determine likely operation system matches."}},{"_key":"capec_00855","_id":"capec/capec_00855","_rev":"_dVyyXDm-_G","original_id":"324","datatype":"capec","name":"TCP (ISN) Sequence Predictability Probe","metadata":{"description":"","short_description":"This type of operating system probe attempts to determine an estimate for how predictable the sequence number generation algorithm is for a remote host. Statistical techniques, such as standard deviation, can be used to determine how predictable the sequence number generation is for a system. This result can then be compared to a database of operating system behaviors to determine a likely match for operating system and version."}},{"_key":"capec_00856","_id":"capec/capec_00856","_rev":"_dVyyXDm-_H","original_id":"325","datatype":"capec","name":"TCP Congestion Control Flag (ECN) Probe","metadata":{"description":"","short_description":"This OS fingerprinting probe checks to see if the remote host supports explicit congestion notification (ECN) messaging. ECN messaging was designed to allow routers to notify a remote host when signal congestion problems are occurring. Explicit Congestion Notification messaging is defined by RFC 3168. Different operating systems and versions may or may not implement ECN notifications, or may respond uniquely to particular ECN flag types."}},{"_key":"capec_00857","_id":"capec/capec_00857","_rev":"_dVyyXDm-_I","original_id":"326","datatype":"capec","name":"TCP Initial Window Size Probe","metadata":{"description":"","short_description":"This OS fingerprinting probe checks the initial TCP Window size. TCP stacks limit the range of sequence numbers allowable within a session to maintain the \"connected\" state within TCP protocol logic. The initial window size specifies a range of acceptable sequence numbers that will qualify as a response to an ACK packet within a session. Various operating systems use different Initial window sizes. The initial window size can be sampled by establishing an ordinary TCP connection."}},{"_key":"capec_00858","_id":"capec/capec_00858","_rev":"_dVyyXDm-_J","original_id":"327","datatype":"capec","name":"TCP Options Probe","metadata":{"description":"","short_description":"This OS fingerprinting probe analyzes the type and order of any TCP header options present within a response segment. Most operating systems use unique ordering and different option sets when options are present. RFC 793 does not specify a required order when options are present, so different implementations use unique ways of ordering or structuring TCP options. TCP options can be generated by ordinary TCP traffic."}},{"_key":"capec_00859","_id":"capec/capec_00859","_rev":"_dVyyXDm-_K","original_id":"328","datatype":"capec","name":"TCP 'RST' Flag Checksum Probe","metadata":{"description":"","short_description":"This OS fingerprinting probe performs a checksum on any ASCII data contained within the data portion or a RST packet. Some operating systems will report a human-readable text message in the payload of a 'RST' (reset) packet when specific types of connection errors occur. RFC 1122 allows text payloads within reset packets but not all operating systems or routers implement this functionality."}},{"_key":"capec_00860","_id":"capec/capec_00860","_rev":"_dVyyXDm-_L","original_id":"329","datatype":"capec","name":"ICMP Error Message Quoting Probe","metadata":{"description":"","short_description":"An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the amount of data returned or \"Quoted\" from the originating request that generated the ICMP error message. For this purpose \"Port Unreachable\" error messages are often used, as generating them requires the attacker to send a UDP datagram to a closed port on the target. The goal of this analysis to make inferences about the type of operating system or firmware that sent the error message in reply. This is useful for identifying unique characteristics of operating systems because the RFC-1122 expected behavior reads: \"Every ICMP error message includes the Internet header and at least the first 8 data octets of the datagram that triggered the error; more than 8 octets MAY be sent [...].\" This contrasts with RFC-792 expected behavior, which limited the quoted text to 64 bits (8 octets). Given the latitude in the specification the resulting RFC-1122 stack implementations often respond with a high degree of variability in the amount of data quoted in the error message because \"older\" or \"legacy\" stacks may comply with the RFC-792 specification, while other stacks may choose a longer format in accordance with RFC-1122. As a general rule most operating systems or firmware will quote the first 8 bytes of the datagram triggering the error, but some IP stacks will quote more than the first 8 bytes of data."}},{"_key":"capec_00861","_id":"capec/capec_00861","_rev":"_dVyyXDm-_M","original_id":"330","datatype":"capec","name":"ICMP Error Message Echoing Integrity Probe","metadata":{"description":"","short_description":"An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the integrity of data returned or \"Quoted\" from the originating request that generated the error message. For this purpose \"Port Unreachable\" error messages are often used, as generating them requires the attacker to send a UDP datagram to a closed port on the target. When replying with an ICMP error message some IP/ICMP stack implementations change aspects of the IP header, change or reverse certain byte orders, reset certain field values to default values which differ between operating system and firmware implementations, and make other changes. Some IP/ICMP stacks are decidedly broken, indicating an idiosyncratic behavior that differs from the RFC specifications, such as the case when miscalculations affect a field value. A tremendous amount of information about the host operating system can be deduced from its 'echoing' characteristics. Notably, inspection of key protocol header fields, including the echoed header fields of the encapsulating protocol can yield a wealth of data about the host operating system or firmware version."}},{"_key":"capec_00862","_id":"capec/capec_00862","_rev":"_dVyyXDm-_N","original_id":"331","datatype":"capec","name":"ICMP IP Total Length Field Probe","metadata":{"description":"","short_description":"An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable\" error message. RFC1122 specifies that the Header of the request must be echoed back when an error is sent in response, but some operating systems and firmware alter the integrity of the original header. Non-standard ICMP/IP implementations result in response that are useful for individuating remote operating system or router firmware versions. There are four general response types that can be used to distinguish operating systems apart: 1) the IP total length field may be calculated correctly, 2) an operating system may add 20 or more additional bytes to the length calculation, 3) the operating system may subtract 20 or more bytes from the correct length of the field or 4) the IP total length field is calculated with any other incorrect value. This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses."}},{"_key":"capec_00863","_id":"capec/capec_00863","_rev":"_dVyyXDm-_O","original_id":"332","datatype":"capec","name":"ICMP IP 'ID' Field Error Message Probe","metadata":{"description":"","short_description":"An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. The internet identification field (ID) is typically utilized for reassembling a fragmented packet. RFC791 and RFC815 discusses about IP datagrams, fragmentation and reassembly. Some operating systems or router firmware reverse the bit order of the ID field when echoing the IP Header portion of the original datagram within the ICMP error message. There are three behaviors related to the IP ID field that can be used to distinguish remote operating systems or firmware: 1) it is echoed back identically to the bit order of the ID field in the original IP header, 2) it is echoed back, but the byte order has been reversed, or it contains an incorrect or unexpected value. Different operating systems will respond by setting the IP ID field differently within error messaging. This allows the attacker to construct a fingerprint of specific OS behaviors."}},{"_key":"capec_00864","_id":"capec/capec_00864","_rev":"_dVyyXDm-_P","original_id":"383","datatype":"capec","name":"Harvesting Information via API Event Monitoring","metadata":{"description":"","short_description":"An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the adversary creating an event within the sub-application. Assume the adversary hosts a \"virtual sale\" of rare items. As other users enter the event, the attacker records via AiTM (CAPEC-94) proxy the user_ids and usernames of everyone who attends. The adversary would then be able to spam those users within the application using an automated script."}},{"_key":"capec_00865","_id":"capec/capec_00865","_rev":"_dVyyXDq---","original_id":"384","datatype":"capec","name":"Application API Message Manipulation via Man-in-the-Middle","metadata":{"description":"","short_description":"An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to perform adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system. Despite the use of AiTH software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true \"Adversary-in-the-Middle\" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client."}},{"_key":"capec_00866","_id":"capec/capec_00866","_rev":"_dVyyXDq--_","original_id":"385","datatype":"capec","name":"Transaction or Event Tampering via Application API Manipulation","metadata":{"description":"","short_description":"An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process."}},{"_key":"capec_00867","_id":"capec/capec_00867","_rev":"_dVyyXDq--A","original_id":"386","datatype":"capec","name":"Application API Navigation Remapping","metadata":{"description":"","short_description":"An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud."}},{"_key":"capec_00868","_id":"capec/capec_00868","_rev":"_dVyyXDq--B","original_id":"387","datatype":"capec","name":"Navigation Remapping To Propagate Malicious Content","metadata":{"description":"","short_description":"An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attackers' intent. When the goal is to spread malware, deceptive content is created such as modified links, buttons, or images, that entice users to click on those items, all of which point to a malicious URI. The techniques require use of specialized software that allow the attacker to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system in order to change the destination of various application interface elements."}},{"_key":"capec_00869","_id":"capec/capec_00869","_rev":"_dVyyXDq--C","original_id":"388","datatype":"capec","name":"Application API Button Hijacking","metadata":{"description":"","short_description":"An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination."}},{"_key":"capec_00870","_id":"capec/capec_00870","_rev":"_dVyyXDq--D","original_id":"389","datatype":"capec","name":"Content Spoofing Via Application API Manipulation","metadata":{"description":"","short_description":"An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attackers' intent. The techniques require use of specialized software that allow the attacker to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system."}},{"_key":"capec_00871","_id":"capec/capec_00871","_rev":"_dVyyXDq--E","original_id":"390","datatype":"capec","name":"Bypassing Physical Security","metadata":{"description":"","short_description":"Facilities often used layered models for physical security such as traditional locks, Electronic-based card entry systems, coupled with physical alarms. Hardware security mechanisms range from the use of computer case and cable locks as well as RFID tags for tracking computer assets. This layered approach makes it difficult for random physical security breaches to go unnoticed, but is less effective at stopping deliberate and carefully planned break-ins. Avoiding detection begins with evading building security and surveillance and methods for bypassing the electronic or physical locks which secure entry points."}},{"_key":"capec_00872","_id":"capec/capec_00872","_rev":"_dVyyXDq--F","original_id":"391","datatype":"capec","name":"Bypassing Physical Locks","metadata":{"description":"","short_description":"An attacker uses techniques and methods to bypass physical security measures of a building or facility. Physical locks may range from traditional lock and key mechanisms, cable locks used to secure laptops or servers, locks on server cases, or other such devices. Techniques such as lock bumping, lock forcing via snap guns, or lock picking can be employed to bypass those locks and gain access to the facilities or devices they protect, although stealth, evidence of tampering, and the integrity of the lock following an attack, are considerations that may determine the method employed. Physical locks are limited by the complexity of the locking mechanism. While some locks may offer protections such as shock resistant foam to prevent bumping or lock forcing methods, many commonly employed locks offer no such countermeasures."}},{"_key":"capec_00873","_id":"capec/capec_00873","_rev":"_dVyyXDq--G","original_id":"392","datatype":"capec","name":"Lock Bumping","metadata":{"description":"","short_description":"An attacker uses a bump key to force a lock on a building or facility and gain entry. Lock Bumping is the use of a special type of key that can be tapped or bumped to cause the pins within the lock to fall into temporary alignment, allowing the lock to be opened. Lock bumping allows an attacker to open a lock without having the correct key. A standard lock is secured by a set of internal pins that prevent the device from turning. Spring loaded driver pins push down on the key pins. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. A bump key is a specially constructed key that exploits this design. When the bump key is struck or firmly tapped, its teeth transfer the force of the tap into the key pins, causing the lock to momentarily shift into proper alignment for the mechanism to be opened."}},{"_key":"capec_00874","_id":"capec/capec_00874","_rev":"_dVyyXDq--H","original_id":"393","datatype":"capec","name":"Lock Picking","metadata":{"description":"","short_description":"An attacker uses lock picking tools and techniques to bypass the locks on a building or facility. Lock picking is the use of a special set of tools to manipulate the pins within a lock. Different sets of tools are required for each type of lock. Lock picking attacks have the advantage of being non-invasive in that if performed correctly the lock will not be damaged. A standard lock pin-and-tumbler lock is secured by a set of internal pins that prevent the tumbler device from turning. Spring loaded driver pins push down on the key pins preventing rotation so that the bolt remains in a locked position.. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. Most common locks, such as domestic locks in the US, can be picked using a standard 2 tools (i.e. a torsion wrench and a hook pick)."}},{"_key":"capec_00875","_id":"capec/capec_00875","_rev":"_dVyyXDq--I","original_id":"394","datatype":"capec","name":"Using a Snap Gun Lock to Force a Lock","metadata":{"description":"","short_description":"An attacker uses a Snap Gun, also known as a Pick Gun, to force the lock on a building or facility. A Pick Gun is a special type of lock picking instrument that works on similar principles as lock bumping. A snap gun is a hand-held device with an attached metal pick. The metal pick strikes the pins within the lock, transferring motion from the key pins to the driver pins and forcing the lock into momentary alignment. A standard lock is secured by a set of internal pins that prevent the device from turning. Spring loaded driver pins push down on the key pins. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. A Snap Gun exploits this design by using a metal pin to strike all of the key pins at once, forcing the driver pins to shift into an unlocked position. Unlike bump keys or lock picks, a Snap Gun may damage the lock more easily, leaving evidence that the lock has been tampered with."}},{"_key":"capec_00876","_id":"capec/capec_00876","_rev":"_dVyyXDq--J","original_id":"395","datatype":"capec","name":"Bypassing Electronic Locks and Access Controls","metadata":{"description":"","short_description":"An attacker exploits security assumptions to bypass electronic locks or other forms of access controls. Most attacks against electronic access controls follow similar methods but utilize different tools. Some electronic locks utilize magnetic strip cards, others employ RFID tags embedded within a card or badge, or may involve more sophisticated protections such as voice-print, thumb-print, or retinal biometrics. Magnetic Strip and RFID technologies are the most widespread because they are cost effective to deploy and more easily integrated with other electronic security measures. These technologies share common weaknesses that an attacker can exploit to gain access to a facility protected by the mechanisms via copying legitimate cards or badges, or generating new cards using reverse-engineered algorithms."}},{"_key":"capec_00877","_id":"capec/capec_00877","_rev":"_dVyyXDq--K","original_id":"397","datatype":"capec","name":"Cloning Magnetic Strip Cards","metadata":{"description":"","short_description":"An attacker duplicates the data on a Magnetic strip card (i.e. 'swipe card' or 'magstripe') to gain unauthorized access to a physical location or a person's private information. Magstripe cards encode data on a band of iron-based magnetic particles arrayed in a stripe along a rectangular card. Most magstripe card data formats conform to ISO standards 7810, 7811, 7813, 8583, and 4909. The primary advantage of magstripe technology is ease of encoding and portability, but this also renders magnetic strip cards susceptible to unauthorized duplication. If magstripe cards are used for access control, all an attacker need do is obtain a valid card long enough to make a copy of the card and then return the card to its location (i.e. a co-worker's desk). Magstripe reader/writers are widely available as well as software for analyzing data encoded on the cards. By swiping a valid card, it becomes trivial to make any number of duplicates that function as the original."}},{"_key":"capec_00878","_id":"capec/capec_00878","_rev":"_dVyyXDq--L","original_id":"398","datatype":"capec","name":"Magnetic Strip Card Brute Force Attacks","metadata":{"description":"","short_description":"An attacker analyzes the data on two or more magnetic strip cards and is able to generate new cards containing valid sequences that allow unauthorized access and/or impersonation of individuals. Often, magnetic strip encoding methods follow a common format for a given system laid out in up to three tracks. A single card may allow access to a corporate office complex shared by multiple companies. By analyzing how the data is stored on a card, it is also possible to create valid cards via brute-force attacks. For example, a single card can grant access to a building, a floor, and a suite number. Reading and analyzing data on multiple cards, then performing a difference analysis between data encoded on three different cards, can reveal clues as to how to generate valid cards that grant access to restricted areas of a building or suites/rooms within that building. Data stored on magstripe cards is often unencrypted, therefore comparing which data changes when two or more cards are analyzed can yield results that aid in determining the structure of the card data. A trivial example would be a common system data format on a data track which binary encodes the suite number of a building that a card will open. By creating multiple cards with differing binary encoded segments it becomes possible to enter unauthorized areas or pass through checkpoints giving the electronic ID of other persons."}},{"_key":"capec_00879","_id":"capec/capec_00879","_rev":"_dVyyXDq--M","original_id":"399","datatype":"capec","name":"Cloning RFID Cards or Chips","metadata":{"description":"","short_description":"An attacker analyzes data returned by an RFID chip and uses this information to duplicate a RFID signal that responds identically to the target chip. In some cases RFID chips are used for building access control, employee identification, or as markers on products being delivered along a supply chain. Some organizations also embed RFID tags inside computer assets to trigger alarms if they are removed from particular rooms, zones, or buildings. Similar to Magnetic strip cards, RFID cards are susceptible to duplication (cloning) and reuse. RFID (Radio Frequency Identification) are passive devices which consist of an integrated circuit for processing RF signals and an antenna. RFID devices are passive in that they lack an on on-board power source. The majority of RFID chips operate on either the 13.56 MHz or 135 KHz frequency. The chip is powered when a signal is received by the antenna on the chip, powering the chip long enough to send a reply message. An attacker is able to capture and analyze RFID data by either stimulating the chip to respond or being proximate to the chip when it sends a response to a remote transmitter. This allows the attacker to duplicate the signal and conduct attacks such as gaining unauthorized access to a building or impersonating a user's identification."}},{"_key":"capec_00880","_id":"capec/capec_00880","_rev":"_dVyyXDq--N","original_id":"400","datatype":"capec","name":"RFID Chip Deactivation or Destruction","metadata":{"description":"","short_description":"An attacker uses methods to deactivate a passive RFID tag for the purpose of rendering the tag, badge, card, or object containing the tag unresponsive. RFID tags are used primarily for access control, inventory, or anti-theft devices. The purpose of attacking the RFID chip is to disable or damage the chip without causing damage to the object housing it. When correctly performed the RFID chip can be disabled or destroyed without visible damage or marking to whatever item or device containing the chip. Attacking the chip directly allows for the security device or method to be bypassed without directly damaging the device itself, such as an alarm system or computer system Various methods exist for damaging or deactivating RFID tags. For example, most common RFID chips can be permanently destroyed by creating a small electromagnetic pulse near the chip itself. One method employed requires the modifying a disposable camera by disconnecting the flash bulb and soldering a copper coil to the capacitor. Firing the camera in this configuration near any RFID chip-based device creates an EMP pulse sufficient to destroy the chip without leaving evidence of tampering. So far this attack has been demonstrated to work against RFID chips in the 13.56 MHz range."}},{"_key":"capec_00881","_id":"capec/capec_00881","_rev":"_dVyyXDq--O","original_id":"401","datatype":"capec","name":"Physically Hacking Hardware","metadata":{"description":"","short_description":"An adversary exploits a weakness in access control to gain access to currently installed hardware and precedes to implement changes or secretly replace a hardware component which undermines the system's integrity for the purpose of carrying out an attack."}},{"_key":"capec_00882","_id":"capec/capec_00882","_rev":"_dVyyXDq--P","original_id":"402","datatype":"capec","name":"Bypassing ATA Password Security","metadata":{"description":"","short_description":"An attacker exploits a weakness in ATA security on a drive to gain access to the information the drive contains without supplying the proper credentials. ATA Security is often employed to protect hard disk information from unauthorized access. The mechanism requires the user to type in a password before the BIOS is allowed access to drive contents. Some implementations of ATA security will accept the ATA command to update the password without the user having authenticated with the BIOS. This occurs because the security mechanism assumes the user has first authenticated via the BIOS prior to sending commands to the drive. Various methods exist for exploiting this flaw, the most common being installing the ATA protected drive into a system lacking ATA security features (a.k.a. hot swapping). Once the drive is installed into the new system the BIOS can be used to reset the drive password."}},{"_key":"capec_00883","_id":"capec/capec_00883","_rev":"_dVyyXDq--Q","original_id":"406","datatype":"capec","name":"Dumpster Diving","metadata":{"description":"","short_description":"An adversary cases an establishment and searches through trash bins, dumpsters, or areas where company information may have been accidentally discarded for information items which may be useful to the dumpster diver. The devastating nature of the items and/or information found can be anything from medical records, resumes, personal photos and emails, bank statements, account details or information about software, tech support logs and so much more. By collecting this information an adversary may be able to learn important facts about the person or organization that play a role in helping the adversary in their attack."}},{"_key":"capec_00884","_id":"capec/capec_00884","_rev":"_dVyyXDq--R","original_id":"407","datatype":"capec","name":"Pretexting","metadata":{"description":"","short_description":"An adversary engages in pretexting behavior to solicit information from target persons, or manipulate the target into performing some action that serves the adversary's interests. During a pretexting attack, the adversary creates an invented scenario, assuming an identity or role to persuade a targeted victim to release information or perform some action. It is more than just creating a lie; in some cases it can be creating a whole new identity and then using that identity to manipulate the receipt of information. Pretexting can also be used to impersonate people in certain jobs and roles that they never themselves have done. In simple form, these attacks can be leveraged to learn information about a target. More complicated iterations may seek to solicit a target to perform some action that assists the adversary in exploiting organizational weaknesses or obtaining access to secure facilities or systems. Pretexting is not a one-size fits all solution. Good information gathering techniques can make or break a good pretext. A solid pretext is an essential part of building trust. If an adversary’s alias, story, or identity has holes or lacks credibility or even the perception of credibility the target will most likely catch on."}},{"_key":"capec_00885","_id":"capec/capec_00885","_rev":"_dVyyXDq--S","original_id":"410","datatype":"capec","name":"Information Elicitation","metadata":{"description":"","short_description":"An adversary engages an individual using any combination of social engineering methods for the purpose of extracting information. Accurate contextual and environmental queues, such as knowing important information about the target company or individual can greatly increase the success of the attack and the quality of information gathered. Authentic mimicry combined with detailed knowledge increases the success of elicitation attacks."}},{"_key":"capec_00886","_id":"capec/capec_00886","_rev":"_dVyyXDq--T","original_id":"412","datatype":"capec","name":"Pretexting via Customer Service","metadata":{"description":"","short_description":"An adversary engages in pretexting behavior, assuming the role of someone who works for Customer Service, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. One example of a scenario such as this would be to call an individual, articulate your false affiliation with a credit card company, and then attempt to get the individual to verify their credit card number."}},{"_key":"capec_00887","_id":"capec/capec_00887","_rev":"_dVyyXDq--U","original_id":"413","datatype":"capec","name":"Pretexting via Tech Support","metadata":{"description":"","short_description":"An adversary engages in pretexting behavior, assuming the role of a tech support worker, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. An adversary who uses social engineering to impersonate a tech support worker can have devastating effects on a network. This is an effective attack vector, because it can give an adversary physical access to network computers. It only takes a matter of seconds for someone to compromise a computer with physical access. One of the best technological tools at the disposal of a social engineer, posing as a technical support person, is a USB thumb drive. These are small, easy to conceal, and can be loaded with different payloads depending on what task needs to be done. However, this form of attack does not require physical access as it can also be effectively carried out via phone or email."}},{"_key":"capec_00888","_id":"capec/capec_00888","_rev":"_dVyyXDq--V","original_id":"414","datatype":"capec","name":"Pretexting via Delivery Person","metadata":{"description":"","short_description":"An adversary engages in pretexting behavior, assuming the role of a delivery person, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. Impersonating a delivery person is an effective attack and an easy attack since not much acting is involved. Usually the hardest part is looking the part and having all of the proper credentials, papers and \"deliveries\" in order to be able to pull it off."}},{"_key":"capec_00889","_id":"capec/capec_00889","_rev":"_dVyyXDq--W","original_id":"415","datatype":"capec","name":"Pretexting via Phone","metadata":{"description":"","short_description":"An adversary engages in pretexting behavior, assuming some sort of trusted role, and contacting the targeted individual or organization via phone to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. This is the most common social engineering attack. Some of the most commonly effective approaches are to impersonate a fellow employee, impersonate a computer technician or to target help desk personnel."}},{"_key":"capec_00890","_id":"capec/capec_00890","_rev":"_dVyyXDq--X","original_id":"416","datatype":"capec","name":"Manipulate Human Behavior","metadata":{"description":"","short_description":"An adversary exploits inherent human psychological predisposition to influence a targeted individual or group to solicit information or manipulate the target into performing an action that serves the adversary's interests. Many interpersonal social engineering techniques do not involve outright deception, although they can; many are subtle ways of manipulating a target to remove barriers, make the target feel comfortable, and produce an exchange in which the target is either more likely to share information directly, or let key information slip out unintentionally. A skilled adversary uses these techniques when appropriate to produce the desired outcome. Manipulation techniques vary from the overt, such as pretending to be a supervisor to a help desk, to the subtle, such as making the target feel comfortable with the adversary's speech and thought patterns."}},{"_key":"capec_00891","_id":"capec/capec_00891","_rev":"_dVyyXDq--Y","original_id":"417","datatype":"capec","name":"Influence Perception","metadata":{"description":"","short_description":"The adversary uses social engineering to exploit the target's perception of the relationship between the adversary and themselves. This goal is to persuade the target to unknowingly perform an action or divulge information that is advantageous to the adversary."}},{"_key":"capec_00892","_id":"capec/capec_00892","_rev":"_dVyyXDq--Z","original_id":"418","datatype":"capec","name":"Influence Perception of Reciprocation","metadata":{"description":"","short_description":"An adversary uses a social engineering techniques to produce a sense of obligation in the target to perform a certain action or concede some sensitive or key piece of information. Obligation has to do with actions one feels they need to take due to some sort of social, legal, or moral requirement, duty, contract, or promise. There are various techniques for fostering a sense of obligation to reciprocate or concede during ordinary modes of communication. One method is to compliment the target, and follow up the compliment with a question. If performed correctly the target may volunteer a key piece of information, sometimes involuntarily."}},{"_key":"capec_00893","_id":"capec/capec_00893","_rev":"_dVyyXDq--a","original_id":"420","datatype":"capec","name":"Influence Perception of Scarcity","metadata":{"description":"","short_description":"The adversary leverages a perception of scarcity to persuade the target to perform an action or divulge information that is advantageous to the adversary. By conveying a perception of scarcity, or a situation of limited supply, the adversary aims to create a sense of urgency in the context of a target's decision-making process."}},{"_key":"capec_00894","_id":"capec/capec_00894","_rev":"_dVyyXDq--b","original_id":"421","datatype":"capec","name":"Influence Perception of Authority","metadata":{"description":"","short_description":"An adversary uses a social engineering technique to convey a sense of authority that motivates the target to reveal specific information or take specific action. There are various techniques for producing a sense of authority during ordinary modes of communication. One common method is impersonation. By impersonating someone with a position of power within an organization, an adversary may motivate the target individual to reveal some piece of sensitive information or perform an action that benefits the adversary."}},{"_key":"capec_00895","_id":"capec/capec_00895","_rev":"_dVyyXDq--c","original_id":"422","datatype":"capec","name":"Influence Perception of Commitment and Consistency","metadata":{"description":"","short_description":"An adversary uses social engineering to convince the target to do minor tasks as opposed to larger actions. After complying with a request, individuals are more likely to agree to subsequent requests that are similar in type and required effort."}},{"_key":"capec_00896","_id":"capec/capec_00896","_rev":"_dVyyXDq--d","original_id":"423","datatype":"capec","name":"Influence Perception of Liking","metadata":{"description":"","short_description":"The adversary influences the target's actions by building a relationship where the target has a liking to the adversary. People are more likely to be influenced by people of whom they are fond, so the adversary attempts to ingratiate themself with the target via actions, appearance, or a combination thereof."}},{"_key":"capec_00897","_id":"capec/capec_00897","_rev":"_dVyyXDq--e","original_id":"424","datatype":"capec","name":"Influence Perception of Consensus or Social Proof","metadata":{"description":"","short_description":"The adversary influences the target's actions by leveraging the inherent human nature to assume behavior of others is appropriate. In situations of uncertainty, people tend to behave in ways they see others behaving. The adversary convinces the target of adopting behavior or actions that is advantageous to the adversary."}},{"_key":"capec_00898","_id":"capec/capec_00898","_rev":"_dVyyXDq--f","original_id":"425","datatype":"capec","name":"Target Influence via Framing","metadata":{"description":"","short_description":"An adversary uses framing techniques to contextualize a conversation so that the target is more likely to be influenced by the adversary's point of view. Framing is information and experiences in life that alter the way we react to decisions we must make. This type of persuasive technique exploits the way people are conditioned to perceive data and its significance, while avoiding negative or avoidance responses from the target. Rather than a specific technique framing is a methodology of conversation that slowly encourages the target to adopt to the adversary's perspective. One technique of framing is to avoid the use of the word \"No\" and to contextualize responses in a manner that is positive. When performed skillfully the target is much more likely to volunteer information or perform actions favorable to the adversary."}},{"_key":"capec_00899","_id":"capec/capec_00899","_rev":"_dVyyXDq--g","original_id":"426","datatype":"capec","name":"Influence via Incentives","metadata":{"description":"","short_description":"The adversary incites a behavior from the target by manipulating something of influence. This is commonly associated with financial, social, or ideological incentivization. Examples include monetary fraud, peer pressure, and preying on the target's morals or ethics. The most effective incentive against one target might not be as effective against another, therefore the adversary must gather information about the target's vulnerability to particular incentives."}},{"_key":"capec_00900","_id":"capec/capec_00900","_rev":"_dVyyXDq--h","original_id":"427","datatype":"capec","name":"Influence via Psychological Principles","metadata":{"description":"","short_description":"The adversary shapes the target's actions or behavior by focusing on the ways human interact and learn, leveraging such elements as cognitive and social psychology. In a variety of ways, a target can be influenced to behave or perform an action through capitalizing on what scholarship and research has learned about how and why humans react to specific scenarios and cues."}},{"_key":"capec_00901","_id":"capec/capec_00901","_rev":"_dVyyXDq--i","original_id":"428","datatype":"capec","name":"Influence via Modes of Thinking","metadata":{"description":"","short_description":"The adversary tailors their communication to the language and thought patterns of the target thereby weakening barriers or reluctance to communication. This method is a way of building rapport with a target by matching their speech patterns and the primary ways or dominant senses with which they make abstractions. This technique can be used to make the target more receptive to sharing information because the adversary has adapted their communication forms to match those of the target. When skillfully employed, the target is likely to be unaware that they are being manipulated."}},{"_key":"capec_00902","_id":"capec/capec_00902","_rev":"_dVyyXDq--j","original_id":"429","datatype":"capec","name":"Target Influence via Eye Cues","metadata":{"description":"","short_description":"The adversary gains information via non-verbal means from the target through eye movements."}},{"_key":"capec_00903","_id":"capec/capec_00903","_rev":"_dVyyXDq--k","original_id":"433","datatype":"capec","name":"Target Influence via The Human Buffer Overflow","metadata":{"description":"","short_description":"An attacker utilizes a technique to insinuate commands to the subconscious mind of the target via communication patterns. The human buffer overflow methodology does not rely on over-stimulating the mind of the target, but rather embedding messages within communication that the mind of the listener assembles at a subconscious level. The human buffer-overflow method is similar to subconscious programming to the extent that messages are embedded within the message. The fundamental difference is that embedded messages have a complete semantic quality, rather than mere imagery, and the mind of the target tends to key off of particular dominant patterns. The remaining information, carefully structured, speaks directly to the subconscious with a subtle, indirect, command. The effect is to produce a pattern of thinking that the attacker has predetermined but is buried within the message and not overtly stated. Structuring a human \"buffer overflow\" requires precise attention to detail and the use of information in a manner that distracts the conscious mind from the message the subconscious is receiving."}},{"_key":"capec_00904","_id":"capec/capec_00904","_rev":"_dVyyXDq--l","original_id":"434","datatype":"capec","name":"Target Influence via Interview and Interrogation","metadata":{"description":"","short_description":""}},{"_key":"capec_00905","_id":"capec/capec_00905","_rev":"_dVyyXDq--m","original_id":"435","datatype":"capec","name":"Target Influence via Instant Rapport","metadata":{"description":"","short_description":""}},{"_key":"capec_00906","_id":"capec/capec_00906","_rev":"_dVyyXDq--n","original_id":"438","datatype":"capec","name":"Modification During Manufacture","metadata":{"description":"","short_description":"An attacker modifies a technology, product, or component during a stage in its manufacture for the purpose of carrying out an attack against some entity involved in the supply chain lifecycle. There are an almost limitless number of ways an attacker can modify a technology when they are involved in its manufacture, as the attacker has potential inroads to the software composition, hardware design and assembly, firmware, or basic design mechanics. Additionally, manufacturing of key components is often outsourced with the final product assembled by the primary manufacturer. The greatest risk, however, is deliberate manipulation of design specifications to produce malicious hardware or devices. There are billions of transistors in a single integrated circuit and studies have shown that fewer than 10 transistors are required to create malicious functionality."}},{"_key":"capec_00907","_id":"capec/capec_00907","_rev":"_dVyyXDq--o","original_id":"439","datatype":"capec","name":"Manipulation During Distribution","metadata":{"description":"","short_description":"An attacker undermines the integrity of a product, software, or technology at some stage of the distribution channel. The core threat of modification or manipulation during distribution arise from the many stages of distribution, as a product may traverse multiple suppliers and integrators as the final asset is delivered. Components and services provided from a manufacturer to a supplier may be tampered with during integration or packaging."}},{"_key":"capec_00908","_id":"capec/capec_00908","_rev":"_dVyyXDq--p","original_id":"440","datatype":"capec","name":"Hardware Integrity Attack","metadata":{"description":"","short_description":"An adversary exploits a weakness in the system maintenance process and causes a change to be made to a technology, product, component, or sub-component or a new one installed during its deployed use at the victim location for the purpose of carrying out an attack."}},{"_key":"capec_00909","_id":"capec/capec_00909","_rev":"_dVyyXDq--q","original_id":"441","datatype":"capec","name":"Malicious Logic Insertion","metadata":{"description":"","short_description":"An adversary installs or adds malicious logic (also known as malware) into a seemingly benign component of a fielded system. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. With the proliferation of mass digital storage and inexpensive multimedia devices, Bluetooth and 802.11 support, new attack vectors for spreading malware are emerging for things we once thought of as innocuous greeting cards, picture frames, or digital projectors. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems and their components that are still under development and part of the supply chain."}},{"_key":"capec_00910","_id":"capec/capec_00910","_rev":"_dVyyXDq--r","original_id":"442","datatype":"capec","name":"Infected Software","metadata":{"description":"","short_description":"An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain."}},{"_key":"capec_00911","_id":"capec/capec_00911","_rev":"_dVyyXDq--s","original_id":"443","datatype":"capec","name":"Malicious Logic Inserted Into Product Software by Authorized Developer","metadata":{"description":"","short_description":"An adversary uses their privileged position within an authorized software development organization to inject malicious logic into a codebase or product. Supply chain attacks from approved or trusted developers are extremely difficult to detect as it is generally assumed the quality control and internal security measures of these organizations conform to best practices. In some cases the malicious logic is intentional, embedded by a disgruntled employee, programmer, or individual with an otherwise hidden agenda. In other cases, the integrity of the product is compromised by accident (e.g. by lapse in the internal security of the organization that results in a product becoming contaminated). In other cases, the developer embeds a backdoor into a product to serve some purpose, such as product support, but discovery of the backdoor results in its malicious use by adversaries."}},{"_key":"capec_00912","_id":"capec/capec_00912","_rev":"_dVyyXDq--t","original_id":"444","datatype":"capec","name":"Development Alteration","metadata":{"description":"","short_description":"An adversary modifies a technology, product, or component during its development to acheive a negative impact once the system is deployed. The goal of the adversary is to modify the system in such a way that the negative impact can be leveraged when the system is later deployed. Development alteration attacks may include attacks that insert malicious logic into the system's software, modify or replace hardware components, and other attacks which negatively impact the system during development. These attacks generally require insider access to modify source code or to tamper with hardware components. The product is then delivered to the user where the negative impact can be leveraged at a later time."}},{"_key":"capec_00913","_id":"capec/capec_00913","_rev":"_dVyyXDq--u","original_id":"445","datatype":"capec","name":"Malicious Logic Insertion into Product Software via Configuration Management Manipulation","metadata":{"description":"","short_description":"An adversary exploits a configuration management system so that malicious logic is inserted into a software products build, update or deployed environment. If an adversary can control the elements included in a product's configuration management for build they can potentially replace, modify or insert code files containing malicious logic. If an adversary can control elements of a product's ongoing operational configuration management baseline they can potentially force clients receiving updates from the system to install insecure software when receiving updates from the server. Configuration management servers operate on the basis of a client pool, instructing each client on which software to install. In some cases the configuration management server will automate the software installation process. A malicious insider or an adversary who has compromised the server can alter the software baseline that clients must install, allowing the adversary to compromise a large number of satellite machines using the configuration management system. If an adversary can control elements of a product's configuration management for its deployed environment they can potentially alter fundamental security properties of the system based on assumptions that secure configurations are in place."}},{"_key":"capec_00914","_id":"capec/capec_00914","_rev":"_dVyyXDq--v","original_id":"446","datatype":"capec","name":"Malicious Logic Insertion into Product Software via Inclusion of 3rd Party Component Dependency","metadata":{"description":"","short_description":"An adversary conducts supply chain attacks by the inclusion of insecure 3rd party components into a technology, product, or code-base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer. The result is a window of opportunity for exploiting the product or software until the insecure component is discovered. This supply chain threat can result in the installation of software that introduces widespread security vulnerabilities within an organization. One example could be the inclusion of an exploitable DLL (Dynamic Link Library) included within an antivirus technology. Because software often depends upon a large number of interdependent libraries and components to be present, security holes can be introduced merely by installing COTS software that comes pre-packaged with the components required for it to operate."}},{"_key":"capec_00915","_id":"capec/capec_00915","_rev":"_dVyyXDq--w","original_id":"447","datatype":"capec","name":"Design Alteration","metadata":{"description":"","short_description":"An adversary modifies the design of a technology, product, or component to acheive a negative impact once the system is deployed. In this type of attack, the goal of the adversary is to modify the design of the system, prior to development starting, in such a way that the negative impact can be leveraged when the system is later deployed. Design alteration attacks differ from development alteration attacks in that design alteration attacks take place prior to development and which then may or may not be developed by the adverary. Design alteration attacks include modifying system designs to degrade system performance, cause unexpected states or errors, and general design changes that may lead to additional vulnerabilities. These attacks generally require insider access to modify design documents, but they may also be spoofed via web communications. The product is then developed and delivered to the user where the negative impact can be leveraged at a later time."}},{"_key":"capec_00916","_id":"capec/capec_00916","_rev":"_dVyyXDq--x","original_id":"448","datatype":"capec","name":"Embed Virus into DLL","metadata":{"description":"","short_description":"An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop."}},{"_key":"capec_00917","_id":"capec/capec_00917","_rev":"_dVyyXDq--y","original_id":"452","datatype":"capec","name":"Infected Hardware","metadata":{"description":"","short_description":"An adversary inserts malicious logic into hardware, typically in the form of a computer virus or rootkit. This logic is often hidden from the user of the hardware and works behind the scenes to achieve negative impacts. This pattern of attack focuses on hardware already fielded and used in operation as opposed to hardware that is still under development and part of the supply chain."}},{"_key":"capec_00918","_id":"capec/capec_00918","_rev":"_dVyyXDq--z","original_id":"456","datatype":"capec","name":"Infected Memory","metadata":{"description":"","short_description":"An adversary inserts malicious logic into memory enabling them to achieve a negative impact. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems that are still under development and part of the supply chain."}},{"_key":"capec_00919","_id":"capec/capec_00919","_rev":"_dVyyXDq--0","original_id":"457","datatype":"capec","name":"USB Memory Attacks","metadata":{"description":"","short_description":"An adversary loads malicious code onto a USB memory stick in order to infect any system which the device is plugged in to. USB drives present a significant security risk for business and government agencies. Given the ability to integrate wireless functionality into a USB stick, it is possible to design malware that not only steals confidential data, but sniffs the network, or monitor keystrokes, and then exfiltrates the stolen data off-site via a Wireless connection. Also, viruses can be transmitted via the USB interface without the specific use of a memory stick. The attacks from USB devices are often of such sophistication that experts conclude they are not the work of single individuals, but suggest state sponsorship. These attacks can be performed by an adversary with direct access to a target system or can be executed via means such as USB Drop Attacks."}},{"_key":"capec_00920","_id":"capec/capec_00920","_rev":"_dVyyXDq--1","original_id":"458","datatype":"capec","name":"Flash Memory Attacks","metadata":{"description":"","short_description":"An attacker inserts malicious logic into a product or technology via flashing the on-board memory with a code-base that contains malicious logic. Various attacks exist against the integrity of flash memory, the most direct being rootkits coded into the BIOS or chipset of a device. Such attacks are very difficult to detect because the malicious code resides outside the filesystem or RAM, and in the underlying byte-code that drives the processor. Many devices, such as the recent attacks against digital picture frames, contain only a microprocessor and a small amount of solid-state memory, rendering these devices ideal for \"flash\" based malware or malicious logic. One of the pernicious characteristics of flash memory based attacks is that the malicious code can survive even a total format of the hard-drive and reinstallation of the host operating system. Virtually any device which can be integrated into a computer system is susceptible to these attacks. Additionally, any peripheral device which interfaces with the computer bus could extract or sniff confidential data, even on systems employing full-disk encryption. Trojan code placed into a video card's chipset would continue to perform its function irrespective of the host operating system, and would be invisible to all known antivirus. The threats extend to consumer products such as camcorders, digital cameras, or any consumer electronic device with an embedded microcontroller."}},{"_key":"capec_00921","_id":"capec/capec_00921","_rev":"_dVyyXDq--2","original_id":"459","datatype":"capec","name":"Creating a Rogue Certification Authority Certificate","metadata":{"description":"","short_description":"An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their \"to be signed\" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. Alternatively, the second certificate could be a signing certificate. Thus the adversary is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attacker's first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will the Certificate Authority set up by the adversary and any certificates that it signs. As a result, the adversary is able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec)."}},{"_key":"capec_00922","_id":"capec/capec_00922","_rev":"_dVyyXDq--3","original_id":"460","datatype":"capec","name":"HTTP Parameter Pollution (HPP)","metadata":{"description":"","short_description":"An attacker overrides or adds HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules."}},{"_key":"capec_00923","_id":"capec/capec_00923","_rev":"_dVyyXDq--4","original_id":"461","datatype":"capec","name":"Web Services API Signature Forgery Leveraging Hash Function Extension Weakness","metadata":{"description":"","short_description":"When web services require callees to authenticate, they sometimes issue a token / secret to the caller that the caller is to use to sign their web service calls. In one such scheme the caller, when constructing a request, would concatenate all of the parameters passed to the web service with the provided authentication token and then generate a hash of the concatenated string (e.g., MD5, SHA1, etc.). That hash then forms the signature that is passed to the web service which is used on the server side to verify the origin authenticity and integrity of the message. There is a practical attack against an authentication scheme of this nature that makes use of the hash function extension / padding weakness. Leveraging this weakness, an attacker, who does not know the secret token, is able to modify the parameters passed to the web service by generating their own call and still generate a legitimate signature hash (as described in the notes). Because of the iterative design of the hash function, it is possible, from only the hash of a message and its length, to compute the hash of longer messages that start with the initial message and include the padding required for the initial message to reach a multiple of 512 bits. It is important to note that the attack not limited to MD5 and will work on other hash functions such as SHA1."}},{"_key":"capec_00924","_id":"capec/capec_00924","_rev":"_dVyyXDq--5","original_id":"462","datatype":"capec","name":"Cross-Domain Search Timing","metadata":{"description":"","short_description":"An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain. For GET requests an attacker could for instance leverage the \"img\" tag in conjunction with \"onload() / onerror()\" javascript events. For the POST requests, an attacker could leverage the \"iframe\" element and leverage the \"onload()\" event. There is nothing in the current browser security model that prevents an attacker to use these methods to time responses to the attackers' cross domain requests. The timing for these responses leaks information. For instance, if a victim has an active session with their online e-mail account, an attacker could issue search requests in the victim's mailbox. While the attacker is not able to view the responses, based on the timings of the responses, the attacker could ask yes / no questions as to the content of victim's e-mails, who the victim e-mailed, when, etc. This is but one example; There are other scenarios where an attacker could infer potentially sensitive information from cross domain requests by timing the responses while asking the right questions that leak information."}},{"_key":"capec_00925","_id":"capec/capec_00925","_rev":"_dVyyXDq--6","original_id":"463","datatype":"capec","name":"Padding Oracle Crypto Attack","metadata":{"description":"","short_description":"An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key. Any cryptosystem can be vulnerable to padding oracle attacks if the encrypted messages are not authenticated to ensure their validity prior to decryption, and then the information about padding error is leaked to the adversary. This attack technique may be used, for instance, to break CAPTCHA systems or decrypt/modify state information stored in client side objects (e.g., hidden fields or cookies). This attack technique is a side-channel attack on the cryptosystem that uses a data leak from an improperly implemented decryption routine to completely subvert the cryptosystem. The one bit of information that tells the adversary whether a padding error during decryption has occurred, in whatever form it comes, is sufficient for the adversary to break the cryptosystem. That bit of information can come in a form of an explicit error message about a padding error, a returned blank page, or even the server taking longer to respond (a timing attack). This attack can be launched cross domain where an adversary is able to use cross-domain information leaks to get the bits of information from the padding oracle from a target system / service with which the victim is communicating."}},{"_key":"capec_00926","_id":"capec/capec_00926","_rev":"_dVyyXDq--7","original_id":"464","datatype":"capec","name":"Evercookie","metadata":{"description":"","short_description":"An attacker creates a very persistent cookie that stays present even after the user thinks it has been removed. The cookie is stored on the victim's machine in over ten places to include: Standard HTTP Cookies, Local Shared Objects (Flash Cookies), Silverlight Isolated Storage, Storing cookies in RGB values of auto-generated, force-cached, PNGs using HTML5 Canvas tag to read pixels (cookies) back out, Storing cookies in Web History, Storing cookies in HTTP ETags, Storing cookies in Web cache, window.name caching, Internet Explorer userData storage, HTML5 Session Storage, HTML5 Local Storage, HTML5 Global Storage, HTML5 Database Storage via SQLite, among others. When the victim clears the cookie cache via traditional means inside the browser, that operation removes the cookie from certain places but not others. The malicious code then replicates the cookie from all of the places where it was not deleted to all of the possible storage locations once again. So the victim again has the cookie in all of the original storage locations. In other words, failure to delete the cookie in even one location will result in the cookie's resurrection everywhere. The evercookie will also persist across different browsers because certain stores (e.g., Local Shared Objects) are shared between different browsers."}},{"_key":"capec_00927","_id":"capec/capec_00927","_rev":"_dVyyXDq--8","original_id":"465","datatype":"capec","name":"Transparent Proxy Abuse","metadata":{"description":"","short_description":"A transparent proxy serves as an intermediate between the client and the internet at large. It intercepts all requests originating from the client and forwards them to the correct location. The proxy also intercepts all responses to the client and forwards these to the client. All of this is done in a manner transparent to the client. Transparent proxies are often used by enterprises and ISPs. For requests originating at the client transparent proxies need to figure out the final destination of the client's data packet. Two ways are available to do that: either by looking at the layer three (network) IP address or by examining layer seven (application) HTTP header destination. A browser has same origin policy that typically prevents scripts coming from one domain initiating requests to other websites from which they did not come. To circumvent that, however, malicious Flash or an Applet that is executing in the user's browser can attempt to create a cross-domain socket connection from the client to the remote domain. The transparent proxy will examine the HTTP header of the request and direct it to the remote site thereby partially bypassing the browser's same origin policy. This can happen if the transparent proxy uses the HTTP host header information for addressing rather than the IP address information at the network layer. This attack allows malicious scripts inside the victim's browser to issue cross-domain requests to any hosts accessible to the transparent proxy."}},{"_key":"capec_00928","_id":"capec/capec_00928","_rev":"_dVyyXDq--9","original_id":"466","datatype":"capec","name":"Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy","metadata":{"description":"","short_description":"An attacker leverages an adversary in the middle attack (CAPEC-94) in order to bypass the same origin policy protection in the victim's browser. This active adversary in the middle attack could be launched, for instance, when the victim is connected to a public WIFI hot spot. An attacker is able to intercept requests and responses between the victim's browser and some non-sensitive website that does not use TLS. When an attacker intercepts a response bound to the victim, an attacker adds an iFrame (which is possibly invisible) to the response referencing some domain with sensitive functionality and forwards the response to the victim. The victim's browser than automatically initiates an unauthorized request to the site with sensitive functionality. The same origin policy would prevent making these requests to a site other than the one from which the Java Script came, but the attacker once again uses active adversary in the middle to intercept these automatic requests and redirect them to the domain / service with sensitive functionality. Any persistent cookies that the victim has in their browser would be used for these unauthorized requests. The attacker thus actively directs the victim to a site with sensitive functionality. When the site with sensitive functionality responds back to the victim's request, an active adversary in the middle attacker intercepts these responses, injects their own malicious Java Script into these responses, and forwards to the victim's browser. In the victim's browser, that Java Script executes under the restrictions of the site with sensitive functionality and can be used to continue to interact with the sensitive site. So an attacker can execute scripts within the victim's browser on any domains the attacker desires. The attacker is able to use this technique to steal cookies from the victim's browser for whatever site the attacker wants. This applies to both persistent cookies and HTTP only cookies (unlike traditional XSS attacks). An attacker is also able to use this technique to steal authentication credentials for sites that only encrypt the login form, but do not require a secure channel for the initial request to get to the page with the login form. Further the attacker is also able to steal any autocompletion information. This attack pattern can also be used to enable session fixation and cache poisoning attacks. Additional attacks can be enabled as well."}},{"_key":"capec_00929","_id":"capec/capec_00929","_rev":"_dVyyXDq-_-","original_id":"467","datatype":"capec","name":"Cross Site Identification","metadata":{"description":"","short_description":"An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the \"remember me\" feature to keep their session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing). There are many other ways in which the attacker may get the payload to execute in the victim's browser mainly by finding a way to hide it in some reputable site that the victim visits. The attacker could also send the link to the victim in an e-mail and trick the victim into clicking on the link. This attack is basically a cross site request forgery attack with two main differences. First, there is no action that is performed on behalf of the user aside from harvesting information. So standard CSRF protection may not work in this situation. Second, what is important in this attack pattern is the nature of the data being harvested, which is identifying information that can be obtained and used in context. This real time harvesting of identifying information can be used as a prelude for launching real time targeted social engineering attacks on the victim."}},{"_key":"capec_00930","_id":"capec/capec_00930","_rev":"_dVyyXDq-__","original_id":"468","datatype":"capec","name":"Generic Cross-Browser Cross-Domain Theft","metadata":{"description":"","short_description":"An attacker makes use of Cascading Style Sheets (CSS) injection to steal data cross domain from the victim's browser. The attack works by abusing the standards relating to loading of CSS: 1. Send cookies on any load of CSS (including cross-domain) 2. When parsing returned CSS ignore all data that does not make sense before a valid CSS descriptor is found by the CSS parser By having control of some text in the victim's domain, the attacker is able to inject a seemingly valid CSS string. It does not matter if this CSS string is preceded by other data. The CSS parser will still locate the CSS string. If the attacker is able to control two injection points, one before the cross domain data that the attacker is interested in receiving and the other one after, the attacker can use this attack to steal all of the data in between these two CSS injection points when referencing the injected CSS while performing rendering on the site that the attacker controls. When rendering, the CSS parser will detect the valid CSS string to parse and ignore the data that \"does not make sense\". That data will simply be rendered. That data is in fact the data that the attacker just stole cross domain. The stolen data may contain sensitive information, such CSRF protection tokens."}},{"_key":"capec_00931","_id":"capec/capec_00931","_rev":"_dVyyXDq-_A","original_id":"469","datatype":"capec","name":"HTTP DoS","metadata":{"description":"","short_description":"An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted."}},{"_key":"capec_00932","_id":"capec/capec_00932","_rev":"_dVyyXDq-_B","original_id":"470","datatype":"capec","name":"Expanding Control over the Operating System from the Database","metadata":{"description":"","short_description":"An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc."}},{"_key":"capec_00933","_id":"capec/capec_00933","_rev":"_dVyyXDq-_C","original_id":"471","datatype":"capec","name":"Search Order Hijacking","metadata":{"description":"","short_description":"An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded."}},{"_key":"capec_00934","_id":"capec/capec_00934","_rev":"_dVyyXDq-_D","original_id":"472","datatype":"capec","name":"Browser Fingerprinting","metadata":{"description":"","short_description":"An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser."}},{"_key":"capec_00935","_id":"capec/capec_00935","_rev":"_dVyyXDq-_E","original_id":"473","datatype":"capec","name":"Signature Spoof","metadata":{"description":"","short_description":"An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions."}},{"_key":"capec_00936","_id":"capec/capec_00936","_rev":"_dVyyXDq-_F","original_id":"474","datatype":"capec","name":"Signature Spoofing by Key Theft","metadata":{"description":"","short_description":"An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker."}},{"_key":"capec_00937","_id":"capec/capec_00937","_rev":"_dVyyXDq-_G","original_id":"475","datatype":"capec","name":"Signature Spoofing by Improper Validation","metadata":{"description":"","short_description":"An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key. Signature verification algorithms are generally used to determine whether a certificate or piece of code (e.g. executable, binary, etc.) possesses a valid signature and can be trusted. If the leveraged algorithm confirms that a valid signature exists, it establishes a foundation of trust that is further conveyed to the end-user when interacting with a website or application. However, if the signature verification algorithm improperly validates the signature, either by not validating the signature at all or by failing to fully validate the signature, it could result in an adversary generating a spoofed signature and being classified as a legitimate entity. Successfully exploiting such a weakness could further allow the adversary to reroute users to malicious sites, steals files, activates microphones, records keystrokes and passwords, wipes disks, installs malware, and more."}},{"_key":"capec_00938","_id":"capec/capec_00938","_rev":"_dVyyXDq-_H","original_id":"476","datatype":"capec","name":"Signature Spoofing by Misrepresentation","metadata":{"description":"","short_description":"An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions."}},{"_key":"capec_00939","_id":"capec/capec_00939","_rev":"_dVyyXDq-_I","original_id":"477","datatype":"capec","name":"Signature Spoofing by Mixing Signed and Unsigned Content","metadata":{"description":"","short_description":"An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data."}},{"_key":"capec_00940","_id":"capec/capec_00940","_rev":"_dVyyXDq-_J","original_id":"478","datatype":"capec","name":"Modification of Windows Service Configuration","metadata":{"description":"","short_description":"An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. The goal of this attack is to execute a malicious binary in place of an existing service."}},{"_key":"capec_00941","_id":"capec/capec_00941","_rev":"_dVyyXDq-_K","original_id":"479","datatype":"capec","name":"Malicious Root Certificate","metadata":{"description":"","short_description":"An adversary exploits a weakness in authorization and installs a new root certificate on a compromised system. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials."}},{"_key":"capec_00942","_id":"capec/capec_00942","_rev":"_dVyyXDq-_L","original_id":"480","datatype":"capec","name":"Escaping Virtualization","metadata":{"description":"","short_description":"An adversary gains access to an application, service, or device with the privileges of an authorized or privileged user by escaping the confines of a virtualized environment. The adversary is then able to access resources or execute unauthorized code within the host environment, generally with the privileges of the user running the virtualized process. Successfully executing an attack of this type is often the first step in executing more complex attacks."}},{"_key":"capec_00943","_id":"capec/capec_00943","_rev":"_dVyyXDq-_M","original_id":"481","datatype":"capec","name":"Contradictory Destinations in Traffic Routing Schemes","metadata":{"description":"","short_description":"Adversaries can provide contradictory destinations when sending messages. Traffic is routed in networks using the domain names in various headers available at different levels of the OSI model. In a Content Delivery Network (CDN) multiple domains might be available, and if there are contradictory domain names provided it is possible to route traffic to an inappropriate destination. The technique, called Domain Fronting, involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. An alternative technique, called Domainless Fronting, is similar, but the SNI field is left blank."}},{"_key":"capec_00944","_id":"capec/capec_00944","_rev":"_dVyyXDq-_N","original_id":"482","datatype":"capec","name":"TCP Flood","metadata":{"description":"","short_description":"An adversary may execute a flooding attack using the TCP protocol with the intent to deny legitimate users access to a service. These attacks exploit the weakness within the TCP protocol where there is some state information for the connection the server needs to maintain."}},{"_key":"capec_00945","_id":"capec/capec_00945","_rev":"_dVyyXDq-_O","original_id":"485","datatype":"capec","name":"Signature Spoofing by Key Recreation","metadata":{"description":"","short_description":"An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker."}},{"_key":"capec_00946","_id":"capec/capec_00946","_rev":"_dVyyXDq-_P","original_id":"486","datatype":"capec","name":"UDP Flood","metadata":{"description":"","short_description":"An adversary may execute a flooding attack using the UDP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. Additionally, firewalls often open a port for each UDP connection destined for a service with an open UDP port, meaning the firewalls in essence save the connection state thus the high packet nature of a UDP flood can also overwhelm resources allocated to the firewall. UDP attacks can also target services like DNS or VoIP which utilize these protocols. Additionally, due to the session-less nature of the UDP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack."}},{"_key":"capec_00947","_id":"capec/capec_00947","_rev":"_dVyyXDq-_Q","original_id":"487","datatype":"capec","name":"ICMP Flood","metadata":{"description":"","short_description":"An adversary may execute a flooding attack using the ICMP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. A typical attack involves a victim server receiving ICMP packets at a high rate from a wide range of source addresses. Additionally, due to the session-less nature of the ICMP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack."}},{"_key":"capec_00948","_id":"capec/capec_00948","_rev":"_dVyyXDu---","original_id":"488","datatype":"capec","name":"HTTP Flood","metadata":{"description":"","short_description":"An adversary may execute a flooding attack using the HTTP protocol with the intent to deny legitimate users access to a service by consuming resources at the application layer such as web services and their infrastructure. These attacks use legitimate session-based HTTP GET requests designed to consume large amounts of a server's resources. Since these are legitimate sessions this attack is very difficult to detect."}},{"_key":"capec_00949","_id":"capec/capec_00949","_rev":"_dVyyXDu--_","original_id":"489","datatype":"capec","name":"SSL Flood","metadata":{"description":"","short_description":"An adversary may execute a flooding attack using the SSL protocol with the intent to deny legitimate users access to a service by consuming all the available resources on the server side. These attacks take advantage of the asymmetric relationship between the processing power used by the client and the processing power used by the server to create a secure connection. In this manner the attacker can make a large number of HTTPS requests on a low provisioned machine to tie up a disproportionately large number of resources on the server. The clients then continue to keep renegotiating the SSL connection. When multiplied by a large number of attacking machines, this attack can result in a crash or loss of service to legitimate users."}},{"_key":"capec_00950","_id":"capec/capec_00950","_rev":"_dVyyXDu--A","original_id":"490","datatype":"capec","name":"Amplification","metadata":{"description":"","short_description":"An adversary may execute an amplification where the size of a response is far greater than that of the request that generates it. The goal of this attack is to use a relatively few resources to create a large amount of traffic against a target server. To execute this attack, an adversary send a request to a 3rd party service, spoofing the source address to be that of the target server. The larger response that is generated by the 3rd party service is then sent to the target server. By sending a large number of initial requests, the adversary can generate a tremendous amount of traffic directed at the target. The greater the discrepancy in size between the initial request and the final payload delivered to the target increased the effectiveness of this attack."}},{"_key":"capec_00951","_id":"capec/capec_00951","_rev":"_dVyyXDu--B","original_id":"491","datatype":"capec","name":"Quadratic Data Expansion","metadata":{"description":"","short_description":"An adversary exploits macro-like substitution to cause a denial of service situation due to excessive memory being allocated to fully expand the data. The result of this denial of service could cause the application to freeze or crash. This involves defining a very large entity and using it multiple times in a single entity substitution. CAPEC-197 is a similar attack pattern, but it is easier to discover and defend against. This attack pattern does not perform multi-level substitution and therefore does not obviously appear to consume extensive resources."}},{"_key":"capec_00952","_id":"capec/capec_00952","_rev":"_dVyyXDu--C","original_id":"492","datatype":"capec","name":"Regular Expression Exponential Blowup","metadata":{"description":"","short_description":"An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions. The algorithm builds a finite state machine and based on the input transitions through all the states until the end of the input is reached. NFA engines may evaluate each character in the input string multiple times during the backtracking. The algorithm tries each path through the NFA one by one until a match is found; the malicious input is crafted so every path is tried which results in a failure. Exploitation of the Regex results in programs hanging or taking a very long time to complete. These attacks may target various layers of the Internet due to regular expressions being used in validation."}},{"_key":"capec_00953","_id":"capec/capec_00953","_rev":"_dVyyXDu--D","original_id":"493","datatype":"capec","name":"SOAP Array Blowup","metadata":{"description":"","short_description":"An adversary may execute an attack on a web service that uses SOAP messages in communication. By sending a very large SOAP array declaration to the web service, the attacker forces the web service to allocate space for the array elements before they are parsed by the XML parser. The attacker message is typically small in size containing a large array declaration of say 1,000,000 elements and a couple of array elements. This attack targets exhaustion of the memory resources of the web service."}},{"_key":"capec_00954","_id":"capec/capec_00954","_rev":"_dVyyXDu--E","original_id":"494","datatype":"capec","name":"TCP Fragmentation","metadata":{"description":"","short_description":"An attacker may execute a TCP Fragmentation attack against a target with the intention of avoiding filtering rules. IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. The attacker attempts to fragment the TCP packet such that the headers flag field is pushed into the second fragment which typically is not filtered. This behavior defeats some IPS and firewall filters who typically check the FLAGS in the header of the first packet since dropping this packet prevents the following fragments from being processed and assembled. Another variation is overlapping fragments thus that an innocuous first segment passes the filter and the second segment overwrites the TCP header data with the true payload which is malicious in nature. The malicious payload manipulated properly may lead to a DoS due to resource consumption or kernel crash. Additionally the fragmentation could be used in conjunction with sending fragments at a rate slightly slower than the timeout to cause a DoS condition by forcing resources that assemble the packet to wait an inordinate amount of time to complete the task. The fragmentation identification numbers could also be duplicated very easily as there are only 16 bits in IPv4 so only 65536 packets are needed."}},{"_key":"capec_00955","_id":"capec/capec_00955","_rev":"_dVyyXDu--F","original_id":"495","datatype":"capec","name":"UDP Fragmentation","metadata":{"description":"","short_description":"An attacker may execute a UDP Fragmentation attack against a target server in an attempt to consume resources such as bandwidth and CPU. IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. Typically the attacker will use large UDP packets over 1500 bytes of data which forces fragmentation as ethernet MTU is 1500 bytes. This attack is a variation on a typical UDP flood but it enables more network bandwidth to be consumed with fewer packets. Additionally it has the potential to consume server CPU resources and fill memory buffers associated with the processing and reassembling of fragmented packets."}},{"_key":"capec_00956","_id":"capec/capec_00956","_rev":"_dVyyXDu--G","original_id":"496","datatype":"capec","name":"ICMP Fragmentation","metadata":{"description":"","short_description":"An attacker may execute a ICMP Fragmentation attack against a target with the intention of consuming resources or causing a crash. The attacker crafts a large number of identical fragmented IP packets containing a portion of a fragmented ICMP message. The attacker these sends these messages to a target host which causes the host to become non-responsive. Another vector may be sending a fragmented ICMP message to a target host with incorrect sizes in the header which causes the host to hang."}},{"_key":"capec_00957","_id":"capec/capec_00957","_rev":"_dVyyXDu--H","original_id":"497","datatype":"capec","name":"File Discovery","metadata":{"description":"","short_description":"An adversary engages in probing and exploration activities to determine if common key files exists. Such files often contain configuration and security parameters of the targeted application, system or network. Using this knowledge may often pave the way for more damaging attacks."}},{"_key":"capec_00958","_id":"capec/capec_00958","_rev":"_dVyyXDu--I","original_id":"498","datatype":"capec","name":"Probe iOS Screenshots","metadata":{"description":"","short_description":"An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. These images are used by iOS to aid in the visual transition between open applications and improve the user's experience with a device. An application can be at risk even if it properly protects sensitive information when at rest. If the application displays sensitive information on the screen, then the potential exists for iOS to unintentionally record that information in an image file. An adversary can retrieve these images either by gaining access to the image files, or by physically obtaining the device and leveraging the multitasking switcher interface."}},{"_key":"capec_00959","_id":"capec/capec_00959","_rev":"_dVyyXDu--J","original_id":"499","datatype":"capec","name":"Android Intent Intercept","metadata":{"description":"","short_description":"An adversary, through a previously installed malicious application, intercepts messages from a trusted Android-based application in an attempt to achieve a variety of different objectives including denial of service, information disclosure, and data injection. An implicit intent sent from a trusted application can be received by any application that has declared an appropriate intent filter. If the intent is not protected by a permission that the malicious application lacks, then the attacker can gain access to the data contained within the intent. Further, the intent can be either blocked from reaching the intended destination, or modified and potentially forwarded along."}},{"_key":"capec_00960","_id":"capec/capec_00960","_rev":"_dVyyXDu--K","original_id":"500","datatype":"capec","name":"WebView Injection","metadata":{"description":"","short_description":"An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page."}},{"_key":"capec_00961","_id":"capec/capec_00961","_rev":"_dVyyXDu--L","original_id":"501","datatype":"capec","name":"Android Activity Hijack","metadata":{"description":"","short_description":"An adversary intercepts an implicit intent sent to launch a Android-based trusted activity and instead launches a counterfeit activity in its place. The malicious activity is then used to mimic the trusted activity's user interface and prompt the target to enter sensitive data as if they were interacting with the trusted activity."}},{"_key":"capec_00962","_id":"capec/capec_00962","_rev":"_dVyyXDu--M","original_id":"502","datatype":"capec","name":"Intent Spoof","metadata":{"description":"","short_description":"An adversary, through a previously installed malicious application, issues an intent directed toward a specific trusted application's component in an attempt to achieve a variety of different objectives including modification of data, information disclosure, and data injection. Components that have been unintentionally exported and made public are subject to this type of an attack. If the component trusts the intent's action without verififcation, then the target application performs the functionality at the adversary's request, helping the adversary achieve the desired negative technical impact."}},{"_key":"capec_00963","_id":"capec/capec_00963","_rev":"_dVyyXDu--N","original_id":"503","datatype":"capec","name":"WebView Exposure","metadata":{"description":"","short_description":"An adversary, through a malicious web page, accesses application specific functionality by leveraging interfaces registered through WebView's addJavascriptInterface API. Once an interface is registered to WebView through addJavascriptInterface, it becomes global and all pages loaded in the WebView can call this interface."}},{"_key":"capec_00964","_id":"capec/capec_00964","_rev":"_dVyyXDu--O","original_id":"504","datatype":"capec","name":"Task Impersonation","metadata":{"description":"","short_description":"An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges. When impersonating an expected task, the adversary monitors the task list maintained by the operating system and waits for a specific legitimate task to become active. Once the task is detected, the malicious application launches a new task in the foreground that mimics the user interface of the legitimate task. At this point, the user thinks that they are interacting with the legitimate task that they started, but instead they are interacting with the malicious application. Once the adversary's goal is reached, the malicious application can exit, leaving the original trusted application visible and the appearance that nothing out of the ordinary has occurred. A second approach entails the adversary impersonating an unexpected task, but one that may often be spawned by legitimate background processes. For example, an adversary may randomly impersonate a system credential prompt, implying that a background process requires authentication for some purpose. The user, believing they are interacting with a legitimate task, enters their credentials or authorizes the use of their stored credentials, which the adversary then leverages for nefarious purposes. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user, but may also be used to ride the user's privileges."}},{"_key":"capec_00965","_id":"capec/capec_00965","_rev":"_dVyyXDu--P","original_id":"505","datatype":"capec","name":"Scheme Squatting","metadata":{"description":"","short_description":"An adversary, through a previously installed malicious application, registers for a URL scheme intended for a target application that has not been installed. Thereafter, messages intended for the target application are handled by the malicious application. Upon receiving a message, the malicious application displays a screen that mimics the target application, thereby convincing the user to enter sensitive information. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user as they think that they are interacting with the intended target application."}},{"_key":"capec_00966","_id":"capec/capec_00966","_rev":"_dVyyXDu--Q","original_id":"506","datatype":"capec","name":"Tapjacking","metadata":{"description":"","short_description":"An adversary, through a previously installed malicious application, displays an interface that misleads the user and convinces them to tap on an attacker desired location on the screen. This is often accomplished by overlaying one screen on top of another while giving the appearance of a single interface. There are two main techniques used to accomplish this. The first is to leverage transparent properties that allow taps on the screen to pass through the visible application to an application running in the background. The second is to strategically place a small object (e.g., a button or text field) on top of the visible screen and make it appear to be a part of the underlying application. In both cases, the user is convinced to tap on the screen but does not realize the application that they are interacting with."}},{"_key":"capec_00967","_id":"capec/capec_00967","_rev":"_dVyyXDu--R","original_id":"507","datatype":"capec","name":"Physical Theft","metadata":{"description":"","short_description":"An adversary gains physical access to a system or device through theft of the item. Possession of a system or device enables a number of unique attacks to be executed and often provides the adversary with an extended timeframe for which to perform an attack. Most protections put in place to secure sensitive information can be defeated when an adversary has physical access and enough time."}},{"_key":"capec_00968","_id":"capec/capec_00968","_rev":"_dVyyXDu--S","original_id":"508","datatype":"capec","name":"Shoulder Surfing","metadata":{"description":"","short_description":"In a shoulder surfing attack, an adversary observes an unaware individual's keystrokes, screen content, or conversations with the goal of obtaining sensitive information. One motive for this attack is to obtain sensitive information about the target for financial, personal, political, or other gains. From an insider threat perspective, an additional motive could be to obtain system/application credentials or cryptographic keys. Shoulder surfing attacks are accomplished by observing the content \"over the victim's shoulder\", as implied by the name of this attack."}},{"_key":"capec_00969","_id":"capec/capec_00969","_rev":"_dVyyXDu--T","original_id":"509","datatype":"capec","name":"Kerberoasting","metadata":{"description":"","short_description":"Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials."}},{"_key":"capec_00970","_id":"capec/capec_00970","_rev":"_dVyyXDu--U","original_id":"510","datatype":"capec","name":"SaaS User Request Forgery","metadata":{"description":"","short_description":"An adversary, through a previously installed malicious application, performs malicious actions against a third-party Software as a Service (SaaS) application (also known as a cloud based application) by leveraging the persistent and implicit trust placed on a trusted user's session. This attack is executed after a trusted user is authenticated into a cloud service, \"piggy-backing\" on the authenticated session, and exploiting the fact that the cloud service believes it is only interacting with the trusted user. If successful, the actions embedded in the malicious application will be processed and accepted by the targeted SaaS application and executed at the trusted user's privilege level."}},{"_key":"capec_00971","_id":"capec/capec_00971","_rev":"_dVyyXDu--V","original_id":"511","datatype":"capec","name":"Infiltration of Software Development Environment","metadata":{"description":"","short_description":"An attacker uses common delivery mechanisms such as email attachments or removable media to infiltrate the IDE (Integrated Development Environment) of a victim manufacturer with the intent of implanting malware allowing for attack control of the victim IDE environment. The attack then uses this access to exfiltrate sensitive data or information, manipulate said data or information, and conceal these actions. This will allow and aid the attack to meet the goal of future compromise of a recipient of the victim's manufactured product further down in the supply chain."}},{"_key":"capec_00972","_id":"capec/capec_00972","_rev":"_dVyyXDu--W","original_id":"516","datatype":"capec","name":"Hardware Component Substitution During Baselining","metadata":{"description":"","short_description":"An attacker with access to system components during allocated baseline development can substitute a maliciously altered hardware component for a baseline component in the during the product development and research phase. This can lead to adjustments and calibrations being made in the product, so that when the final product with the proper components is deployed, it will not perform as designed and be advantageous to the attacker."}},{"_key":"capec_00973","_id":"capec/capec_00973","_rev":"_dVyyXDu--X","original_id":"517","datatype":"capec","name":"Documentation Alteration to Circumvent Dial-down","metadata":{"description":"","short_description":"An attacker with access to a manufacturer's documentation, which include descriptions of advanced technology and/or specific components' criticality, alters the documents to circumvent dial-down functionality requirements. This alteration would change the interpretation of implementation and manufacturing techniques, allowing for advanced technologies to remain in place even though these technologies might be restricted to certain customers, such as nations on the terrorist watch list, giving the attacker on the receiving end of a shipped product access to an advanced technology that might otherwise be restricted."}},{"_key":"capec_00974","_id":"capec/capec_00974","_rev":"_dVyyXDu--Y","original_id":"518","datatype":"capec","name":"Documentation Alteration to Produce Under-performing Systems","metadata":{"description":"","short_description":"An attacker with access to a manufacturer's documentation alters the descriptions of system capabilities with the intent of causing errors in derived system requirements, impacting the overall effectiveness and capability of the system, allowing an attacker to take advantage of the introduced system capability flaw once the system is deployed."}},{"_key":"capec_00975","_id":"capec/capec_00975","_rev":"_dVyyXDu--Z","original_id":"519","datatype":"capec","name":"Documentation Alteration to Cause Errors in System Design","metadata":{"description":"","short_description":"An attacker with access to a manufacturer's documentation containing requirements allocation and software design processes maliciously alters the documentation in order to cause errors in system design. This allows the attacker to take advantage of a weakness in a deployed system of the manufacturer for malicious purposes."}},{"_key":"capec_00976","_id":"capec/capec_00976","_rev":"_dVyyXDu--a","original_id":"520","datatype":"capec","name":"Counterfeit Hardware Component Inserted During Product Assembly","metadata":{"description":"","short_description":"An attacker with either direct access to the product assembly process or to the supply of subcomponents used in the product assembly process introduces counterfeit hardware components into product assembly. The assembly containing the counterfeit components results in a system specifically designed for malicious purposes."}},{"_key":"capec_00977","_id":"capec/capec_00977","_rev":"_dVyyXDu--b","original_id":"521","datatype":"capec","name":"Hardware Design Specifications Are Altered","metadata":{"description":"","short_description":"An attacker with access to a manufacturer's hardware manufacturing process documentation alters the design specifications, which introduces flaws advantageous to the attacker once the system is deployed."}},{"_key":"capec_00978","_id":"capec/capec_00978","_rev":"_dVyyXDu--c","original_id":"522","datatype":"capec","name":"Malicious Hardware Component Replacement","metadata":{"description":"","short_description":"An attacker replaces legitimate hardware in the system with faulty counterfeit or tampered hardware in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed."}},{"_key":"capec_00979","_id":"capec/capec_00979","_rev":"_dVyyXDu--d","original_id":"523","datatype":"capec","name":"Malicious Software Implanted","metadata":{"description":"","short_description":"An attacker implants malicious software into the system in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed."}},{"_key":"capec_00980","_id":"capec/capec_00980","_rev":"_dVyyXDu--e","original_id":"524","datatype":"capec","name":"Rogue Integration Procedures","metadata":{"description":"","short_description":"An attacker alters or establishes rogue processes in an integration facility in order to insert maliciously altered components into the system. The attacker would then supply the malicious components. This would allow for malicious disruption or additional compromise when the system is deployed."}},{"_key":"capec_00981","_id":"capec/capec_00981","_rev":"_dVyyXDu--f","original_id":"528","datatype":"capec","name":"XML Flood","metadata":{"description":"","short_description":"An adversary may execute a flooding attack using XML messages with the intent to deny legitimate users access to a web service. These attacks are accomplished by sending a large number of XML based requests and letting the service attempt to parse each one. In many cases this type of an attack will result in a XML Denial of Service (XDoS) due to an application becoming unstable, freezing, or crashing. XDoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends."}},{"_key":"capec_00982","_id":"capec/capec_00982","_rev":"_dVyyXDu--g","original_id":"529","datatype":"capec","name":"Malware-Directed Internal Reconnaissance","metadata":{"description":"","short_description":"Adversary uses malware or a similarly controlled application installed inside an organizational perimeter to gather information about the composition, configuration, and security mechanisms of a targeted application, system or network."}},{"_key":"capec_00983","_id":"capec/capec_00983","_rev":"_dVyyXDu--h","original_id":"530","datatype":"capec","name":"Provide Counterfeit Component","metadata":{"description":"","short_description":"An attacker provides a counterfeit component during the procurement process of a lower-tier component supplier to a sub-system developer or integrator, which is then built into the system being upgraded or repaired by the victim, allowing the attacker to cause disruption or additional compromise."}},{"_key":"capec_00984","_id":"capec/capec_00984","_rev":"_dVyyXDu--i","original_id":"531","datatype":"capec","name":"Hardware Component Substitution","metadata":{"description":"","short_description":"An attacker substitutes out a tested and approved hardware component for a maliciously-altered hardware component. This type of attack is carried out directly on the system, enabling the attacker to then cause disruption or additional compromise."}},{"_key":"capec_00985","_id":"capec/capec_00985","_rev":"_dVyyXDu--j","original_id":"532","datatype":"capec","name":"Altered Installed BIOS","metadata":{"description":"","short_description":"An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation."}},{"_key":"capec_00986","_id":"capec/capec_00986","_rev":"_dVyyXDu--k","original_id":"533","datatype":"capec","name":"Malicious Manual Software Update","metadata":{"description":"","short_description":"An attacker introduces malicious code to the victim's system by altering the payload of a software update, allowing for additional compromise or site disruption at the victim location. These manual, or user-assisted attacks, vary from requiring the user to download and run an executable, to as streamlined as tricking the user to click a URL. Attacks which aim at penetrating a specific network infrastructure often rely upon secondary attack methods to achieve the desired impact. Spamming, for example, is a common method employed as an secondary attack vector. Thus the attacker has in their arsenal a choice of initial attack vectors ranging from traditional SMTP/POP/IMAP spamming and its varieties, to web-application mechanisms which commonly implement both chat and rich HTML messaging within the user interface."}},{"_key":"capec_00987","_id":"capec/capec_00987","_rev":"_dVyyXDu--l","original_id":"534","datatype":"capec","name":"Malicious Hardware Update","metadata":{"description":"","short_description":"An adversary introduces malicious hardware during an update or replacement procedure, allowing for additional compromise or site disruption at the victim location. After deployment, it is not uncommon for upgrades and replacements to occur involving hardware and various replaceable parts. These upgrades and replacements are intended to correct defects, provide additional features, and to replace broken or worn-out parts. However, by forcing or tricking the replacement of a good component with a defective or corrupted component, an adversary can leverage known defects to obtain a desired malicious impact."}},{"_key":"capec_00988","_id":"capec/capec_00988","_rev":"_dVyyXDu--m","original_id":"535","datatype":"capec","name":"Malicious Gray Market Hardware","metadata":{"description":"","short_description":"An attacker maliciously alters hardware components that will be sold on the gray market, allowing for victim disruption and compromise when the victim needs replacement hardware components for systems where the parts are no longer in regular supply from original suppliers, or where the hardware components from the attacker seems to be a great benefit from a cost perspective."}},{"_key":"capec_00989","_id":"capec/capec_00989","_rev":"_dVyyXDu--n","original_id":"536","datatype":"capec","name":"Data Injected During Configuration","metadata":{"description":"","short_description":"An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the adversary."}},{"_key":"capec_00990","_id":"capec/capec_00990","_rev":"_dVyyXDu--o","original_id":"537","datatype":"capec","name":"Infiltration of Hardware Development Environment","metadata":{"description":"","short_description":"An attacker, leveraging the ability to manipulate components of primary support systems and tools within the development and production environments, inserts malicious software within the hardware and/or firmware development environment. The infiltration purpose is to alter developed hardware components in a system destined for deployment at the victim's organization, for the purpose of disruption or further compromise."}},{"_key":"capec_00991","_id":"capec/capec_00991","_rev":"_dVyyXDu--p","original_id":"538","datatype":"capec","name":"Open-Source Library Manipulation","metadata":{"description":"","short_description":"Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems."}},{"_key":"capec_00992","_id":"capec/capec_00992","_rev":"_dVyyXDu--q","original_id":"539","datatype":"capec","name":"ASIC With Malicious Functionality","metadata":{"description":"","short_description":"An attacker with access to the development environment process of an application-specific integrated circuit (ASIC) for a victim system being developed or maintained after initial deployment can insert malicious functionality into the system for the purpose of disruption or further compromise."}},{"_key":"capec_00993","_id":"capec/capec_00993","_rev":"_dVyyXDu--r","original_id":"540","datatype":"capec","name":"Overread Buffers","metadata":{"description":"","short_description":"An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution."}},{"_key":"capec_00994","_id":"capec/capec_00994","_rev":"_dVyyXDu--s","original_id":"541","datatype":"capec","name":"Application Fingerprinting","metadata":{"description":"","short_description":"An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target."}},{"_key":"capec_00995","_id":"capec/capec_00995","_rev":"_dVyyXDu--t","original_id":"542","datatype":"capec","name":"Targeted Malware","metadata":{"description":"","short_description":"An adversary develops targeted malware that takes advantage of a known vulnerability in an organizational information technology environment. The malware crafted for these attacks is based specifically on information gathered about the technology environment. Successfully executing the malware enables an adversary to achieve a wide variety of negative technical impacts."}},{"_key":"capec_00996","_id":"capec/capec_00996","_rev":"_dVyyXDu--u","original_id":"543","datatype":"capec","name":"Counterfeit Websites","metadata":{"description":"","short_description":"Adversary creates duplicates of legitimate websites. When users visit a counterfeit site, the site can gather information or upload malware."}},{"_key":"capec_00997","_id":"capec/capec_00997","_rev":"_dVyyXDu--v","original_id":"544","datatype":"capec","name":"Counterfeit Organizations","metadata":{"description":"","short_description":"An adversary creates a false front organizations with the appearance of a legitimate supplier in the critical life cycle path that then injects corrupted/malicious information system components into the organizational supply chain."}},{"_key":"capec_00998","_id":"capec/capec_00998","_rev":"_dVyyXDu--w","original_id":"545","datatype":"capec","name":"Pull Data from System Resources","metadata":{"description":"","short_description":"An adversary who is authorized or has the ability to search known system resources, does so with the intention of gathering useful information. System resources include files, memory, and other aspects of the target system. In this pattern of attack, the adversary does not necessarily know what they are going to find when they start pulling data. This is different than CAPEC-150 where the adversary knows what they are looking for due to the common location."}},{"_key":"capec_00999","_id":"capec/capec_00999","_rev":"_dVyyXDu--x","original_id":"546","datatype":"capec","name":"Incomplete Data Deletion in a Multi-Tenant Environment","metadata":{"description":"","short_description":"An adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment. If a cloud provider fails to completely delete storage and data from former cloud tenants' systems/resources, once these resources are allocated to new, potentially malicious tenants, the latter can probe the provided resources for sensitive information still there."}},{"_key":"capec_01000","_id":"capec/capec_01000","_rev":"_dVyyXDu--y","original_id":"547","datatype":"capec","name":"Physical Destruction of Device or Component","metadata":{"description":"","short_description":"An adversary conducts a physical attack a device or component, destroying it such that it no longer functions as intended."}},{"_key":"capec_01001","_id":"capec/capec_01001","_rev":"_dVyyXDu--z","original_id":"548","datatype":"capec","name":"Contaminate Resource","metadata":{"description":"","short_description":"An adversary contaminates organizational information systems (including devices and networks) by causing them to handle information of a classification/sensitivity for which they have not been authorized. The information is exposed to individuals who are not authorized access to such information, and the information system, device, or network is unavailable while the spill is investigated and mitigated."}},{"_key":"capec_01002","_id":"capec/capec_01002","_rev":"_dVyyXDu--0","original_id":"549","datatype":"capec","name":"Local Execution of Code","metadata":{"description":"","short_description":"An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootkits, ransomware, spyware, adware, and others."}},{"_key":"capec_01003","_id":"capec/capec_01003","_rev":"_dVyyXDu--1","original_id":"550","datatype":"capec","name":"Install New Service","metadata":{"description":"","short_description":"When an operating system starts, it also starts programs called services or daemons. Adversaries may install a new service which will be executed at startup (on a Windows system, by modifying the registry). The service name may be disguised by using a name from a related operating system or benign software. Services are usually run with elevated privileges."}},{"_key":"capec_01004","_id":"capec/capec_01004","_rev":"_dVyyXDu--2","original_id":"551","datatype":"capec","name":"Modify Existing Service","metadata":{"description":"","short_description":"When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used."}},{"_key":"capec_01005","_id":"capec/capec_01005","_rev":"_dVyyXDu--3","original_id":"552","datatype":"capec","name":"Install Rootkit ","metadata":{"description":"","short_description":"An adversary exploits a weakness in authentication to install malware that alters the functionality and information provide by targeted operating system API calls. Often referred to as rootkits, it is often used to hide the presence of programs, files, network connections, services, drivers, and other system components."}},{"_key":"capec_01006","_id":"capec/capec_01006","_rev":"_dVyyXDu--4","original_id":"554","datatype":"capec","name":"Functionality Bypass","metadata":{"description":"","short_description":"An adversary attacks a system by bypassing some or all functionality intended to protect it. Often, a system user will think that protection is in place, but the functionality behind those protections has been disabled by the adversary."}},{"_key":"capec_01007","_id":"capec/capec_01007","_rev":"_dVyyXDu--5","original_id":"555","datatype":"capec","name":"Remote Services with Stolen Credentials","metadata":{"description":"","short_description":"This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed."}},{"_key":"capec_01008","_id":"capec/capec_01008","_rev":"_dVyyXDu--6","original_id":"556","datatype":"capec","name":"Replace File Extension Handlers","metadata":{"description":"","short_description":"When a file is opened, its file handler is checked to determine which program opens the file. File handlers are configuration properties of many operating systems. Applications can modify the file handler for a given file extension to call an arbitrary program when a file with the given extension is opened."}},{"_key":"capec_01009","_id":"capec/capec_01009","_rev":"_dVyyXDu--7","original_id":"558","datatype":"capec","name":"Replace Trusted Executable","metadata":{"description":"","short_description":"An adversary exploits weaknesses in privilege management or access control to replace a trusted executable with a malicious version and enable the execution of malware when that trusted executable is called."}},{"_key":"capec_01010","_id":"capec/capec_01010","_rev":"_dVyyXDu--8","original_id":"559","datatype":"capec","name":"Orbital Jamming","metadata":{"description":"","short_description":"In this attack pattern, the adversary sends disruptive signals at a target satellite using a rogue uplink station to disrupt the intended transmission. Those within the satellite's footprint are prevented from reaching the satellite's targeted or neighboring channels. The satellite's footprint size depends upon its position in the sky; higher orbital satellites cover multiple continents."}},{"_key":"capec_01011","_id":"capec/capec_01011","_rev":"_dVyyXDu--9","original_id":"560","datatype":"capec","name":"Use of Known Domain Credentials","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_01012","_id":"capec/capec_01012","_rev":"_dVyyXDu-_-","original_id":"561","datatype":"capec","name":"Windows Admin Shares with Stolen Credentials","metadata":{"description":"","short_description":"An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain. Windows systems within the Windows NT family contain hidden network shares that are only accessible to system administrators. These shares allow administrators to remotely access all disk volumes on a network-connected system and further allow for files to be copied, written, and executed, along with other administrative actions. Example network shares include: C$, ADMIN$ and IPC$. If an adversary is able to obtain legitimate Windows credentials, the hidden shares can be accessed remotely, via server message block (SMB) or the Net utility, to transfer files and execute code. It is also possible for adversaries to utilize NTLM hashes to access administrator shares on systems with certain configuration and patch levels."}},{"_key":"capec_01013","_id":"capec/capec_01013","_rev":"_dVyyXDu-__","original_id":"562","datatype":"capec","name":"Modify Shared File","metadata":{"description":"","short_description":"An adversary manipulates the files in a shared location by adding malicious programs, scripts, or exploit code to valid content. Once a user opens the shared content, the tainted content is executed."}},{"_key":"capec_01014","_id":"capec/capec_01014","_rev":"_dVyyXDu-_A","original_id":"563","datatype":"capec","name":"Add Malicious File to Shared Webroot","metadata":{"description":"","short_description":"An adversaries may add malicious content to a website through the open file share and then browse to that content with a web browser to cause the server to execute the content. The malicious content will typically run under the context and permissions of the web server process, often resulting in local system or administrative privileges depending on how the web server is configured."}},{"_key":"capec_01015","_id":"capec/capec_01015","_rev":"_dVyyXDu-_B","original_id":"564","datatype":"capec","name":"Run Software at Logon","metadata":{"description":"","short_description":"Operating system allows logon scripts to be run whenever a specific user or users logon to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users logon to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary."}},{"_key":"capec_01016","_id":"capec/capec_01016","_rev":"_dVyyXDu-_C","original_id":"565","datatype":"capec","name":"Password Spraying","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_01017","_id":"capec/capec_01017","_rev":"_dVyyXDu-_D","original_id":"568","datatype":"capec","name":"Capture Credentials via Keylogger","metadata":{"description":"","short_description":"An adversary deploys a keylogger in an effort to obtain credentials directly from a system's user. After capturing all the keystrokes made by a user, the adversary can analyze the data and determine which string are likely to be passwords or other credential related information."}},{"_key":"capec_01018","_id":"capec/capec_01018","_rev":"_dVyyXDu-_E","original_id":"569","datatype":"capec","name":"Collect Data as Provided by Users","metadata":{"description":"","short_description":"An attacker leverages a tool, device, or program to obtain specific information as provided by a user of the target system. This information is often needed by the attacker to launch a follow-on attack. This attack is different than Social Engineering as the adversary is not tricking or deceiving the user. Instead the adversary is putting a mechanism in place that captures the information that a user legitimately enters into a system. Deploying a keylogger, performing a UAC prompt, or wrapping the Windows default credential provider are all examples of such interactions."}},{"_key":"capec_01019","_id":"capec/capec_01019","_rev":"_dVyyXDu-_F","original_id":"571","datatype":"capec","name":"Block Logging to Central Repository","metadata":{"description":"","short_description":"An adversary may attempt to block indicators from leaving the host machine. In the case of network based reporting of indicators, an adversary may block traffic associated with reporting to prevent central station analysis. This may be accomplished by many means such as stopping a local process to creating a host-based firewall rule to block traffic to a specific server."}},{"_key":"capec_01020","_id":"capec/capec_01020","_rev":"_dVyyXDu-_G","original_id":"572","datatype":"capec","name":"Artificially Inflate File Sizes","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_01021","_id":"capec/capec_01021","_rev":"_dVyyXDu-_H","original_id":"573","datatype":"capec","name":"Process Footprinting","metadata":{"description":"","short_description":"An adversary exploits functionality meant to identify information about the currently running processes on the target system to an authorized user. By knowing what processes are running on the target system, the adversary can learn about the target environment as a means towards further malicious behavior."}},{"_key":"capec_01022","_id":"capec/capec_01022","_rev":"_dVyyXDu-_I","original_id":"574","datatype":"capec","name":"Services Footprinting","metadata":{"description":"","short_description":"An adversary exploits functionality meant to identify information about the services on the target system to an authorized user. By knowing what services are registered on the target system, the adversary can learn about the target environment as a means towards further malicious behavior. Depending on the operating system, commands that can obtain services information include \"sc\" and \"tasklist/svc\" using Tasklist, and \"net start\" using Net."}},{"_key":"capec_01023","_id":"capec/capec_01023","_rev":"_dVyyXDu-_J","original_id":"575","datatype":"capec","name":"Account Footprinting","metadata":{"description":"","short_description":"An adversary exploits functionality meant to identify information about the domain accounts and their permissions on the target system to an authorized user. By knowing what accounts are registered on the target system, the adversary can inform further and more targeted malicious behavior. Example Windows commands which can acquire this information are: \"net user\" and \"dsquery\"."}},{"_key":"capec_01024","_id":"capec/capec_01024","_rev":"_dVyyXDu-_K","original_id":"576","datatype":"capec","name":"Group Permission Footprinting","metadata":{"description":"","short_description":"An adversary exploits functionality meant to identify information about user groups and their permissions on the target system to an authorized user. By knowing what users/permissions are registered on the target system, the adversary can inform further and more targeted malicious behavior. An example Windows command which can list local groups is \"net localgroup\"."}},{"_key":"capec_01025","_id":"capec/capec_01025","_rev":"_dVyyXDu-_L","original_id":"577","datatype":"capec","name":"Owner Footprinting","metadata":{"description":"","short_description":"An adversary exploits functionality meant to identify information about the primary users on the target system to an authorized user. They may do this, for example, by reviewing logins or file modification times. By knowing what owners use the target system, the adversary can inform further and more targeted malicious behavior. An example Windows command that may accomplish this is \"dir /A ntuser.dat\". Which will display the last modified time of a user's ntuser.dat file when run within the root folder of a user. This time is synonymous with the last time that user was logged in."}},{"_key":"capec_01026","_id":"capec/capec_01026","_rev":"_dVyyXDu-_M","original_id":"578","datatype":"capec","name":"Disable Security Software","metadata":{"description":"","short_description":"An adversary exploits a weakness in access control to disable security tools so that detection does not occur. This can take the form of killing processes, deleting registry keys so that tools do not start at run time, deleting log files, or other methods."}},{"_key":"capec_01027","_id":"capec/capec_01027","_rev":"_dVyyXDy---","original_id":"579","datatype":"capec","name":"Replace Winlogon Helper DLL","metadata":{"description":"","short_description":"Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup."}},{"_key":"capec_01028","_id":"capec/capec_01028","_rev":"_dVyyXDy--_","original_id":"580","datatype":"capec","name":"System Footprinting","metadata":{"description":"","short_description":"An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations."}},{"_key":"capec_01029","_id":"capec/capec_01029","_rev":"_dVyyXDy--A","original_id":"581","datatype":"capec","name":"Security Software Footprinting","metadata":{"description":"","short_description":"Adversaries may attempt to get a listing of security tools that are installed on the system and their configurations. This may include security related system features (such as a built-in firewall or anti-spyware) as well as third-party security software."}},{"_key":"capec_01030","_id":"capec/capec_01030","_rev":"_dVyyXDy--B","original_id":"582","datatype":"capec","name":"Route Disabling","metadata":{"description":"","short_description":"An adversary disables the network route between two targets. The goal is to completely sever the communications channel between two entities. This is often the result of a major error or the use of an \"Internet kill switch\" by those in control of critical infrastructure. This attack pattern differs from most other obstruction patterns by targeting the route itself, as opposed to the data passed over the route."}},{"_key":"capec_01031","_id":"capec/capec_01031","_rev":"_dVyyXDy--C","original_id":"583","datatype":"capec","name":"Disabling Network Hardware","metadata":{"description":"","short_description":"In this attack pattern, an adversary physically disables networking hardware by powering it down or disconnecting critical equipment. Disabling or shutting off critical system resources prevents them from performing their service as intended, which can have direct and indirect consequences on other systems. This attack pattern is considerably less technical than the selective blocking used in most obstruction attacks."}},{"_key":"capec_01032","_id":"capec/capec_01032","_rev":"_dVyyXDy--D","original_id":"584","datatype":"capec","name":"BGP Route Disabling","metadata":{"description":"","short_description":"An adversary suppresses the Border Gateway Protocol (BGP) advertisement for a route so as to render the underlying network inaccessible. The BGP protocol helps traffic move throughout the Internet by selecting the most efficient route between Autonomous Systems (AS), or routing domains. BGP is the basis for interdomain routing infrastructure, providing connections between these ASs. By suppressing the intended AS routing advertisements and/or forcing less effective routes for traffic to ASs, the adversary can deny availability for the target network."}},{"_key":"capec_01033","_id":"capec/capec_01033","_rev":"_dVyyXDy--E","original_id":"585","datatype":"capec","name":"DNS Domain Seizure","metadata":{"description":"","short_description":"In this attack pattern, an adversary influences a target's web-hosting company to disables a target domain. The goal is to prevent access to the targeted service provided by that domain. It usually occurs as the result of civil or criminal legal interventions."}},{"_key":"capec_01034","_id":"capec/capec_01034","_rev":"_dVyyXDy--F","original_id":"586","datatype":"capec","name":"Object Injection","metadata":{"description":"","short_description":"An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution."}},{"_key":"capec_01035","_id":"capec/capec_01035","_rev":"_dVyyXDy--G","original_id":"587","datatype":"capec","name":"Cross Frame Scripting (XFS)","metadata":{"description":"","short_description":"This attack pattern combines malicious Javascript and a legitimate webpage loaded into a concealed iframe. The malicious Javascript is then able to interact with a legitimate webpage in a manner that is unknown to the user. This attack usually leverages some element of social engineering in that an attacker must convinces a user to visit a web page that the attacker controls."}},{"_key":"capec_01036","_id":"capec/capec_01036","_rev":"_dVyyXDy--H","original_id":"588","datatype":"capec","name":"DOM-Based XSS","metadata":{"description":"","short_description":"This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is inserted into the client-side HTML being parsed by a web browser. Content served by a vulnerable web application includes script code used to manipulate the Document Object Model (DOM). This script code either does not properly validate input, or does not perform proper output encoding, thus creating an opportunity for an adversary to inject a malicious script launch a XSS attack. A key distinction between other XSS attacks and DOM-based attacks is that in other XSS attacks, the malicious script runs when the vulnerable web page is initially loaded, while a DOM-based attack executes sometime after the page loads. Another distinction of DOM-based attacks is that in some cases, the malicious script is never sent to the vulnerable web server at all. An attack like this is guaranteed to bypass any server-side filtering attempts to protect users."}},{"_key":"capec_01037","_id":"capec/capec_01037","_rev":"_dVyyXDy--I","original_id":"589","datatype":"capec","name":"DNS Blocking","metadata":{"description":"","short_description":"An adversary intercepts traffic and intentionally drops DNS requests based on content in the request. In this way, the adversary can deny the availability of specific services or content to the user even if the IP address is changed."}},{"_key":"capec_01038","_id":"capec/capec_01038","_rev":"_dVyyXDy--J","original_id":"590","datatype":"capec","name":"IP Address Blocking","metadata":{"description":"","short_description":"An adversary performing this type of attack drops packets destined for a target IP address. The aim is to prevent access to the service hosted at the target IP address."}},{"_key":"capec_01039","_id":"capec/capec_01039","_rev":"_dVyyXDy--K","original_id":"591","datatype":"capec","name":"Reflected XSS","metadata":{"description":"","short_description":"This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is \"reflected\" off a vulnerable web application and then executed by a victim's browser. The process starts with an adversary delivering a malicious script to a victim and convincing the victim to send the script to the vulnerable web application. The most common method of this is through a phishing email where the adversary embeds the malicious script with a URL that the victim then clicks on. In processing the subsequent request, the vulnerable web application incorrectly considers the malicious script as valid input and uses it to creates a reposnse that is then sent back to the victim. To launch a successful Reflected XSS attack, an adversary looks for places where user-input is used directly in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (<img>), or the addition of event attibutes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines."}},{"_key":"capec_01040","_id":"capec/capec_01040","_rev":"_dVyyXDy--L","original_id":"592","datatype":"capec","name":"Stored XSS","metadata":{"description":"","short_description":"This type of attack is a form of Cross-site Scripting (XSS) where a malicious script is persistenly \"stored\" within the data storage of a vulnerable web application. Initially presented by an adversary to the vulnerable web application, the malicious script is incorrectly considered valid input and is not properly encoded by the web application. A victim is then convinced to use the web application in a way that creates a response that includes the malicious script. This response is subsequently sent to the victim and the malicious script is executed by the victim's browser. To launch a successful Stored XSS attack, an adversary looks for places where stored input data is used in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (<img>), or the addition of event attibutes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines."}},{"_key":"capec_01041","_id":"capec/capec_01041","_rev":"_dVyyXDy--M","original_id":"593","datatype":"capec","name":"Session Hijacking","metadata":{"description":"","short_description":"This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application."}},{"_key":"capec_01042","_id":"capec/capec_01042","_rev":"_dVyyXDy--N","original_id":"594","datatype":"capec","name":"Traffic Injection","metadata":{"description":"","short_description":"An adversary injects traffic into the target's network connection. The adversary is therefore able to degrade or disrupt the connection, and potentially modify the content. This is not a flooding attack, as the adversary is not focusing on exhausting resources. Instead, the adversary is crafting a specific input to affect the system in a particular way."}},{"_key":"capec_01043","_id":"capec/capec_01043","_rev":"_dVyyXDy--O","original_id":"595","datatype":"capec","name":"Connection Reset","metadata":{"description":"","short_description":"In this attack pattern, an adversary injects a connection reset packet to one or both ends of a target's connection. The attacker is therefore able to have the target and/or the destination server sever the connection without having to directly filter the traffic between them."}},{"_key":"capec_01044","_id":"capec/capec_01044","_rev":"_dVyyXDy--P","original_id":"596","datatype":"capec","name":"TCP RST Injection","metadata":{"description":"","short_description":"An adversary injects one or more TCP RST packets to a target after the target has made a HTTP GET request. The goal of this attack is to have the target and/or destination web server terminate the TCP connection."}},{"_key":"capec_01045","_id":"capec/capec_01045","_rev":"_dVyyXDy--Q","original_id":"597","datatype":"capec","name":"Absolute Path Traversal","metadata":{"description":"","short_description":"An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as \"..\" to extend their range of access to inappropriate areas of the file system. The goal of the adversary is to access directories and files that are intended to be restricted from their access."}},{"_key":"capec_01046","_id":"capec/capec_01046","_rev":"_dVyyXDy--R","original_id":"598","datatype":"capec","name":"DNS Spoofing","metadata":{"description":"","short_description":"An adversary sends a malicious (\"NXDOMAIN\" (\"No such domain\") code, or DNS A record) response to a targets route request before a legitimate resolver can. This technique requires an On-path or In-path device that can monitor and respond to the targets DNS requests. This attack differs from BGP Tampering in that it directly responds to requests made by the target instead of polluting the routing the targets infrastructure uses."}},{"_key":"capec_01047","_id":"capec/capec_01047","_rev":"_dVyyXDy--S","original_id":"599","datatype":"capec","name":"Terrestrial Jamming","metadata":{"description":"","short_description":"In this attack pattern, the adversary transmits disruptive signals in the direction of the target consumer-level satellite dish (as opposed to the satellite itself). The transmission disruption occurs in a more targeted range. Portable terrestrial jammers have a range of 3-5 kilometers in urban areas and 20 kilometers in rural areas. This technique requires a terrestrial jammer that is more powerful than the frequencies sent from the satellite."}},{"_key":"capec_01048","_id":"capec/capec_01048","_rev":"_dVyyXDy--T","original_id":"600","datatype":"capec","name":"Credential Stuffing","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_01049","_id":"capec/capec_01049","_rev":"_dVyyXDy--U","original_id":"601","datatype":"capec","name":"Jamming","metadata":{"description":"","short_description":"An adversary uses radio noise or signals in an attempt to disrupt communications. By intentionally overwhelming system resources with illegitimate traffic, service is denied to the legitimate traffic of authorized users."}},{"_key":"capec_01050","_id":"capec/capec_01050","_rev":"_dVyyXDy--V","original_id":"603","datatype":"capec","name":"Blockage","metadata":{"description":"","short_description":"An adversary blocks the delivery of an important system resource causing the system to fail or stop working."}},{"_key":"capec_01051","_id":"capec/capec_01051","_rev":"_dVyyXDy--W","original_id":"604","datatype":"capec","name":"Wi-Fi Jamming","metadata":{"description":"","short_description":"In this attack scenario, the attacker actively transmits on the Wi-Fi channel to prevent users from transmitting or receiving data from the targeted Wi-Fi network. There are several known techniques to perform this attack – for example: the attacker may flood the Wi-Fi access point (e.g. the retransmission device) with deauthentication frames. Another method is to transmit high levels of noise on the RF band used by the Wi-Fi network."}},{"_key":"capec_01052","_id":"capec/capec_01052","_rev":"_dVyyXDy--X","original_id":"605","datatype":"capec","name":"Cellular Jamming","metadata":{"description":"","short_description":"In this attack scenario, the attacker actively transmits signals to overpower and disrupt the communication between a cellular user device and a cell tower. Several existing techniques are known in the open literature for this attack for 2G, 3G, and 4G LTE cellular technology. For example, some attacks target cell towers by overwhelming them with false status messages, while others introduce high levels of noise on signaling channels."}},{"_key":"capec_01053","_id":"capec/capec_01053","_rev":"_dVyyXDy--Y","original_id":"606","datatype":"capec","name":"Weakening of Cellular Encryption","metadata":{"description":"","short_description":"An attacker, with control of a Cellular Rogue Base Station or through cooperation with a Malicious Mobile Network Operator can force the mobile device (e.g., the retransmission device) to use no encryption (A5/0 mode) or to use easily breakable encryption (A5/1 or A5/2 mode)."}},{"_key":"capec_01054","_id":"capec/capec_01054","_rev":"_dVyyXDy--Z","original_id":"607","datatype":"capec","name":"Obstruction","metadata":{"description":"","short_description":"An attacker obstructs the interactions between system components. By interrupting or disabling these interactions, an adversary can often force the system into a degraded state or even to fail."}},{"_key":"capec_01055","_id":"capec/capec_01055","_rev":"_dVyyXDy--a","original_id":"608","datatype":"capec","name":"Cryptanalysis of Cellular Encryption","metadata":{"description":"","short_description":"The use of cryptanalytic techniques to derive cryptographic keys or otherwise effectively defeat cellular encryption to reveal traffic content. Some cellular encryption algorithms such as A5/1 and A5/2 (specified for GSM use) are known to be vulnerable to such attacks and commercial tools are available to execute these attacks and decrypt mobile phone conversations in real-time. Newer encryption algorithms in use by UMTS and LTE are stronger and currently believed to be less vulnerable to these types of attacks. Note, however, that an attacker with a Cellular Rogue Base Station can force the use of weak cellular encryption even by newer mobile devices."}},{"_key":"capec_01056","_id":"capec/capec_01056","_rev":"_dVyyXDy--b","original_id":"609","datatype":"capec","name":"Cellular Traffic Intercept","metadata":{"description":"","short_description":"Cellular traffic for voice and data from mobile devices and retransmission devices can be intercepted via numerous methods. Malicious actors can deploy their own cellular tower equipment and intercept cellular traffic surreptitiously. Additionally, government agencies of adversaries and malicious actors can intercept cellular traffic via the telecommunications backbone over which mobile traffic is transmitted."}},{"_key":"capec_01057","_id":"capec/capec_01057","_rev":"_dVyyXDy--c","original_id":"610","datatype":"capec","name":"Cellular Data Injection","metadata":{"description":"","short_description":"Adversaries inject data into mobile technology traffic (data flows or signaling data) to disrupt communications or conduct additional surveillance operations."}},{"_key":"capec_01058","_id":"capec/capec_01058","_rev":"_dVyyXDy--d","original_id":"611","datatype":"capec","name":"BitSquatting","metadata":{"description":"","short_description":"An adversary registers a domain name one bit different than a trusted domain. A BitSquatting attack leverages random errors in memory to direct Internet traffic to adversary-controlled destinations. BitSquatting requires no exploitation or complicated reverse engineering, and is operating system and architecture agnostic. Experimental observations show that BitSquatting popular websites could redirect non-trivial amounts of Internet traffic to a malicious entity."}},{"_key":"capec_01059","_id":"capec/capec_01059","_rev":"_dVyyXDy--e","original_id":"612","datatype":"capec","name":"WiFi MAC Address Tracking","metadata":{"description":"","short_description":"In this attack scenario, the attacker passively listens for WiFi messages and logs the associated Media Access Control (MAC) addresses. These addresses are intended to be unique to each wireless device (although they can be configured and changed by software). Once the attacker is able to associate a MAC address with a particular user or set of users (for example, when attending a public event), the attacker can then scan for that MAC address to track that user in the future."}},{"_key":"capec_01060","_id":"capec/capec_01060","_rev":"_dVyyXDy--f","original_id":"613","datatype":"capec","name":"WiFi SSID Tracking","metadata":{"description":"","short_description":"In this attack scenario, the attacker passively listens for WiFi management frame messages containing the Service Set Identifier (SSID) for the WiFi network. These messages are frequently transmitted by WiFi access points (e.g., the retransmission device) as well as by clients that are accessing the network (e.g., the handset/mobile device). Once the attacker is able to associate an SSID with a particular user or set of users (for example, when attending a public event), the attacker can then scan for this SSID to track that user in the future."}},{"_key":"capec_01061","_id":"capec/capec_01061","_rev":"_dVyyXDy--g","original_id":"614","datatype":"capec","name":"Rooting SIM Cards","metadata":{"description":"","short_description":"SIM cards are the de facto trust anchor of mobile devices worldwide. The cards protect the mobile identity of subscribers, associate devices with phone numbers, and increasingly store payment credentials, for example in NFC-enabled phones with mobile wallets. This attack leverages over-the-air (OTA) updates deployed via cryptographically-secured SMS messages to deliver executable code to the SIM. By cracking the DES key, an attacker can send properly signed binary SMS messages to a device, which are treated as Java applets and are executed on the SIM. These applets are allowed to send SMS, change voicemail numbers, and query the phone location, among many other predefined functions. These capabilities alone provide plenty of potential for abuse."}},{"_key":"capec_01062","_id":"capec/capec_01062","_rev":"_dVyyXDy--h","original_id":"615","datatype":"capec","name":"Evil Twin Wi-Fi Attack","metadata":{"description":"","short_description":"Adversaries install Wi-Fi equipment that acts as a legitimate Wi-Fi network access point. When a device connects to this access point, Wi-Fi data traffic is intercepted, captured, and analyzed. This also allows the adversary to use \"adversary-in-the-middle\" (CAPEC-94) for all communications."}},{"_key":"capec_01063","_id":"capec/capec_01063","_rev":"_dVyyXDy--i","original_id":"616","datatype":"capec","name":"Establish Rogue Location","metadata":{"description":"","short_description":"An adversary provides a malicious version of a resource at a location that is similar to the expected location of a legitimate resource. After establishing the rogue location, the adversary waits for a victim to visit the location and access the malicious resource."}},{"_key":"capec_01064","_id":"capec/capec_01064","_rev":"_dVyyXDy--j","original_id":"617","datatype":"capec","name":"Cellular Rogue Base Station","metadata":{"description":"","short_description":"In this attack scenario, the attacker imitates a cellular base station with their own \"rogue\" base station equipment. Since cellular devices connect to whatever station has the strongest signal, the attacker can easily convince a targeted cellular device (e.g. the retransmission device) to talk to the rogue base station."}},{"_key":"capec_01065","_id":"capec/capec_01065","_rev":"_dVyyXDy--k","original_id":"618","datatype":"capec","name":"Cellular Broadcast Message Request","metadata":{"description":"","short_description":"In this attack scenario, the attacker uses knowledge of the target’s mobile phone number (i.e., the number associated with the SIM used in the retransmission device) to cause the cellular network to send broadcast messages to alert the mobile device. Since the network knows which cell tower the target’s mobile device is attached to, the broadcast messages are only sent in the Location Area Code (LAC) where the target is currently located. By triggering the cellular broadcast message and then listening for the presence or absence of that message, an attacker could verify that the target is in (or not in) a given location."}},{"_key":"capec_01066","_id":"capec/capec_01066","_rev":"_dVyyXDy--l","original_id":"619","datatype":"capec","name":"Signal Strength Tracking","metadata":{"description":"","short_description":"In this attack scenario, the attacker passively monitors the signal strength of the target’s cellular RF signal or WiFi RF signal and uses the strength of the signal (with directional antennas and/or from multiple listening points at once) to identify the source location of the signal. Obtaining the signal of the target can be accomplished through multiple techniques such as through Cellular Broadcast Message Request or through the use of IMSI Tracking or WiFi MAC Address Tracking."}},{"_key":"capec_01067","_id":"capec/capec_01067","_rev":"_dVyyXDy--m","original_id":"620","datatype":"capec","name":"Drop Encryption Level","metadata":{"description":"","short_description":"An attacker forces the encryption level to be lowered, thus enabling a successful attack against the encrypted data."}},{"_key":"capec_01068","_id":"capec/capec_01068","_rev":"_dVyyXDy--n","original_id":"621","datatype":"capec","name":"Analysis of Packet Timing and Sizes","metadata":{"description":"","short_description":"An attacker may intercept and log encrypted transmissions for the purpose of analyzing metadata such as packet timing and sizes. Although the actual data may be encrypted, this metadata may reveal valuable information to an attacker. Note that this attack is applicable to VOIP data as well as application data, especially for interactive apps that require precise timing and low-latency (e.g. thin-clients)."}},{"_key":"capec_01069","_id":"capec/capec_01069","_rev":"_dVyyXDy--o","original_id":"622","datatype":"capec","name":"Electromagnetic Side-Channel Attack","metadata":{"description":"","short_description":"In this attack scenario, the attacker passively monitors electromagnetic emanations that are produced by the targeted electronic device as an unintentional side-effect of its processing. From these emanations, the attacker derives information about the data that is being processed (e.g. the attacker can recover cryptographic keys by monitoring emanations associated with cryptographic processing). This style of attack requires proximal access to the device, however attacks have been demonstrated at public conferences that work at distances of up to 10-15 feet. There have not been any significant studies to determine the maximum practical distance for such attacks. Since the attack is passive, it is nearly impossible to detect and the targeted device will continue to operate as normal after a successful attack."}},{"_key":"capec_01070","_id":"capec/capec_01070","_rev":"_dVyyXDy--p","original_id":"623","datatype":"capec","name":"Compromising Emanations Attack","metadata":{"description":"","short_description":"Compromising Emanations (CE) are defined as unintentional signals which an attacker may intercept and analyze to disclose the information processed by the targeted equipment. Commercial mobile devices and retransmission devices have displays, buttons, microchips, and radios that emit mechanical emissions in the form of sound or vibrations. Capturing these emissions can help an adversary understand what the device is doing."}},{"_key":"capec_01071","_id":"capec/capec_01071","_rev":"_dVyyXDy--q","original_id":"624","datatype":"capec","name":"Hardware Fault Injection","metadata":{"description":"","short_description":"The adversary uses disruptive signals or events (e.g. electromagnetic pulses, laser pulses, clock glitches, etc.) to cause faulty behavior in electronic devices. When performed in a controlled manner on devices performing cryptographic operations, this faulty behavior can be exploited to derive secret key information."}},{"_key":"capec_01072","_id":"capec/capec_01072","_rev":"_dVyyXDy--r","original_id":"625","datatype":"capec","name":"Mobile Device Fault Injection","metadata":{"description":"","short_description":"Fault injection attacks against mobile devices use disruptive signals or events (e.g. electromagnetic pulses, laser pulses, clock glitches, etc.) to cause faulty behavior. When performed in a controlled manner on devices performing cryptographic operations, this faulty behavior can be exploited to derive secret key information. Although this attack usually requires physical control of the mobile device, it is non-destructive, and the device can be used after the attack without any indication that secret keys were compromised."}},{"_key":"capec_01073","_id":"capec/capec_01073","_rev":"_dVyyXDy--s","original_id":"626","datatype":"capec","name":"Smudge Attack","metadata":{"description":"","short_description":"Attacks that reveal the password/passcode pattern on a touchscreen device by detecting oil smudges left behind by the user’s fingers."}},{"_key":"capec_01074","_id":"capec/capec_01074","_rev":"_dVyyXDy--t","original_id":"627","datatype":"capec","name":"Counterfeit GPS Signals","metadata":{"description":"","short_description":"An adversary attempts to deceive a GPS receiver by broadcasting counterfeit GPS signals, structured to resemble a set of normal GPS signals. These spoofed signals may be structured in such a way as to cause the receiver to estimate its position to be somewhere other than where it actually is, or to be located where it is but at a different time, as determined by the adversary."}},{"_key":"capec_01075","_id":"capec/capec_01075","_rev":"_dVyyXDy--u","original_id":"628","datatype":"capec","name":"Carry-Off GPS Attack","metadata":{"description":"","short_description":"A common form of a GPS spoofing attack, commonly termed a carry-off attack begins with an adversary broadcasting signals synchronized with the genuine signals observed by the target receiver. The power of the counterfeit signals is then gradually increased and drawn away from the genuine signals. Over time, the adversary can carry the target away from their intended destination and toward a location chosen by the adversary."}},{"_key":"capec_01076","_id":"capec/capec_01076","_rev":"_dVyyXDy--v","original_id":"629","datatype":"capec","name":"Unauthorized Use of Device Resources","metadata":{"description":"","short_description":"An adversary that has previously obtained unauthorized access to certain device resources, uses that access to obtain information such as location and network information."}},{"_key":"capec_01077","_id":"capec/capec_01077","_rev":"_dVyyXDy--w","original_id":"630","datatype":"capec","name":"TypoSquatting","metadata":{"description":"","short_description":"An adversary registers a domain name with at least one character different than a trusted domain. A TypoSquatting attack takes advantage of instances where a user mistypes a URL (e.g. www.goggle.com) or not does visually verify a URL before clicking on it (e.g. phishing attack). As a result, the user is directed to an adversary-controlled destination. TypoSquatting does not require an attack against the trusted domain or complicated reverse engineering."}},{"_key":"capec_01078","_id":"capec/capec_01078","_rev":"_dVyyXDy--x","original_id":"631","datatype":"capec","name":"SoundSquatting","metadata":{"description":"","short_description":"An adversary registers a domain name that sounds the same as a trusted domain, but has a different spelling. A SoundSquatting attack takes advantage of a user's confusion of the two words to direct Internet traffic to adversary-controlled destinations. SoundSquatting does not require an attack against the trusted domain or complicated reverse engineering."}},{"_key":"capec_01079","_id":"capec/capec_01079","_rev":"_dVyyXDy--y","original_id":"632","datatype":"capec","name":"Homograph Attack via Homoglyphs","metadata":{"description":"","short_description":"An adversary registers a domain name containing a homoglyph, leading the registered domain to appear the same as a trusted domain. A homograph attack leverages the fact that different characters among various character sets look the same to the user. Homograph attacks must generally be combined with other attacks, such as phishing attacks, in order to direct Internet traffic to the adversary-controlled destinations."}},{"_key":"capec_01080","_id":"capec/capec_01080","_rev":"_dVyyXDy--z","original_id":"633","datatype":"capec","name":"Token Impersonation","metadata":{"description":"","short_description":"An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary."}},{"_key":"capec_01081","_id":"capec/capec_01081","_rev":"_dVyyXDy--0","original_id":"634","datatype":"capec","name":"Probe Audio and Video Peripherals","metadata":{"description":"","short_description":"The adversary exploits the target system's audio and video functionalities through malware or scheduled tasks. The goal is to capture sensitive information about the target for financial, personal, political, or other gains which is accomplished by collecting communication data between two parties via the use of peripheral devices (e.g. microphones and webcams) or applications with audio and video capabilities (e.g. Skype) on a system."}},{"_key":"capec_01082","_id":"capec/capec_01082","_rev":"_dVyyXDy--1","original_id":"635","datatype":"capec","name":"Alternative Execution Due to Deceptive Filenames","metadata":{"description":"","short_description":"The extension of a file name is often used in various contexts to determine the application that is used to open and use it. If an attacker can cause an alternative application to be used, it may be able to execute malicious code, cause a denial of service or expose sensitive information."}},{"_key":"capec_01083","_id":"capec/capec_01083","_rev":"_dVyyXDy--2","original_id":"636","datatype":"capec","name":"Hiding Malicious Data or Code within Files","metadata":{"description":"","short_description":"Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover."}},{"_key":"capec_01084","_id":"capec/capec_01084","_rev":"_dVyyXDy--3","original_id":"637","datatype":"capec","name":"Collect Data from Clipboard","metadata":{"description":"","short_description":"The adversary exploits an application that allows for the copying of sensitive data or information by collecting information copied to the clipboard. Data copied to the clipboard can be accessed by other applications, such as malware built to exfiltrate or log clipboard contents on a periodic basis. In this way, the adversary aims to garner information to which they are unauthorized."}},{"_key":"capec_01085","_id":"capec/capec_01085","_rev":"_dVyyXDy--4","original_id":"638","datatype":"capec","name":"Altered Component Firmware","metadata":{"description":"","short_description":"An adversary exploits systems features and/or improperly protected firmware of hardware components, such as Hard Disk Drives (HDD), with the goal of executing malicious code from within the component's Master Boot Record (MBR). Conducting this type of attack entails the adversary infecting the target with firmware altering malware, using known tools, and a payload. Once this malware is executed, the MBR is modified to include instructions to execute the payload at desired intervals and when the system is booted up. A successful attack will obtain persistence within the victim system even if the operating system is reinstalled and/or if the component is formatted or has its data erased."}},{"_key":"capec_01086","_id":"capec/capec_01086","_rev":"_dVyyXDy--5","original_id":"639","datatype":"capec","name":"Probe System Files","metadata":{"description":"","short_description":"An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information."}},{"_key":"capec_01087","_id":"capec/capec_01087","_rev":"_dVyyXDy--6","original_id":"640","datatype":"capec","name":"Inclusion of Code in Existing Process","metadata":{"description":"","short_description":"The adversary takes advantage of a bug in an application failing to verify the integrity of the running process to execute arbitrary code in the address space of a separate live process. The adversary could use running code in the context of another process to try to access process's memory, system/network resources, etc. The goal of this attack is to evade detection defenses and escalate privileges by masking the malicious code under an existing legitimate process. Examples of approaches include but not limited to: dynamic-link library (DLL) injection, portable executable injection, thread execution hijacking, ptrace system calls, VDSO hijacking, function hooking, and more."}},{"_key":"capec_01088","_id":"capec/capec_01088","_rev":"_dVyyXDy--7","original_id":"641","datatype":"capec","name":"DLL Side-Loading","metadata":{"description":"","short_description":"An adversary places a malicious version of a Dynamic-Link Library (DLL) in the Windows Side-by-Side (WinSxS) directory to trick the operating system into loading this malicious DLL instead of a legitimate DLL. Programs specify the location of the DLLs to load via the use of WinSxS manifests or DLL redirection and if they aren't used then Windows searches in a predefined set of directories to locate the file. If the applications improperly specify a required DLL or WinSxS manifests aren't explicit about the characteristics of the DLL to be loaded, they can be vulnerable to side-loading."}},{"_key":"capec_01089","_id":"capec/capec_01089","_rev":"_dVyyXDy--8","original_id":"642","datatype":"capec","name":"Replace Binaries","metadata":{"description":"","short_description":"Adversaries know that certain binaries will be regularly executed as part of normal processing. If these binaries are not protected with the appropriate file system permissions, it could be possible to replace them with malware. This malware might be executed at higher system permission levels. A variation of this pattern is to discover self-extracting installation packages that unpack binaries to directories with weak file permissions which it does not clean up appropriately. These binaries can be replaced by malware, which can then be executed."}},{"_key":"capec_01090","_id":"capec/capec_01090","_rev":"_dVyyXDy--9","original_id":"643","datatype":"capec","name":"Identify Shared Files/Directories on System","metadata":{"description":"","short_description":"An adversary discovers connections between systems by exploiting the target system's standard practice of revealing them in searchable, common areas. Through the identification of shared folders/drives between systems, the adversary may further their goals of locating and collecting sensitive information/files, or map potential routes for lateral movement within the network."}},{"_key":"capec_01091","_id":"capec/capec_01091","_rev":"_dVyyXDy-_-","original_id":"644","datatype":"capec","name":"Use of Captured Hashes (Pass The Hash)","metadata":{"description":"","short_description":"An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential (e.g. userID and password) hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols. When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain."}},{"_key":"capec_01092","_id":"capec/capec_01092","_rev":"_dVyyXDy-__","original_id":"645","datatype":"capec","name":"Use of Captured Tickets (Pass The Ticket)","metadata":{"description":"","short_description":"An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain."}},{"_key":"capec_01093","_id":"capec/capec_01093","_rev":"_dVyyXDy-_A","original_id":"646","datatype":"capec","name":"Peripheral Footprinting","metadata":{"description":"","short_description":"Adversaries may attempt to obtain information about attached peripheral devices and components connected to a computer system. Examples may include discovering the presence of iOS devices by searching for backups, analyzing the Windows registry to determine what USB devices have been connected, or infecting a victim system with malware to report when a USB device has been connected. This may allow the adversary to gain additional insight about the system or network environment, which may be useful in constructing further attacks."}},{"_key":"capec_01094","_id":"capec/capec_01094","_rev":"_dVyyXDy-_B","original_id":"647","datatype":"capec","name":"Collect Data from Registries","metadata":{"description":"","short_description":"An adversary exploits a weakness in authorization to gather system-specific data and sensitive information within a registry (e.g., Windows Registry, Mac plist). These contain information about the system configuration, software, operating system, and security. The adversary can leverage information gathered in order to carry out further attacks."}},{"_key":"capec_01095","_id":"capec/capec_01095","_rev":"_dVyyXDy-_C","original_id":"648","datatype":"capec","name":"Collect Data from Screen Capture","metadata":{"description":"","short_description":"An adversary gathers sensitive information by exploiting the system's screen capture functionality. Through screenshots, the adversary aims to see what happens on the screen over the course of an operation. The adversary can leverage information gathered in order to carry out further attacks."}},{"_key":"capec_01096","_id":"capec/capec_01096","_rev":"_dVyyXDy-_D","original_id":"649","datatype":"capec","name":"Adding a Space to a File Extension","metadata":{"description":"","short_description":"An adversary adds a space character to the end of a file extension and takes advantage of an application that does not properly neutralize trailing special elements in file names. This extra space, which can be difficult for a user to notice, affects which default application is used to operate on the file and can be leveraged by the adversary to control execution."}},{"_key":"capec_01097","_id":"capec/capec_01097","_rev":"_dVyyXDy-_E","original_id":"650","datatype":"capec","name":"Upload a Web Shell to a Web Server","metadata":{"description":"","short_description":"By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a \"gateway\" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels."}},{"_key":"capec_01098","_id":"capec/capec_01098","_rev":"_dVyyXDy-_F","original_id":"651","datatype":"capec","name":"Eavesdropping","metadata":{"description":"","short_description":"An adversary intercepts a form of communication (e.g. text, audio, video) by way of software (e.g., microphone and audio recording application), hardware (e.g., recording equipment), or physical means (e.g., physical proximity). The goal of eavesdropping is typically to gain unauthorized access to sensitive information about the target for financial, personal, political, or other gains. Eavesdropping is different from a sniffing attack as it does not take place on a network-based communication channel (e.g., IP traffic). Instead, it entails listening in on the raw audio source of a conversation between two or more parties."}},{"_key":"capec_01099","_id":"capec/capec_01099","_rev":"_dVyyXDy-_G","original_id":"652","datatype":"capec","name":"Use of Known Kerberos Credentials","metadata":{"description":"","short_description":"An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain. Kerberos is the default authentication method for Windows domains and is utilized for numerous authentication purposes. Attacks leveraging trusted Kerberos credentials can result in numerous consequences, depending on what Kerberos credential is stolen. For example, Kerberos service accounts are typically used to run services or scheduled tasks pertaining to authentication. However, these credentials are often weak and never expire, in addition to possessing local or domain administrator privileges. If an adversary is able to acquire these credentials, it could result in lateral movement within the Windows domain or access to any resources the service account is privileged to access, among other things. Kerberos credentials can be obtained by an adversary via methods such as system breaches, network sniffing attacks, and/or brute force attacks against the Kerberos service account or the hash of a service ticket. Ultimately, successful spoofing and impersonation of trusted Kerberos credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application."}},{"_key":"capec_01100","_id":"capec/capec_01100","_rev":"_dVyyXDy-_H","original_id":"653","datatype":"capec","name":"Use of Known Windows Credentials","metadata":{"description":"","short_description":"An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows domain credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the domain, under the guise of an authenticated user or service. Attacks leveraging trusted Windows credentials typically result in the adversary laterally moving within the local Windows network, since users are often allowed to login to systems/applications within the domain using their Windows domain password. This domain authentication can occur directly (user typing in their password or PIN) or via Single Sign-On (SSO) or cloud-based authentication, which often don't verify the authenticity of the user's input. Known credentials are usually obtained by an adversary via a system/application breach and/or by purchasing dumps of credentials on the dark web. These credentials may be further gleaned via exposed configuration and properties files that contain system passwords, database connection strings, and other sensitive data. Utilizing known Windows credentials, an adversary can obtain sensitive data from administrator shares, download/install malware on the system, pose as a legitimate user for social engineering purposes, and more. Ultimately, successful spoofing and impersonation of trusted credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application."}},{"_key":"capec_01101","_id":"capec/capec_01101","_rev":"_dVyyXDy-_I","original_id":"654","datatype":"capec","name":"Credential Prompt Impersonation","metadata":{"description":"","short_description":"An adversary, through a previously installed malicious application, impersonates a credential prompt in an attempt to steal a user's credentials. The adversary may monitor the task list maintained by the operating system and wait for a specific legitimate credential prompt to become active. Once the prompt is detected, the adversary launches a new credential prompt in the foreground that mimics the user interface of the legitimate credential prompt. At this point, the user thinks that they are interacting with the legitimate credential prompt, but instead they are interacting with the malicious credential prompt. A second approach involves the adversary impersonating an unexpected credential prompt, but one that may often be spawned by legitimate background processes. For example, an adversary may randomly impersonate a system credential prompt, implying that a background process or commonly used application (e.g., email reader) requires authentication for some purpose. The user, believing they are interacting with a legitimate credential prompt, enters their credentials which the adversary then leverages for nefarious purposes. The ultimate goal of this attack is to obtain sensitive information (e.g., credentials) from the user."}},{"_key":"capec_01102","_id":"capec/capec_01102","_rev":"_dVyyXDy-_J","original_id":"655","datatype":"capec","name":"Avoid Security Tool Identification by Adding Data","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_01103","_id":"capec/capec_01103","_rev":"_dVyyXDy-_K","original_id":"656","datatype":"capec","name":"Voice Phishing","metadata":{"description":"","short_description":"An adversary targets users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Voice Phishing is a variation of the Phishing social engineering technique where the attack is initiated via a voice call, rather than email. The user is enticed to provide sensitive information by the adversary, who masquerades as a legitimate employee of the alleged organization. Voice Phishing attacks deviate from standard Phishing attacks, in that a user doesn't typically interact with a compromised website to provide sensitive information and instead provides this information verbally. Voice Phishing attacks can also be initiated by either the adversary in the form of a \"cold call\" or by the victim if calling an illegitimate telephone number."}},{"_key":"capec_01104","_id":"capec/capec_01104","_rev":"_dVyyXDy-_L","original_id":"657","datatype":"capec","name":"Malicious Automated Software Update via Spoofing","metadata":{"description":"","short_description":"An attackers uses identify or content spoofing to trick a client into performing an automated software update from a malicious source. A malicious automated software update that leverages spoofing can include content or identity spoofing as well as protocol spoofing. Content or identity spoofing attacks can trigger updates in software by embedding scripted mechanisms within a malicious web page, which masquerades as a legitimate update source. Scripting mechanisms communicate with software components and trigger updates from locations specified by the attackers' server. The result is the client believing there is a legitimate software update available but instead downloading a malicious update from the attacker."}},{"_key":"capec_01105","_id":"capec/capec_01105","_rev":"_dVyyXDy-_M","original_id":"660","datatype":"capec","name":"Root/Jailbreak Detection Evasion via Hooking","metadata":{"description":"","short_description":"An adversary forces a non-restricted mobile application to load arbitrary code or code files, via Hooking, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Adversaries may further leverage these capabilities to escalate privileges or bypass access control on legitimate applications. Although many mobile applications check if a mobile device is Rooted/Jailbroken prior to authorized use of the application, adversaries may be able to \"hook\" code in order to circumvent these checks. Successfully evading Root/Jailbreak detection allows an adversary to execute administrative commands, obtain confidential data, impersonate legitimate users of the application, and more."}},{"_key":"capec_01106","_id":"capec/capec_01106","_rev":"_dVyyXDy-_N","original_id":"661","datatype":"capec","name":"Root/Jailbreak Detection Evasion via Debugging","metadata":{"description":"","short_description":"An adversary inserts a debugger into the program entry point of a mobile application to modify the application binary, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Rooting/Jailbreaking a mobile device also provides users with access to system debuggers and disassemblers, which can be leveraged to exploit applications by dumping the application's memory at runtime in order to remove or bypass signature verification methods. This further allows the adversary to evade Root/Jailbreak detection mechanisms, which can result in execution of administrative commands, obtaining confidential data, impersonating legitimate users of the application, and more."}},{"_key":"capec_01107","_id":"capec/capec_01107","_rev":"_dVyyXDy-_O","original_id":"662","datatype":"capec","name":"Adversary in the Browser (AiTB)","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_01108","_id":"capec/capec_01108","_rev":"_dVyyXDy-_P","original_id":"663","datatype":"capec","name":"Exploitation of Transient Instruction Execution","metadata":{"description":"","short_description":"An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution to expose sensitive data and bypass/subvert access control over restricted resources. Typically, the adversary conducts a covert channel attack to target non-discarded microarchitectural changes caused by transient executions such as speculative execution, branch prediction, instruction pipelining, and/or out-of-order execution. The transient execution results in a series of instructions (gadgets) which construct covert channel and access/transfer the secret data."}},{"_key":"capec_01109","_id":"capec/capec_01109","_rev":"_dVyyXDy-_Q","original_id":"664","datatype":"capec","name":"Server Side Request Forgery","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_01110","_id":"capec/capec_01110","_rev":"_dVyyXDy-_R","original_id":"665","datatype":"capec","name":"Exploitation of Thunderbolt Protection Flaws","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_01111","_id":"capec/capec_01111","_rev":"_dVyyXDy-_S","original_id":"666","datatype":"capec","name":"BlueSmacking","metadata":{"description":"","short_description":"An adversary uses Bluetooth flooding to transfer large packets to Bluetooth enabled devices over the L2CAP protocol with the goal of creating a DoS. This attack must be carried out within close proximity to a Bluetooth enabled device."}},{"_key":"capec_01112","_id":"capec/capec_01112","_rev":"_dVyyXDy-_T","original_id":"667","datatype":"capec","name":"Bluetooth Impersonation AttackS (BIAS)","metadata":{"description":"","short_description":"An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities."}},{"_key":"capec_01113","_id":"capec/capec_01113","_rev":"_dVyyXDy-_U","original_id":"668","datatype":"capec","name":"Key Negotiation of Bluetooth Attack (KNOB)","metadata":{"description":"","short_description":"An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication."}},{"_key":"capec_01114","_id":"capec/capec_01114","_rev":"_dVyyXDy-_V","original_id":"669","datatype":"capec","name":"Alteration of a Software Update","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_01115","_id":"capec/capec_01115","_rev":"_dVyyXDy-_W","original_id":"670","datatype":"capec","name":"Software Development Tools Maliciously Altered","metadata":{"description":"","short_description":"An adversary with the ability to alter tools used in a development environment causes software to be developed with maliciously modified tools. Such tools include requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools. The adversary then carries out malicious acts once the software is deployed including malware infection of other systems to support further compromises."}},{"_key":"capec_01116","_id":"capec/capec_01116","_rev":"_dVyyXD2---","original_id":"671","datatype":"capec","name":"Requirements for ASIC Functionality Maliciously Altered","metadata":{"description":"","short_description":"An adversary with access to functional requirements for an application specific integrated circuit (ASIC), a chip designed/customized for a singular particular use, maliciously alters requirements derived from originating capability needs. In the chip manufacturing process, requirements drive the chip design which, when the chip is fully manufactured, could result in an ASIC which may not meet the user’s needs, contain malicious functionality, or exhibit other anomalous behaviors thereby affecting the intended use of the ASIC."}},{"_key":"capec_01117","_id":"capec/capec_01117","_rev":"_dVyyXD2--_","original_id":"672","datatype":"capec","name":"Malicious Code Implanted During Chip Programming","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_01118","_id":"capec/capec_01118","_rev":"_dVyyXD2--A","original_id":"673","datatype":"capec","name":"Developer Signing Maliciously Altered Software","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_01119","_id":"capec/capec_01119","_rev":"_dVyyXD2--B","original_id":"674","datatype":"capec","name":"Design for FPGA Maliciously Altered","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_01120","_id":"capec/capec_01120","_rev":"_dVyyXD2--C","original_id":"675","datatype":"capec","name":"Retrieve Data from Decommissioned Devices","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_01121","_id":"capec/capec_01121","_rev":"_dVyyXD2--D","original_id":"676","datatype":"capec","name":"NoSQL Injection","metadata":{"description":"\n            ","short_description":"\n            "}},{"_key":"capec_01122","_id":"capec/capec_01122","_rev":"_dVyyXD2--E","original_id":"677","datatype":"capec","name":"Server Functionality Compromise","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_01123","_id":"capec/capec_01123","_rev":"_dVyyXD2--F","original_id":"678","datatype":"capec","name":"System Build Data Maliciously Altered","metadata":{"description":"","short_description":"\n            "}},{"_key":"capec_01124","_id":"capec/capec_01124","_rev":"_dVyyXD2--G","original_id":"679","datatype":"capec","name":"Exploitation of Improperly Configured or Implemented Memory Protections","metadata":{"description":"\n            ","short_description":"\n            "}},{"_key":"capec_01125","_id":"capec/capec_01125","_rev":"_dVyyXD2--H","original_id":"680","datatype":"capec","name":"Exploitation of Improperly Controlled Registers","metadata":{"description":"\n            ","short_description":"\n            "}},{"_key":"capec_01126","_id":"capec/capec_01126","_rev":"_dVyyXD2--I","original_id":"681","datatype":"capec","name":"Exploitation of Improperly Controlled Hardware Security Identifiers","metadata":{"description":"\n            ","short_description":"\n            "}}]