Catalog

COMMON ATTACK PATTERN ENUMERATION AND CLASSIFICATION (CAPEC)

The objective of the Common Attack Pattern Enumeration and Classification (CAPEC) effort is to provide a publicly available catalog of common attack patterns classified in an intuitive manner, along with a comprehensive schema for describing related attacks and sharing information about them.

Common searches: SQL injection Cross-Site Scripting Cross Site Request Forgery Session Hijacking Configuration Cellular Mobile Clickjacking Path Traversal XML Libraries

= 514 items (filtered by ) / show notes

Engage in Deceptive Interactions
Attack patterns within this category focus on malicious interactions with a target in an attempt to deceive the target and convince the target that it is interacting with some other principal and as such take actions based on the level of trust that exists between the target and the other principal.

Content Spoofing
An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged.

Intent Spoof
An adversary, through a previously installed malicious application, issues an intent directed toward a specific trusted application's component in an attempt to achieve a variety of different objectives including modification of data, information disclosure, and data injection.

Counterfeit GPS Signals
An adversary attempts to deceive a GPS receiver by broadcasting counterfeit GPS signals, structured to resemble a set of normal GPS signals.

Carry-Off GPS Attack
A common form of a GPS spoofing attack, commonly termed a carry-off attack begins with an adversary broadcasting signals synchronized with the genuine signals observed by the target receiver.

Signature-Based Avoidance
Software packing is a method of compressing or encrypting an executable.

Artificially Inflate File Sizes
Security tools often inspect executables to determine if they are malicious.

Spoofing of UDDI/ebXML Messages
An attacker spoofs a UDDI, ebXML, or similar message in order to impersonate a service provider in an e-business transaction.

Checksum Spoofing
An adversary spoofs a checksum message for the purpose of making a payload appear to have a valid corresponding checksum.

Identity Spoofing
Identity Spoofing refers to the action of assuming (i.

Signature Spoof
An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.

Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part.

Signature Spoofing by Key Theft
An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Signature Spoofing by Improper Validation
An attacker exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.

Signature Spoofing by Misrepresentation
An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions.

Signature Spoofing by Mixing Signed and Unsigned Content
An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data.

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Pharming
A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform.

Fake the Source of Data
An adversary provides data under a falsified identity.

Counterfeit Websites
Adversary creates duplicates of legitimate websites.

Counterfeit Organizations
An adversary creates a false front organizations with the appearance of a legitimate supplier in the critical life cycle path that then injects corrupted/malicious information system components into the organizational supply chain.

DNS Spoofing
An adversary sends a malicious ("NXDOMAIN" ("No such domain") code, or DNS A record) response to a targets route request before a legitimate resolver can.

Principal Spoof
A Principle Spoof is a form of Identity Spoofing where an adversary pretends to be some other person in an interaction.

Cross Frame Scripting (XFS)
This attack pattern combines malicious Javascript and a legitimate webpage loaded into a concealed iframe.

Terrestrial Jamming
In this attack pattern, the adversary transmits disruptive signals in the direction of the target consumer-level satellite dish (as opposed to the satellite itself).

Phishing
Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker.

Spear Phishing
An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability.

Mobile Phishing
An attacker targets mobile phone users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user.

Resource Location Spoofing
An adversary deceives an application or user and convinces them to request a resource from an unintended location.

Establish Rogue Location
An adversary provides a malicious version of a resource at a location that is similar to the expected location of a legitimate resource.

BitSquatting
An adversary registers a domain name one bit different than a trusted domain.

Evil Twin Wi-Fi Attack
Adversaries install Wi-Fi equipment that acts as a legitimate Wi-Fi network access point.

Cellular Rogue Base Station
In this attack scenario, the attacker imitates a cellular base station with his own “rogue” base station equipment.

TypoSquatting
An adversary registers a domain name with at least one character different than a trusted domain.

SoundSquatting
An adversary registers a domain name that sounds the same as a trusted domain, but has a different spelling.

Homograph Attack via Homoglyphs
An adversary registers a domain name containing a homoglyph, leading the registered domain to appear the same as a trusted domain.

Redirect Access to Libraries
An attacker exploits the execution flow of a call to an external library to point to an attacker supplied library or code base, allowing the attacker to compromise the application or server via the execution of unauthorized code.

DLL Search Order Hijacking
The attacker exploits the functionality of the Windows DLL loader where the process loading the DLL searches for the DLL to be loaded first in the same directory in which the process binary resides and then in other directories (e.

Symlink Attack
An attacker positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

Leveraging/Manipulating Configuration File Search Paths
This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath.

Action Spoofing
An adversary is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate a different action.

Task Impersonation
An adversary, through a previously installed malicious application, monitors the task list maintained by the operating system and waits for a specific legitimate task to become active.

Scheme Squatting
An adversary, through a previously installed malicious application, registers for a URL scheme intended for a target application that has not been installed.

Tapjacking
An adversary, through a previously installed malicious application, displays an interface that misleads the user and convinces him/her to tap in an attacker desired location on the screen.

Clickjacking
In a clickjacking attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different system.

iFrame Overlay
In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system.

Flash File Overlay
An attacker creates a transparent overlay using flash in order to intercept user actions for the purpose of performing a clickjacking attack.

Manipulate Human Behavior
An adversary exploits inherent human psychological predisposition to influence a targeted individual or group to solicit information or manipulate the target into performing an action that serves the adversary's interests.

Pretexting
An adversary engages in pretexting behavior to solicit information from target persons, or manipulate the target into performing some action that serves the adversary's interests.

Pretexting via Customer Service
An adversary engages in pretexting behavior, assuming the role of someone who works for Customer Service, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests.

Pretexting via Tech Support
An adversary engages in pretexting behavior, assuming the role of a tech support worker, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests.

Pretexting via Delivery Person
An adversary engages in pretexting behavior, assuming the role of a delivery person, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests.

Pretexting via Phone
An adversary engages in pretexting behavior, assuming some sort of trusted role, and contacting the targeted individual or organization via phone to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests.

Influence Perception
The adversary uses social engineering to exploit the target's perception of the relationship between the adversary and themselves.

Influence Perception of Reciprocation
An adversary uses a social engineering techniques to produce a sense of obligation in the target to perform a certain action or concede some sensitive or key piece of information.

Influence Perception of Scarcity
The adversary leverages a perception of scarcity to persuade the target to perform an action or divulge information that is advantageous to the adversary.

Influence Perception of Authority
An adversary uses a social engineering technique to convey a sense of authority that motivates the target reveal specific information or take specific action.

Influence Perception of Commitment and Consistency
An adversary uses social engineering to convince the target to do minor tasks as opposed to larger actions.

Influence Perception of Liking
The adversary influences the target's actions by building a relationship where the target has a liking to the adversary.

Influence Perception of Consensus or Social Proof
The adversary influences the target's actions by leveraging the inherent human nature to assume behavior of others is appropriate.

Target Influence via Framing
An adversary uses framing techniques to contextualize a conversation so that the target is more likely to be influenced by the adversary's point of view.

Influence via Incentives
The adversary incites a behavior from the target by manipulating something of influence.

Influence via Psychological Principles
The adversary shapes the target's actions or behavior by focusing on the ways human interact and learn, leveraging such elements as cognitive and social psychology.

Influence via Modes of Thinking
The adversary tailors their communication to the language and thought patterns of the target thereby weakening barriers or reluctance to communication.

Target Influence via Eye Cues
The adversary gains information via non-verbal means from the target through eye movements.

Target Influence via Micro-Expressions

Target Influence via Neuro-Linguistic Programming (NLP)

Target Influence via Voice in NLP

Target Influence via The Human Buffer Overflow
An attacker utilizes a technique to insinuate commands to the subconscious mind of the target via communication patterns.

Target Influence via Interview and Interrogation

Target Influence via Instant Rapport

Abuse Existing Functionality
An adversary uses or manipulates one or more functions of an application in order to achieve a malicious objective not originally intended by the application, or to deplete a resource to the point that the target's functionality is affected.

API Manipulation
An adversary manipulates the use or processing of an Application Programming Interface (API) resulting in an adverse impact upon the security of the system implementing the API.

Exploit Test APIs
An attacker exploits a sample, demonstration, or test API that is insecure by default and should not be resident on production systems.

Try All Common Switches
An attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target.

Using Unpublished APIs
An adversary searches for and invokes APIs that the target system designers did not intend to be publicly available.

Exploit Script-Based APIs
Some APIs support scripting instructions as arguments.

Flooding
An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target.

XML Flood
An adversary may execute a flooding attack using XML messages with the intent to deny legitimate users access to a web service.

XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target.

TCP Flood
An adversary may execute a flooding attack using the TCP protocol with the intent to deny legitimate users access to a service.

UDP Flood
An adversary may execute a flooding attack using the UDP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth.

ICMP Flood
An adversary may execute a flooding attack using the ICMP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth.

HTTP Flood
An adversary may execute a flooding attack using the HTTP protocol with the intent to deny legitimate users access to a service by consuming resources at the application layer such as web services and their infrastructure.

SSL Flood
An adversary may execute a flooding attack using the SSL protocol with the intent to deny legitimate users access to a service by consuming all the available resources on the server side.

Amplification
An adversary may execute an amplification where the size of a response is far greater than that of the request that generates it.

Excessive Allocation
An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services.

XML Nested Payloads
Applications often need to transform data in and out of the XML format by using an XML parser.

XML Quadratic Expansion
An adversary exploits a few properties of XML(substitution entities and inline DTDs) to cause a denial of service situation due to excessive memory being allocated to fully expand the XML.

XML Entity Expansion
An attacker submits an XML document to a target application where the XML document uses nested entity expansion to produce an excessively large output XML.

XML Oversized Payloads
Applications often need to transform data in and out of the XML format by using an XML parser.

XML Entity Blowup
An attacker creates an XML document that with an external entity reference.

XML Attribute Blowup
This attack exploits certain XML parsers which manage data in an inefficient manner.

Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex.

SOAP Array Blowup
An adversary may execute an attack on a web service that uses SOAP messages in communication.

TCP Fragmentation
An attacker may execute a TCP Fragmentation attack against a target with the intention of avoiding filtering rules.

UDP Fragmentation
An attacker may execute a UDP Fragmentation attack against a target server in an attempt to consume resources such as bandwidth and CPU.

ICMP Fragmentation
An attacker may execute a ICMP Fragmentation attack against a target with the intention of consuming resources or causing a crash.

Resource Leak Exposure
An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests.

Functionality Misuse
An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact.

Inducing Account Lockout
An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user.

Drop Encryption Level
An attacker forces the encryption level to be lowered, thus enabling a successful attack against the encrypted data.

Weakening of Cellular Encryption
An attacker, with control of a Cellular Rogue Base Station or through cooperation with a Malicious Mobile Network Operator can force the mobile device (e.

JSON Hijacking (aka JavaScript Hijacking)
An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.

Passing Local Filenames to Functions That Expect a URL
This attack relies on client side code to access local files and resources instead of URLs.

Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user.

Communication Channel Manipulation
An adversary manipulates a setting or parameter on communications channel in order to compromise its security.

Exploiting Incorrectly Configured SSL
An adversary takes advantage of incorrectly configured SSL communications that enables access to data intended to be encrypted.

Choosing Message Identifier
This pattern of attack is defined by the selection of messages distributed over via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client.

Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible.

HTTP DoS
An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection.

Protocol Manipulation
An adversary subverts a communications protocol to perform an attack.

Client-Server Protocol Manipulation
An adversary takes advantage of weaknesses in the protocol by which a client and server are communicating to perform unexpected actions.

Blue Boxing
This type of attack against older telephone switches and trunks has been around for decades.

HTTP Request Splitting
HTTP Request Splitting (also known as HTTP Request Smuggling) is an attack pattern where an attacker attempts to insert additional HTTP requests in the body of the original (enveloping) HTTP request in such a way that the browser interprets it as one request but the web server interprets it as two.

HTTP Request Smuggling
HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls.

HTTP Response Splitting
This attack uses a maliciously-crafted HTTP request in order to cause a vulnerable web server to respond with an HTTP response stream that will be interpreted by the client as two separate responses instead of one.

HTTP Response Smuggling
An attacker injects content into a server response that is interpreted differently by intermediaries than it is by the target browser.

HTTP Verb Tampering
An attacker modifies the HTTP Verb (e.

Reflection Attack in Authentication Protocol
An attacker can abuse an authentication protocol susceptible to reflection attack in order to defeat it.

DNS Rebinding
An adversary serves content whose IP address is resolved by a DNS server that the adversary controls.

Inter-component Protocol Manipulation

Data Interchange Protocol Manipulation

Web Services Protocol Manipulation
An attacker manipulates functions and/or their values used by web-related protocols to cause a web application or service to react differently that intended, allowing the attacker to gain access to data or resources normally restricted or to cause the application or service to crash.

Soap Manipulation

SOAP Parameter Tampering
An attacker sends a SOAP message where the field values are other than what the server is likely to expect in order to precipitate non-standard server behavior.

Windows ::DATA Alternate Data Stream
An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security.

Functionality Bypass
An adversary attacks a system by bypassing some or all functionality intended to protect it.

Evercookie
An attacker creates a very persistent cookie that stays present even after the user thinks it has been removed.

Transparent Proxy Abuse
A transparent proxy serves as an intermediate between the client and the internet at large.

Calling Micro-Services Directly
An attacker is able to discover and query Micro-services at a web location and thereby expose the Micro-services to further exploitation by gathering information about their implementation and function.

Manipulate Data Structures
Attack patterns in this category manipulate and exploit characteristics of system data structures in order to violate the intended usage and protections of these structures.

Buffer Manipulation
An adversary manipulates an application's interaction with a buffer in an attempt to read or modify data they shouldn't have access to.

Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer.

Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary.

Buffer Overflow in an API Call
This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks.

Buffer Overflow in Local Command-Line Utilities
This attack targets command-line utilities available in a number of shells.

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables.

Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.

Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction.

SOAP Array Overflow
An attacker sends a SOAP request with an array whose actual length exceeds the length indicated in the request.

MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine.

Overflow Binary Resource File
An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources.

Buffer Overflow via Symbolic Links
This type of attack leverages the use of symbolic links to cause buffer overflows.

Overflow Variables and Tags
This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow.

Buffer Overflow via Parameter Expansion
In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing.

String Format Overflow in syslog()
This attack targets the format string vulnerabilities in the syslog() function.

Shared Data Manipulation
An adversary exploits a data structure shared between multiple applications or an application pool to affect application behavior.

Pointer Manipulation
This attack pattern involves an adversary manipulating a pointer within a target application resulting in the application accessing an unintended memory location.

Input Data Manipulation
An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface.

Path Traversal
An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests.

Absolute Path Traversal
An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as ".

Relative Path Traversal
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources.

Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS.

Integer Attacks
An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application.

Forced Integer Overflow
This attack forces an integer variable to go out of range.

Leverage Alternate Encoding
This attack leverages the possibility to encode potentially harmful input and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult.

Using Leading 'Ghost' Character Sequences to Bypass Input Filters
Some APIs will strip certain leading characters from a string of parameters.

Using Alternative IP Address Encodings
This attack relies on the attacker using unexpected formats for representing IP addresses.

Double Encoding
The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request.

Exploiting Multiple Input Interpretation Layers
An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic.

Embedding NULL Bytes
An attacker embeds one or more null bytes in input to the target software.

Postfix, Null Terminate, and Backslash
If a string is passed through a filter of some kind, then a terminal NULL may not be valid.

Using Slashes and URL Encoding Combined to Bypass Validation Logic
This attack targets the encoding of the URL combined with the encoding of the slash characters.

Using Unicode Encoding to Bypass Validation Logic
An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request.

URL Encoding
This attack targets the encoding of the URL.

Using Escaped Slashes in Alternate Encoding
This attack targets the use of the backslash in alternate encoding.

Using Slashes in Alternate Encoding
This attack targets the encoding of the Slash characters.

Using UTF-8 Encoding to Bypass Validation Logic
This attack is a specific variation on leveraging alternate encodings to bypass validation logic.

Manipulate System Resources
This category is related to the WASC Threat Classification 2.

Software Integrity Attack
An attacker initiates a series of events designed to cause a user, program, server, or device to perform actions which undermine the integrity of software code, device data structures, or device firmware, achieving the modification of the target's integrity to achieve an insecure state.

Malicious Software Download
An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code that originates from an attacker controlled source.

Malicious Software Update
An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that originates from an attacker controlled source.

Rooting SIM Cards
SIM cards are the de facto trust anchor of mobile devices worldwide.

Malicious Manual Software Update
An attacker introduces malicious code to the victim's system by altering the payload of a software update, allowing for additional compromise or site disruption at the victim location.

Malicious Automated Software Update
An attacker exploits a weakness in a server or client's process of delivering and verifying the integrity of code supplied by an update-providing server or mechanism to cause code of the attackers' choosing to be downloaded and installed as a software update.

Hardware Integrity Attack
An attacker changes a technology, product, component, or sub-component during its deployed use at the victim location for the purpose of carrying out an attack.

Hacking Hardware
An attacker changes or replaces a hardware component which undermines the system's integrity for the purpose of carrying out an attack.

Bypassing ATA Password Security
An attacker exploits a weakness in ATA security on a drive to gain access to the information the drive contains without supplying the proper credentials.

Malicious Hardware Update
An attacker introduces malicious hardware during an update or replacement procedure, allowing for additional compromise or site disruption at the victim location.

Hardware Component Substitution
An attacker substitutes out a tested and approved hardware component for a maliciously-altered hardware component.

Provide Counterfeit Component
An attacker provides a counterfeit component during the procurement process of a lower-tier component supplier to a sub-system developer or integrator, which is then built into the system being upgraded or repaired by the victim, allowing the attacker to cause disruption or additional compromise.

Malicious Gray Market Hardware
An attacker maliciously alters hardware components that will be sold on the gray market, allowing for victim disruption and compromise when the victim needs replacement hardware components for systems where the parts are no longer in regular supply from original suppliers, or where the hardware components from the attacker seems to be a great benefit from a cost perspective.

Infrastructure Manipulation
An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network objects or effect a change in the ordinary information flow between network objects.

Block Logging to Central Repository
An adversary may attempt to block indicators from leaving the host machine.

Cache Poisoning
An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives.

DNS Cache Poisoning
A domain name server translates a domain name (such as www.

Audit Log Manipulation
The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack.

Web Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior.

Log Injection-Tampering-Forging
This attack targets the log files of the target host.

Force the System to Reset Values
An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors.

File Manipulation
An attacker modifies file contents or attributes (such as extensions or names) of files in a manner to cause incorrect processing by an application.

Cause Web Server Misclassification
An attack of this type exploits a Web server's decision to take action based on filename or file extension.

Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.

Force Use of Corrupted Files
This describes an attack where an application is forced to use a file that an attacker has corrupted.

Create files with the same name as files protected with a higher classification
An attacker exploits file location algorithms in an operating system or application by creating a file with the same name as a protected or privileged file.

User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content.

Configuration/Environment Manipulation
An attacker manipulates files or settings external to a target application which affect the behavior of that application.

Data Injected During Configuration
An attacker with access to data files and processes on a victim's system injects false data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the attacker.

Manipulate Application Registry Values
An attacker manipulates the registry values used by an application to perform a variety of possible attacks.

Modification of Registry Run Keys
An adversary adds a new entry to run keys in the registry in an attempt to automatically execute a desired application.

Poison Web Service Registry
SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services.

Disable Security Software
Adversaries may disable security tools so that detection does not occur.

Schema Poisoning
An attacker corrupts or modifies the content of a schema for the purpose of undermining the security of the target.

XML Schema Poisoning
An attacker corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the security of the target.

Manipulating Writeable Configuration Files
Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.

Obstruction
An attacker obstructs the interactions between system components.

Jamming
An adversary uses radio noise or signals in an attempt to disrupt communications.

Wi-Fi Jamming
In this attack scenario, the attacker actively transmits on the Wi-Fi channel to prevent users from transmitting or receiving data from the targeted Wi-Fi network.

Cellular Jamming
In this attack scenario, the attacker actively transmits signals to overpower and disrupt the communication between a cellular user device and a cell tower.

Orbital Jamming
In this attack pattern, the adversary sends disruptive signals at a target satellite using a rogue uplink station to disrupt the intended transmission.

Blockage
An adversary blocks the delivery of an important system resource causing the system to fail or stop working.

DNS Blocking
An adversary intercepts traffic and intentionally drops DNS requests based on content in the request.

IP Address Blocking
An adversary performing this type of attack drops packets destined for a target IP address.

Block Access to Libraries
An application typically makes calls to functions that are a part of libraries external to the application.

Physical Destruction of Device or Component
An adversary conducts a physical attack a device or component, destroying it such that it no longer functions as intended.

Route Disabling
An adversary disables the network route between two targets.

Disabling Network Hardware
In this attack pattern, an adversary physically disables networking hardware by powering it down or disconnecting critical equipment.

BGP Route Disabling
An adversary suppresses the Border Gateway Protocol (BGP) advertisement for a route so as to render the underlying network inaccessible.

DNS Domain Seizure
In this attack pattern, an adversary influences a target's web-hosting company to disables a target domain.

Modification During Manufacture
An attacker modifies a technology, product, or component during a stage in its manufacture for the purpose of carrying out an attack against some entity involved in the supply chain lifecycle.

Development Alteration
An attacker modifies a technology, product, or component during its development.

Infiltration of Software Development Environment
An attacker uses common delivery mechanisms such as email attachments or removable media to infiltrate the IDE (Integrated Development Environment) of a victim manufacturer with the intent of implanting malware allowing for attack control of the victim IDE environment.

Hardware Component Substitution During Baselining
An attacker with access to system components during allocated baseline development can substitute a maliciously altered hardware component for a baseline component in the during the product development and research phase.

Counterfeit Hardware Component Inserted During Product Assembly
An attacker with either direct access to the product assembly process or to the supply of subcomponents used in the product assembly process introduces counterfeit hardware components into product assembly.

Infiltration of Hardware Development Environment
An attacker, leveraging the ability to manipulate components of primary support systems and tools within the development and production environments, inserts malicious software within the hardware and/or firmware development environment.

ASIC With Malicious Functionality
An attacker with access to the development environment process of an application-specific integrated circuit (ASIC) for a victim system being developed or maintained after initial deployment can insert malicious functionality into the system for the purpose of disruption or further compromise.

Malicious Logic Inserted Into Product Software by Authorized Developer
An attacker uses their privileged position within an authorized software development organization to inject malicious logic into a codebase or product.

Malicious Logic Insertion into Product Software via Configuration Management Manipulation
An attacker exploits a configuration management system so that malicious logic is inserted into a software products build, update or deployed environment.

Malicious Logic Insertion into Product Software via Inclusion of 3rd Party Component Dependency
An attacker conducts supply chain attacks by the inclusion of insecure 3rd party components into a technology, product, or code-base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer.

Design Alteration
An attacker modifies the design of a technology, product, or component.

Documentation Alteration to Circumvent Dial-down
An attacker with access to a manufacturer's documentation, which include descriptions of advanced technology and/or specific components' criticality, alters the documents to circumvent dial-down functionality requirements.

Documentation Alteration to Produce Under-performing Systems
An attacker with access to a manufacturer's documentation alters the descriptions of system capabilities with the intent of causing errors in derived system requirements, impacting the overall effectiveness and capability of the system, allowing an attacker to take advantage of the introduced system capability flaw once the system is deployed.

Documentation Alteration to Cause Errors in System Design
An attacker with access to a manufacturer's documentation containing requirements allocation and software design processes maliciously alters the documentation in order to cause errors in system design.

Hardware Design Specifications Are Altered
An attacker with access to a manufacturer's hardware manufacturing process documentation alters the design specifications, which introduces flaws advantageous to the attacker once the system is deployed.

Manipulation During Distribution
An attacker undermines the integrity of a product, software, or technology at some stage of the distribution channel.

Malicious Hardware Component Replacement
An attacker replaces legitimate hardware in the system with faulty counterfeit or tampered hardware in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.

Malicious Software Implanted
An attacker implants malicious software into the system in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.

Rogue Integration Procedures
An attacker alters or establishes rogue processes in an integration facility in order to insert maliciously altered components into the system.

Malicious Logic Insertion
An attacker installs or adds malicious logic into a seemingly benign component of the system.

Malicious Logic Inserted Into To Product Software
An attacker inserts malicious logic into software, typically in the form of a traditional virus or trojan backdoor.

Altered Installed BIOS
An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.

Open Source Libraries Altered
An attacker with access to an open source code project and knowledge of its particular use for in a system being developed, manufactured, or supported for the victim, can insert malicious code into the open source software used for math libraries in anticipation of inclusion into the system for the purpose of disruption or further compromise within the victim organization.

Malware Infection into Product Software
An attacker tampers with the code of a product and injects malicious logic into the device in order to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.

Malicious Logic Insertion into Product Hardware
Summary:This attack pattern has been deprecated as it is a duplicate of CAPEC-452 : Malicious Logic Insertion into Product Hardware.

Malicious Logic Insertion into Product Memory
An attacker inserts malicious logic into memory enabling them to achieve a negative impact.

USB Memory Attacks
An attacker loads malicious code onto a USB memory stick in order to infect any system which the device is plugged in to.

Flash Memory Attacks
An attacker inserts malicious logic into a product or technology via flashing the on-board memory with a code-base that contains malicious logic.

Contaminate Resource
An adversary contaminates organizational information systems (including devices and networks) by causing them to handle information of a classification/sensitivity for which they have not been authorized.

Inject Unexpected Items
Attack patterns within this category focus on the ability to control or disrupt the behavior of an target either through crafted data submitted via an interface for data input, or the installation and execution of malicious code on the target system.

Parameter Injection
An adversary exploits weaknesses in input validation by manipulating the content of request parameters for the purpose of undermining the security of the target.

Argument Injection
An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.

Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database.

HTTP Parameter Pollution (HPP)
An attacker overrides or adds HTTP GET/POST parameters by injecting query string delimiters.

Email Injection
An attacker manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol.

Format String Injection
An adversary includes formatting characters in a string input field on the target application.

Reflection Injection
An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field.

Flash Parameter Injection
An adversary injects values to global parameters into a Flash movie embedded in an HTML document.

Flash Injection
An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker.

Cross-Site Flashing
An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser.

Code Inclusion
An adversary exploits a weakness on the target to force arbitrary code to be retrieved locally or from a remote location and executed.

Local Code Inclusion
The attacker forces an application to load arbitrary code files from the local machine.

PHP Local File Inclusion
The attacker loads and executes an arbitrary local PHP file on a target machine.

Remote Code Inclusion
The attacker forces an application to load arbitrary code files from a remote location.

WebView Injection
An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component.

Server Side Include (SSI) Injection
An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server.

PHP Remote File Inclusion
In this pattern the adversary is able to load and execute arbitrary code remotely available from the application.

Resource Injection
An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource.

Cellular Data Injection
Adversaries inject data into mobile technology traffic (data flows or signaling data) to disrupt communications or conduct additional surveillance operations.

Code Injection
An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing.

Generic Cross-Browser Cross-Domain Theft
An attacker makes use of Cascading Style Sheets (CSS) injection to steal data cross domain from the victim's browser.

Embedding Scripts within Scripts
An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts.

File Content Injection
An attack of this type exploits the host's trust in executing remote content, including binary files.

Using Meta-characters in E-mail Headers to Inject Malicious Payloads
This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs.

Cross-Site Scripting (XSS)
An adversary embeds malicious scripts in content that will be served to web browsers.

DOM-Based XSS
This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is inserted into the client-side HTML being parsed by a web browser.

Reflected XSS
This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is “reflected” off a vulnerable web application and then executed by a victim's browser.

XSS Targeting Non-Script Elements
This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (), comments in XML documents (), etc.

XSS Targetting HTML Attributes
An adeversary inserts commands to perform cross-site scripting (XSS) actions in HTML attributes.

XSS Targeting URI Placeholders
An attack of this type exploits the ability of most browsers to interpret "data", "javascript" or other URI schemes as client-side executable content placeholders.

XSS Using Doubled Characters
The attacker bypasses input validation by using doubled characters in order to perform a cross-site scripting attack.

XSS Using Invalid Characters
An adversary inserts invalid characters in identifiers to bypass application filtering of input.

XSS Through HTTP Query Strings
An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application.

XSS Through HTTP Headers
An adversary exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors.

XSS Targeting Error Pages
An adversary distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page.

XSS Using Alternate Syntax
An adversary uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters.

Stored XSS
This type of attack is a form of Cross-site Scripting (XSS) where a malicious script is persistenly “stored” within the data storage of a vulnerable web application.

XSS Using MIME Type Mismatch
An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected.

Command Injection
An adversary looking to execute a command of their choosing, injects new items into an existing command thus modifying interpretation away from what was intended.

Linux Terminal Injection
This type of attack exploits terminal devices that allow the keyboard buffer to be written to by other users.

Manipulating Writeable Terminal Devices
This attack exploits terminal devices that allow themselves to be written to by other users.

XML Injection
An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection.

DTD Injection
An attacker injects malicious content into an application's DTD in an attempt to produce a negative technical impact.

XPath Injection
An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that he normally would not be able to.

XQuery Injection
This attack utilizes XQuery to probe and attack server systems; in a similar manner that SQL Injection allows an attacker to exploit SQL calls to RDBMS, XQuery Injection uses improperly validated data that is passed to XQuery commands to traverse and execute commands that the XQuery routines have access to.

LDAP Injection
An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target.

SQL Injection
This attack exploits target software that constructs SQL statements based on user input.

Blind SQL Injection
Blind SQL Injection results from an insufficient mitigation for SQL Injection.

Command Line Execution through SQL Injection
An attacker uses standard SQL injection methods to inject data into the command line for execution.

Object Relational Mapping Injection
An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject his or her own SQL commands to be executed against the underlying database.

Expanding Control over the Operating System from the Database
An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine.

SQL Injection through SOAP Parameter Tampering
An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack.

IMAP/SMTP Command Injection
An attacker exploits weaknesses in input validation on IMAP/SMTP servers to execute commands on the server.

OS Command Injection
In this type of an attack, an adversary injects operating system commands into existing application functions.

Local Execution of Code
An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact.

Targeted Malware
An adversary develops targeted malware that takes advantage of a known vulnerability in an organizational information technology environment.

Install New Service
When an operating system starts, it also starts programs called services or daemons.

Modify Existing Service
When an operating system starts, it also starts programs called services or daemons.

Install Rootkit
A hypervisor is a software layer that sits between the operating system and the processor.

Replace File Extension Handlers
When a file is opened, its file handler is checked to determine which program opens the file.

Schedule Software To Run
It is possible to schedule software to be run at a time in the future (Windows commands "at" and "schtasks", along with the Windows Task Scheduler, cron in UNIX-based systems).

Replace Trusted Executable
An attacker replaces replaces a trusted executable to allow for the execution of malware when that trusted executable is called.

Run Software at Logon
Operating system allows logon scripts to be run whenever a specific user or users logon to a system.

Replace Winlogon Helper DLL
Winlogon is a part of Windows that performs logon actions.

Fault Injection
The adversary uses disruptive signals or events (e.

Mobile Device Fault Injection
Fault injection attacks against mobile devices use disruptive signals or events (e.

Traffic Injection
An adversary injects traffic into the target's network connection.

Connection Reset
In this attack pattern, an adversary injects a connection reset packet to one or both ends of a target's connection.

TCP RST Injection
An adversary injects one or more TCP RST packets to a target after the target has made a HTTP GET request.

Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects.

Employ Probabilistic Techniques
An attacker utilizes probabilistic techniques to explore and overcome security properties of the target that are based on an assumption of strength due to the extremely low mathematical probability that an attacker would be able to identify and exploit the very rare specific conditions under which those security properties do not hold.

Brute Force
In this attack, some asset (information, functionality, identity, etc.

Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.

Password Brute Forcing
In this attack, the adversary tries every possible value for a password until they succeed.

Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account.

Rainbow Table Password Cracking
An attacker gets access to the database table where hashes of passwords are stored.

Try Common or Default Usernames and Passwords
An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions.

Fuzzing
In this attack pattern, the adversary leverages fuzzing to try to identify weaknesses in the system.

Manipulate Timing and State
An attacker exploits weaknesses in timing or state maintaining functions to perform actions that would otherwise be prevented by the execution flow of the target code and processes.

Forced Deadlock
The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service.

Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place.

Leveraging Race Conditions via Symbolic Links
This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files.

Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource.

Manipulating User State
The adversary modifies state information maintained by the target software in user-accessible locations.

Bypassing of Intermediate Forms in Multiple-Form Sets
Some web applications require users to submit information through an ordered sequence of web forms.

Collect and Analyze Information
This category has been deprecated as it is no longer used by any of the Views.

Excavation
An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes.

Dumpster Diving
An adversary cases an establishment and searches through trash bins, dumpsters, or areas where company information may have been accidentally discarded for information items which may be useful to the dumpster diver.

Pull Data from System Resources
An adversary who is authorized or has the ability to search known system resources, does so with the intention of gathering useful information.

Probe Application Memory
An adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment.

Probe iOS Screenshots
An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information.

Obtain Data via Utilities
In this type of attack, information useful to adversaries in launching follow-on attacks is obtained through the use of helper tools or utilities.

Dump Password Hashes
An adversary obtains a collection of password hashes through the use of automated utilities designed specifically for gathering this type of information.

Collect Data as Provided by Users
An attacker leverages a tool, device, or program to obtain specific information as provided by a user of the target system.

Capture Credentials via Keylogger
An adversary deploys a keylogger in an effort to obtain credentials directly from a system's user.

Collect Data from Common Resource Locations
An adversary exploits well-known locations for resources for the purposes of undermining the security of the target.

Detect Unpublicized Web Pages
An attacker searches a targeted web site for web pages that have not been publicized.

Detect Unpublicized Web Services
An attacker searches a targeted web site for web services that have not been publicized.

Screen Temporary Files for Sensitive Information
An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow.

Query System for Information
An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses.

Fuzzing for garnering J2EE/.NET-based stack traces, for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes any stack traces produced by error messages.

Fuzzing and observing application log data/errors for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned.

Cross-Domain Search Timing
An attacker initiates cross domain HTTP / GET requests and times the server responses.

Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output.

Fuzzing for garnering other adjacent user/sensitive data
An attacker who is authorized to send queries to a target sends variants of expected queries in the hope that these modified queries might return information (directly or indirectly through error logs) beyond what the expected set of queries should provide.

WSDL Scanning
This attack targets the WSDL interface made available by a web service.

Interception
An adversary monitors data streams to or from a target in order to gather information.

Intent Intercept
An adversary, through a previously installed malicious application, intercepts messages from a trusted Android-based application in an attempt to achieve a variety of different objectives including denial of service, information disclosure, and data injection.

Activity Hijack
An adversary, through a previously installed malicious application, intercepts an implicit intent sent to launch a trusted activity and instead launches a counterfeit activity in its place.

Harvesting Usernames or UserIDs via Application API Event Monitoring
An attacker hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions.

Sniffing Attacks
An attacker monitors information transmitted between logical or physical nodes of a network.

Cellular Traffic Intercept
Cellular traffic for voice and data from mobile devices and retransmission devices can be intercepted via numerous methods.

Sniffing Network Traffic
An adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive information.

Sniff Application Code
An adversary passively sniffs network communications and captures application code bound for an authorized client.

Footprinting
An adversary engages in probing and exploration activities to identify constituents and properties of the target.

Malware-Directed Internal Reconnaissance
Adversary uses malware or a similarly controlled application installed inside an organizational perimeter to gather information about the composition, configuration, and security mechanisms of a targeted application, system or network.

Port Scanning
An attacker uses a combination of techniques to determine the state of the ports on a remote target.

TCP Connect Scan
An attacker uses full TCP connection attempts to determine if a port is open.

TCP FIN scan
An attacker uses a TCP FIN scan to determine if ports are closed on the target machine.

TCP Xmas Scan
An attacker uses a TCP XMAS scan to determine if ports are closed on the target machine.

TCP Null Scan
An attacker uses a TCP NULL scan to determine if ports are closed on the target machine.

TCP ACK Scan
An attacker uses TCP ACK segments to gather information about firewall or ACL configuration.

TCP Window Scan
An attacker engages in TCP Window scanning to analyze port status and operating system type.

TCP RPC Scan
An attacker scan for RPC services listing on a Unix/Linux host.

UDP Scan
An attacker engages in UDP scanning to gather information about UDP port status.

TCP SYN Scan
An attacker uses a SYN scan to determine the status of ports on the remote target.

Network Topology Mapping
An adversary engages in scanning activities to map network nodes, hosts, devices, and routes.

Enumerate Mail Exchange (MX) Records
An attacker enumerates the MX records for a given via a DNS query.

DNS Zone Transfers
An attacker exploits a DNS misconfiguration that permits a ZONE transfer.

Traceroute Route Enumeration
An attacker uses a traceroute utility to map out the route which data flows through the network in route to a target destination.

Process Footprinting
Adversaries may attempt to get information about running processes.

Services Footprinting
Adversaries may try to get information about registered services.

Account Footprinting
Adversaries may attempt to get a listing of all local or domain accounts and their permissions.

Group Permission Footprinting
Adversaries may get a listing of all local groups and their permissions and members.

Owner Footprinting
Adversaries may attempt to identify the primary users of the system.

Application Footprinting
An adversary engages in active probing and exploration activities to determine the type or version of an application installed on a remote target.

Security Software Footprinting
Adversaries may attempt to get a listing of security tools that are installed on the system and their configurations.

Explore for Predictable Temporary File Names
An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against the target.

Host Discovery
An attacker sends a probe to an IP address to determine if the host is alive.

WiFi MAC Address Tracking
In this attack scenario, the attacker passively listens for WiFi messages and logs the associated Media Access Control (MAC) addresses.

WiFi SSID Tracking
In this attack scenario, the attacker passively listens for WiFi management frame messages containing the Service Set Identifier (SSID) for the WiFi network.

Cellular Broadcast Message Request
In this attack scenario, the attacker uses knowledge of the target’s mobile phone number (i.

Signal Strength Tracking
In this attack scenario, the attacker passively monitors the signal strength of the target’s cellular RF signal or WiFi RF signal and uses the strength of the signal (with directional antennas and/or from multiple listening points at once) to identify the source location of the signal.

ICMP Echo Request Ping
An adversary sends out an ICMP Type 8 Echo Request, commonly known as a 'Ping', in order to determine if a target system is responsive.

ICMP Address Mask Request
An attacker sends an ICMP Type 17 Address Mask Request to gather information about a target's networking configuration.

ICMP Timestamp Request
An adversary sends an ICMP type 13 Timestamp Request to determine the time as recorded by a remote target.

ICMP Information Request
An adversary sends an ICMP Information Request to a host to determine if it will respond to this deprecated mechanism.

TCP ACK Ping
An attacker sends a TCP segment with the ACK flag set to a remote host for the purpose of determining if the host is alive.

UDP Ping
An attacker sends a UDP datagram to the remote host to determine if the host is alive.

TCP SYN Ping
An attacker uses a TCP SYN packets as a means of purpose of host discovery.

Fingerprinting
An adversary compares output from a target system to known indicators that uniquely identify specific details about the target.

Application Fingerprinting
An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.

Scanning for Vulnerable Software
An attacker engages in scanning activity to find vulnerable software versions or types, such as operating system versions or network services.

Browser Fingerprinting
An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using.

Web Application Fingerprinting
An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target.

AJAX Fingerprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system.

Active OS Fingerprinting
An adversary engages in activity to detect the operating system or firmware version of a remote target by interrogating a device, server, or platform with a probe designed to solicit behavior that will reveal information about the operating systems or firmware in the environment.

IP ID Sequencing Probe
This OS fingerprinting probe analyzes the IP 'ID' field sequence number generation algorithm of a remote host.

IP 'ID' Echoed Byte-Order Probe
This OS fingerprinting probe tests to determine if the remote host echoes back the IP 'ID' value from the probe packet.

IP (DF) 'Don't Fragment Bit' Echoing Probe
This OS fingerprinting probe tests to determine if the remote host echoes back the IP 'DF' (Don't Fragment) bit in a response packet.

TCP Timestamp Probe
This OS fingerprinting probe examines the remote server's implementation of TCP timestamps.

TCP Sequence Number Probe
This OS fingerprinting probe tests the target system's assignment of TCP sequence numbers.

TCP (ISN) Greatest Common Divisor Probe
This OS fingerprinting probe sends a number of TCP SYN packets to an open port of a remote machine.

TCP (ISN) Counter Rate Probe
This OS detection probe measures the average rate of initial sequence number increments during a period of time.

TCP (ISN) Sequence Predictability Probe
This type of operating system probe attempts to determine an estimate for how predictable the sequence number generation algorithm is for a remote host.

TCP Congestion Control Flag (ECN) Probe
This OS fingerprinting probe checks to see if the remote host supports explicit congestion notification (ECN) messaging.

TCP Initial Window Size Probe
This OS fingerprinting probe checks the initial TCP Window size.

TCP Options Probe
This OS fingerprinting probe analyzes the type and order of any TCP header options present within a response segment.

TCP 'RST' Flag Checksum Probe
This OS fingerprinting probe performs a checksum on any ASCII data contained within the data portion or a RST packet.

ICMP Error Message Quoting Probe
An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the amount of data returned or "Quoted" from the originating request that generated the ICMP error message.

ICMP Error Message Echoing Integrity Probe
An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the integrity of data returned or "Quoted" from the originating request that generated the error message.

ICMP IP Total Length Field Probe
An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message.

ICMP IP 'ID' Field Error Message Probe
An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message.

Passive OS Fingerprinting
An adversary engages in activity to detect the version or type of OS software in a an environment by passively monitoring communication between devices, nodes, or applications.

Reverse Engineering
An adversary discovers the structure, function, and composition of an object, resource, or system by using a variety of analysis techniques to effectively determine how the analyzed entity was constructed or operates.

White Box Reverse Engineering
An attacker discovers the structure, function, and composition of a type of computer software through white box analysis techniques.

Smudge Attack
Attacks that reveal the password/passcode pattern on a touchscreen device by detecting oil smudges left behind by the user’s fingers.

Lifting Sensitive Data Embedded in Cache
An attacker examines a target application's cache for sensitive information.

Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it.

Reverse Engineer an Executable to Expose Assumed Hidden Functionality or Content
An attacker analyzes a binary file or executable for the purpose of discovering the structure, function, and possibly source-code of the file by using a variety of analysis techniques to effectively determine how the software functions and operates.

Read Sensitive Strings Within an Executable
An adversary engages in activities to discover any sensitive strings are present within the compiled code of an executable, such as literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.

Black Box Reverse Engineering
An attacker discovers the structure, function, and composition of a type of computer software through black box analysis techniques.

Analysis of Packet Timing and Sizes
An attacker may intercept and log encrypted transmissions for the purpose of analyzing metadata such as packet timing and sizes.

Electromagnetic Side-Channel Attack
In this attack scenario, the attacker passively monitors electromagnetic emanations that are produced by the targeted electronic device as an unintentional side-effect of its processing.

Compromising Emanations Attack
Compromising Emanations (CE) are defined as unintentional signals which an attacker may intercept and analyze to disclose the information processed by the targeted equipment.

Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network.

Cryptanalysis
Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction).

Cryptanalysis of Cellular Encryption
The use of cryptanalytic techniques to derive cryptographic keys or otherwise effectively defeat cellular encryption to reveal traffic content.

Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext.

Information Elicitation
An adversary engages an individual using any combination of social engineering methods for the purpose of extracting information.

Subvert Access Control
This category has been deprecated as it is no longer used by any of the Views.

Exploitation of Trusted Credentials
Attacks on session IDs and resource IDs take advantage of the fact that some software accepts user input without verifying its authenticity.

SaaS User Request Forgery
An adversary, through a previously installed malicious application, performs malicious actions against a third-party Software as a Service (SaaS) application (also known as a cloud based application) by leveraging the persistent and implicit trust placed on a trusted user's session.

Use of Known Domain Credentials
An adversary uses stolen credentials (e.

Remote Services with Stolen Credentials
An adversary leverages remote services such as RDP, telnet, SSH, and VNC to log into a system with stolen credentials.

Windows Admin Shares with Stolen Credentials
Windows systems have hidden network shares that are only accessible to administrators and allow files to be written to the local computer.

Session Hijacking
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication.

Session Sidejacking
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system.

Cross Site Tracing
Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to destination system's web server.

Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges.

Session Fixation
The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker.

Cross Site Request Forgery
An attacker crafts malicious web links and distributes them (via web pages, email, etc.

Cross Site Identification
An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site.

Session Credential Falsification through Forging
An attacker creates a false but functional session credential in order to gain or usurp access to a service.

Session Credential Falsification through Manipulation
An attacker manipulates an existing credential in order to gain access to a target application.

Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges.

Authentication Abuse
An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation.

Unauthorized Use of Device Resources
An adversary that has previously obtained unauthorized access to certain device resources, uses that access to obtain information such as location and .

Authentication Bypass
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism.

Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
When web services require callees to authenticate, they sometimes issue a token / secret to the caller that the caller is to use to sign their web service calls.

Forceful Browsing
An attacker employs forceful browsing to access portions of a website that are otherwise unreachable through direct URL entry.

Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity.

Create Malicious Client
An adversary creates a client application to interface with a target service where the client violates assumptions the service makes about clients.

Removing Important Client Functionality
An attacker removes or disables functionality on the client that the server assumes to be present and trustworthy.

Removal of filters: Input filters, output filters, data masking
An attacker removes or disables filtering mechanisms on the target application.

Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements
An attacker removes or modifies the logic on a client associated with monetary calculations resulting in incorrect information being sent to the server.

Subversion of authorization checks: cache filtering, programmatic security, etc.

Manipulating Opaque Client-based Data Tokens
In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated.

Accessing/Intercepting/Modifying HTTP Cookies
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems.

Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth).

Subverting Environment Variable Values
The attacker directly or indirectly modifies environment variables used by or controlling the target software.

Manipulating Hidden Fields
An adversary exploits a weakness in the server's trust of client-side processing by modifying data on the client-side, such as price information, and then submitting this data to the server, which processes the modified data.

Man in the Middle Attack
This type of attack targets the communication between two components (typically client and server).

XML Routing Detour Attacks
An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content.

Leveraging Active Man in the Middle Attacks to Bypass Same Origin Policy
An attacker leverages a man in the middle attack in order to bypass the same origin policy protection in the victim's browser.

Application API Message Manipulation via Man-in-the-Middle
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages.

Transaction or Event Tampering via Application API Manipulation
An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged.

Application API Navigation Remapping
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages.

Navigation Remapping To Propagate Malicious Content
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic.

Application API Button Hijacking
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages.

Content Spoofing Via Application API Manipulation
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages.

Utilizing REST's Trust in the System Resource to Register Man in the Middle
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to place man in the middle once SSL is terminated.

Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts.

Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework.

Accessing, Modifying or Executing Executable Files
An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it.

Modify Shared File
An adversary manipulates the files in a shared location by adding malicious programs, scripts, or exploit code to valid content.

Add Malicious File to Shared Webroot
An adversaries may add malicious content to a website through the open file share and then browse to that content with a web browser to cause the server to execute the content.

Restful Privilege Elevation
Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs.

WebView Exposure
An adversary, through a malicious web page, accesses application specific functionality by leveraging interfaces registered through WebView's addJavascriptInterface API.

XML External Entities
This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI.

Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network.

Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.

Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets.

Hijacking a privileged process
An attacker gains control of a process that is assigned elevated privileges in order to execute arbitrary code with those privileges.

Hijacking a Privileged Thread of Execution
Adversaries can sometimes hijack a privileged thread from the underlying system through synchronous (calling a privileged function that returns incorrectly) or asynchronous (callbacks, signal handlers, and similar) means.

Implementing a callback to system routine (old AWT Queue)

Catching exception throw/signal from privileged block
Attackers can sometimes hijack a privileged thread from the underlying system through synchronous (calling a privileged function that returns incorrectly) or asynchronous (callbacks, signal handlers, and similar) means.

Subvert Code-signing Facilities
Because languages use code signing facilities to vouch for code's identity and to thus tie code to its assigned privileges within an environment, subverting this mechanism can be instrumental in an attacker escalating privilege.

Lifting signing key and signing malicious code from a production environment
The attacker extracts credentials used for code signing from a production environment and uses these credentials to sign malicious content with the developer's key.

Calling Signed Code From Another Language Within A Sandbox Allow This
The attacker may submit a malicious signed code from another language to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox.

Using URL/codebase / G.A.C. (code source) to convince sandbox of privilege

Target Programs with Elevated Privileges
This attack targets programs running with elevated privileges.

Bypassing Physical Security
Facilities often used layered models for physical security such as traditional locks, Electronic-based card entry systems, coupled with physical alarms.

Bypassing Physical Locks
An attacker uses techniques and methods to bypass physical security measures of a building or facility.

Lock Bumping
An attacker uses a bump key to force a lock on a building or facility and gain entry.

Lock Picking
An attacker uses lock picking tools and techniques to bypass the locks on a building or facility.

Using a Snap Gun Lock to Force a Lock
An attacker uses a Snap Gun, also known as a Pick Gun, to force the lock on a building or facility.

Bypassing Electronic Locks and Access Controls
An attacker exploits security assumptions to bypass electronic locks or other forms of access controls.

Bypassing Card or Badge-Based Systems
An attacker bypasses the security of a card-based system by using techniques such as cloning access cards or using brute-force techniques.

RFID Chip Deactivation or Destruction
An attacker uses methods to deactivate a passive RFID tag for the purpose of rendering the tag, badge, card, or object containing the tag unresponsive.

Cloning Magnetic Strip Cards
An attacker duplicates the data on a Magnetic strip card (i.

Magnetic Strip Card Brute Force Attacks
An attacker analyzes the data on two or more magnetic strip cards and is able to generate new cards containing valid sequences that allow unauthorized access and/or impersonation of individuals.

Cloning RFID Cards or Chips
An attacker analyzes data returned by an RFID chip and uses this information to duplicate a RFID signal that responds identically to the target chip.

Physical Theft
An adversary gains physical access to a system or device through theft of the item.