
Information Security Vocabularies

References

| Data Model | Data Model Name | Reference |
| --- | --- | --- |
| AI | Asset Identification | http://scap.nist.gov/specifications/ai/ |
| ARF | Asset Reporting Format | http://scap.nist.gov/specifications/arf/ ; http://csrc.nist.gov/publications/nistir/ir7694/NISTIR-7694.pdf |
| CAPEC | Common Attack Pattern Enumeration and Classification | http://www.mitre.org/work/cybersecurity/cyber_standards.html |
| CCE | Common Configuration Enumeration | https://nvd.nist.gov/cce/index.cfm |
| CVE | Common Vulnerabilities and Exposures | https://cve.mitre.org/ |
| CVSS | Common Vulnerability Scoring System | http://www.first.org/cvss |
| CWE | Common Weakness Enumeration | http://cwe.mitre.org/ |
| DPE | Default Passwords Enumeration | |
| IODEF | Incident Object Description Exchange Format | http://tools.ietf.org/html/rfc5070 |
| IODEFbis | Incident Object Description Exchange Format | http://datatracker.ietf.org/doc/draft-ietf-mile-rfc5070-bis/?include_text=1 |
| MAEC | Malware Attribute Enumeration and Characterization | http://maec.mitre.org |
| NDDM | Network Defense Data Models v0.4 | TM Forum |
| OCIL | Open Checklist Interactive Language | http://scap.nist.gov/specifications/ocil/ |
| OVAL | Open Vulnerability and Assessment Language | https://oval.mitre.org/ |
| RID | Real-time Inter-network Defense | http://tools.ietf.org/html/rfc6545 |
| SCAP | Security Content Automation Protocol | http://scap.nist.gov/ |
| STIX | Structured Threat Information eXpression | http://stix.mitre.org/ |
| TAXII | Trusted Automated eXchange of Indicator Information | http://taxii.mitre.org/ |
| VERIS | Vocabulary for Event Recording and Incident Sharing | http://veriscommunity.net |
| XCCDF | Extensible Configuration Checklist Description Format | http://csrc.nist.gov/publications/nistir/ir7275-rev4/NISTIR-7275r4.pdf |
| XEP-0268 | | http://xmpp.org/extensions/xep-0268.html |
| YARA | | https://code.google.com/p/yara-project/ |

https://cve.mitre.org/index.html

VOCABULARY

| VocabularyID | VocabularyName | VocabularyVersion | VocabularyReference | DateModified |
| --- | --- | --- | --- | --- |
| 1 | STIX | 1 | http://stix.mitre.org/ | NULL |
| 2 | VERIS | 1.1 | http://www.veriscommunity.net | NULL |
| 3 | ASSET IDENTIFICATION | 1.1 | http://scap.nist.gov/specifications/ai/ | NULL |
| 4 | CAPEC | 2.1 | http://capec.mitre.org/ | NULL |
| 5 | SECURITY BATTLEGROUND | NULL | http://www.securitybattleground.com | NULL |
| 6 | ThreatModeler | NULL | myappsecurity.com | NULL |
| 7 | CCE | 5.20130214 | http://cce.mitre.org/ | NULL |
| 8 | XCCDF | 1.2 | http://scap.nist.gov/specifications/xccdf/ | NULL |
| 9 | OVAL | 5.10.1 | https://oval.mitre.org/ | NULL |
| 10 | ARF | NULL | http://scap.nist.gov/specifications/arf/ | NULL |
| 11 | CybOX | 2 | http://cybox.mitre.org/ | NULL |
| 12 | MAEC | NULL | http://maec.mitre.org/ | NULL |
| 13 | Risk Taxonomy | NULL | The Open Group | NULL |
| 14 | NDDM | NULL | NULL | NULL |
| 15 | NIST SP 800-53 | NULL | http://csrc.nist.gov/publications/PubsSPs.html | NULL |
| 16 | Foundstone | NULL | http://www.foundstone.com | NULL |
| 17 | CAESARS | NULL | https://www.dhs.gov/xlibrary/assets/fns-caesars.pdf | NULL |
| 18 | SANS | NULL | https://www.sans.org/ | NULL |
| 19 | OWASP | NULL | https://www.owasp.org | NULL |
| 20 | CWE | 2.5 | http://cwe.mitre.org/ | NULL |
| 21 | CPE | 2.2 | http://cpe.mitre.org/ | NULL |

ACRONYM

| AcronymID | AcronymAbbreviation | AcronymPhrase | AcronymDescription | VocabularyID |
| --- | --- | --- | --- | --- |
| 1 | AD | Active Directory | NULL | 17 |
| 2 | ADC | Active Directory Computer | NULL | 17 |
| 3 | ADU | Active Directory User | NULL | 17 |
| 4 | AVR | Anti-Virus | NULL | 17 |
| 6 | CAESARS | Continuous Asset Evaluation, Situational Awareness, and Risk Scoring | NULL | 17 |
| 5 | CAG | Consensus Audit Guidelines | NULL | 17 |
| 7 | CCE | Common Configuration Enumeration | NULL | 17 |
| 8 | CERT | Computer Emergency Response Team | NULL | 17 |
| 9 | CI | Configuration Item | NULL | 17 |
| 10 | CIO | Chief Information Officer | NULL | 17 |
| 11 | CIS | Center for Internet Security | NULL | 17 |
| 12 | CISO | Computer Information Security Officer | NULL | 17 |
| 13 | COTS | Commercial Off-The-Shelf | NULL | 17 |
| 14 | CPE | Common Platform Enumeration | NULL | 17 |
| 15 | CSAM | Cyber Security Assessment and Management | NULL | 17 |
| 16 | CSC | Critical Security Control | NULL | 17 |
| 17 | CVE | Common Vulnerabilities and Exposures | NULL | 17 |
| 18 | CWE | Common Weakness Enumeration | NULL | 17 |
| 20 | DBMS | Database Management System | NULL | 17 |
| 19 | DHS | Department of Homeland Security | NULL | 17 |
| 21 | DISA | Defense Information Systems Agency | NULL | 17 |
| 22 | DOJ | Department of Justice | NULL | 17 |
| 23 | DOS | Department of State | NULL | 17 |
| 24 | ESB | Enterprise Service Bus | NULL | 17 |
| 25 | FDCC | Federal Desktop Core Configuration | NULL | 17 |
| 26 | FIPS | Federal Information Processing Standard | NULL | 17 |
| 27 | FISMA | Federal Information System Management Act | NULL | 17 |
| 28 | FNS | Federal Network Security | NULL | 17 |
| 29 | HTML | Hypertext Markup Language | NULL | 17 |
| 30 | IA | Information Assurance | NULL | 17 |
| 31 | ID | Identifier | NULL | 17 |
| 32 | ID/R | Intrusion Detection and Response | NULL | 17 |
| 33 | IDS | Intrusion Detection System | NULL | 17 |
| 34 | IRS | Internal Revenue Service | NULL | 17 |
| 35 | ISSO | Information System Security Officer | NULL | 17 |
| 36 | IT | Information Technology | NULL | 17 |
| 38 | NAC | Network Admission Control | NULL | 17 |
| 37 | NIST | National Institute of Standards and Technology | NULL | 17 |
| 39 | NSA | National Security Agency | NULL | 17 |
| 40 | NVD | National Vulnerability Database | NULL | 17 |
| 41 | OMB | Office of Management and Budget | NULL | 17 |
| 42 | OS | Operating System | NULL | 17 |
| 43 | OVAL | Open Vulnerability Assessment Language | NULL | 17 |
| 45 | P.L. | Public Law | NULL | 17 |
| 44 | PAT | Patch | NULL | 17 |
| 46 | POA&M | Plan of Action and Milestones | NULL | 17 |
| 47 | PWS | Performance Work Statement | NULL | 17 |
| 48 | RAT | Router Audit Tool | NULL | 17 |
| 49 | RBD | Risk-Based Decision | NULL | 17 |
| 50 | RFI | Request for Information | NULL | 17 |
| 51 | RFP | Request for Proposal | NULL | 17 |
| 52 | RMF | Risk Management Framework | NULL | 17 |
| 53 | SANS | SysAdmin, Audit, Network, Security (Institute) | NULL | 17 |
| 54 | SCAP | Security Content Automation Protocol | NULL | 17 |
| 55 | SCM | Security Compliance | NULL | 17 |
| 56 | SCPMaR | Security Compliance Posture Monitoring and Reporting | NULL | 17 |
| 57 | SCR | Security Compliance Reporting | NULL | 17 |
| 58 | SMS | Systems Management Server | NULL | 17 |
| 59 | SOA | Service Oriented Architecture | NULL | 17 |
| 60 | SOE | Standard Operating Environment | NULL | 17 |
| 61 | SOW | Statement of Work | NULL | 17 |
| 62 | SP | Special Publication | NULL | 17 |
| 63 | SQL | Structured Query Language | NULL | 17 |
| 64 | SRR | Security Readiness Review | NULL | 17 |
| 65 | SSH | Secure Shell | NULL | 17 |
| 66 | STIG | Security Technical Implementation Guide | NULL | 17 |
| 67 | SwA | Software Assurance | NULL | 17 |
| 68 | VPN | Virtual Private Network | NULL | 17 |
| 69 | VUL | Vulnerability | NULL | 17 |
| 70 | VUR | Vulnerability Reporting | NULL | 17 |
| 71 | WAN | Wide Area Network | NULL | 17 |
| 72 | WS | Web Service | NULL | 17 |
| 73 | XCCDF | Extensible Configuration Checklist Definition Format | NULL | 17 |
| 74 | XML | Extensible Markup Language | NULL | 17 |

ACTIONARGUMENTNAME

| ActionArgumentNameID | ActionArgumentNameName | ActionArgumentNameDescription | VocabularyID |
| --- | --- | --- | --- |
| 1 | API | Specifies an argument called API. | 11 |
| 2 | Creation Flags | Specifies an argument called Creation Flags. | 11 |
| 3 | Access Mode | Specifies an argument called Access Mode. | 11 |
| 4 | Share Mode | Specifies an argument called Share Mode. | 11 |
| 5 | Callback Address | Specifies an argument called Callback Address. | 11 |
| 6 | Source Address | Specifies an argument called Source Address. | 11 |
| 7 | Destination Address | Specifies an argument called Destination Address. | 11 |
| 8 | Starting Address | Specifies an argument called Starting Address. | 11 |
| 9 | Size (bytes) | Specifies an argument called Size (bytes). | 11 |
| 10 | Control Parameter | Specifies an argument called Control Parameter. | 11 |
| 11 | Host Name | Specifies an argument called Host Name. | 11 |
| 12 | Function Name | Specifies an argument called Function Name. | 11 |
| 13 | Function Address | Specifies an argument called Function Address. | 11 |
| 14 | Options | Specifies an argument called Options. | 11 |
| 15 | Transfer Flags | Specifies an argument called Transfer Flags. | 11 |
| 16 | Control Code | Specifies an argument called Control Code. | 11 |
| 17 | APC Mode | Specifies an argument called APC Mode. | 11 |
| 18 | APC Address | Specifies an argument called APC Address. | 11 |
| 19 | Base Address | Specifies an argument called Base Address. | 11 |
| 20 | Protection | Specifies an argument called Protection. | 11 |
| 21 | Target PID | Specifies an argument called Target PID. | 11 |
| 22 | Mapping Offset | Specifies an argument called Mapping Offset. | 11 |
| 23 | File Information Class | Specifies an argument called File Information Class. | 11 |
| 24 | Function Ordinal | Specifies an argument called Function Ordinal. | 11 |
| 25 | Hook Type | Specifies an argument called Hook Type. | 11 |
| 26 | Request Size | Specifies an argument called Request Size. | 11 |
| 27 | Service Type | Specifies an argument called Service Type. | 11 |
| 28 | Service State | Specifies an argument called Service State. | 11 |
| 29 | Group Name | Specifies an argument called Group Name. | 11 |
| 30 | Hostname | Specifies an argument called Hostname. | 11 |
| 31 | Shutdown Flag | Specifies an argument called Shutdown Flag. | 11 |
| 32 | Sleep Time (ms) | Specifies an argument called Sleep Time (ms). | 11 |
| 33 | Code Address | Specifies an argument called Code Address. | 11 |
| 34 | Parameter Address | Specifies an argument called Parameter Address. | 11 |
| 35 | Server | Specifies an argument called Server. | 11 |

ACTIONNAME

| ActionNameID | ActionNameName | ActionNameDescription | VocabularyID |
| --- | --- | --- | --- |
| 1 | Accept | Specifies the atomic action of accepting an object or value. | 11 |
| 2 | Accept Socket Connection | Specifies the defined action of accepting a socket connection. | 11 |
| 3 | Add Connection to Network Share | Specifies the defined action of adding a connection to an existing network share. | 11 |
| 4 | Add Network Share | Specifies the defined action of adding a new network share. | 11 |
| 5 | Add System Call Hook | Specifies the defined action of adding a new system call hook. | 11 |
| 6 | Add User | Specifies the defined action of adding a new user. | 11 |
| 7 | Add Windows Hook | Specifies the defined action of adding a new Windows hook. | 11 |
| 8 | Add Scheduled Task | Specifies the defined action of adding a scheduled task. | 11 |
| 9 | Allocate Virtual Memory in Process | Specifies the defined action of allocating virtual memory in a process. | 11 |
| 10 | Bind Address to Socket | Specifies the defined action of binding an address to a socket. | 11 |
| 11 | Change Service Configuration | Specifies the defined action of changing the service configuration. | 11 |
| 12 | Check for Remote Debugger | Specifies the defined action of checking for a remote debugger. | 11 |
| 13 | Close Port | Specifies the defined action of closing a port. | 11 |
| 14 | Close Registry Key | Specifies the defined action of closing a registry key. | 11 |
| 15 | Close Socket | Specifies the defined action of closing a socket. | 11 |
| 16 | Configure Service | Specifies the defined action of configuring a service. | 11 |
| 17 | Connect to IP | Specifies the defined action of connecting to an IP address. | 11 |
| 18 | Connect to Named Pipe | Specifies the defined action of connecting to a named pipe. | 11 |
| 19 | Connect to Network Share | Specifies the defined action of connecting to a network share. | 11 |
| 20 | Connect to Socket | Specifies the defined action of connecting to a socket. | 11 |
| 21 | Connect to URL | Specifies the defined action of connecting to a URL. | 11 |
| 22 | Control Driver | Specifies the defined action of controlling a driver. | 11 |
| 23 | Control Service | Specifies the defined action of controlling a service. | 11 |
| 24 | Copy File | Specifies the defined action of copying a file. | 11 |
| 25 | Create Dialog Box | Specifies the defined action of creating a dialog box. | 11 |
| 26 | Create Directory | Specifies the defined action of creating a new directory. | 11 |
| 27 | Create Event | Specifies the defined action of creating an event. | 11 |
| 28 | Create File | Specifies the defined action of creating a file. | 11 |
| 29 | Create File Alternate Data Stream | Specifies the defined action of creating an alternate data stream in a file. | 11 |
| 30 | Create File Mapping | Specifies the defined action of creating a new file mapping. | 11 |
| 31 | Create File Symbolic Link | Specifies the defined action of creating a file symbolic link. | 11 |
| 32 | Create Hidden File | Specifies the defined action of creating a hidden file. | 11 |
| 33 | Create Mailslot | Specifies the defined action of creating a mailslot. | 11 |
| 34 | Create Module | Specifies the defined action of creating a module. | 11 |
| 35 | Create Mutex | Specifies the defined action of creating a mutex. | 11 |
| 36 | Create Named Pipe | Specifies the defined action of creating a named pipe. | 11 |
| 37 | Create Process | Specifies the defined action of creating a process. | 11 |
| 38 | Create Process as User | Specifies the defined action of creating a process as user. | 11 |
| 39 | Create Registry Key | Specifies the defined action of creating a registry key. | 11 |
| 40 | Create Registry Key Value | Specifies the defined action of creating a registry key value. | 11 |
| 41 | Create Remote Thread in Process | Specifies the defined action of creating a remote thread in a process. | 11 |
| 42 | Create Service | Specifies the defined action of creating a service. | 11 |
| 43 | Create Socket | Specifies the defined action of creating a socket. | 11 |
| 44 | Create Symbolic Link | Specifies the defined action of creating a symbolic link. | 11 |
| 45 | Create Thread | Specifies the defined action of creating a thread. | 11 |
| 46 | Create Window | Specifies the defined action of creating a window. | 11 |
| 47 | Delete Directory | Specifies the defined action of deleting a directory. | 11 |
| 48 | Delete File | Specifies the defined action of deleting a file. | 11 |
| 49 | Delete Named Pipe | Specifies the defined action of deleting a named pipe. | 11 |
| 50 | Delete Network Share | Specifies the defined action of deleting a network share. | 11 |
| 51 | Delete Registry Key | Specifies the defined action of deleting a registry key. | 11 |
| 52 | Delete Registry Key Value | Specifies the defined action of deleting a registry key value. | 11 |
| 53 | Delete Service | Specifies the defined action of deleting a service. | 11 |
| 54 | Delete User | Specifies the defined action of deleting a user. | 11 |
| 55 | Disconnect from Named Pipe | Specifies the defined action of disconnecting from a named pipe. | 11 |
| 56 | Disconnect from Network Share | Specifies the defined action of disconnecting from a network share. | 11 |
| 57 | Disconnect from Socket | Specifies the defined action of disconnecting from a socket. | 11 |
| 58 | Download File | Specifies the defined action of downloading a file. | 11 |
| 59 | Enumerate DLLs | Specifies the defined action of enumerating DLLs. | 11 |
| 60 | Enumerate Network Shares | Specifies the defined action of enumerating network shares. | 11 |
| 61 | Enumerate Protocols | Specifies the defined action of enumerating protocols. | 11 |
| 62 | Enumerate Registry Key Subkeys | Specifies the defined action of enumerating registry key subkeys. | 11 |
| 63 | Enumerate Registry Key Values | Specifies the defined action of enumerating registry key values. | 11 |
| 64 | Enumerate Threads in Process | Specifies the defined action of enumerating threads in a process. | 11 |
| 65 | Enumerate Processes | Specifies the defined action of enumerating processes. | 11 |
| 66 | Enumerate Services | Specifies the defined action of enumerating services. | 11 |
| 67 | Enumerate System Handles | Specifies the defined action of enumerating system handles. | 11 |
| 68 | Enumerate Threads | Specifies the defined action of enumerating threads. | 11 |
| 69 | Enumerate Users | Specifies the defined action of enumerating users. | 11 |
| 70 | Enumerate Windows | Specifies the defined action of enumerating windows. | 11 |
| 71 | Find File | Specifies the defined action of finding a file. | 11 |
| 72 | Find Window | Specifies the defined action of finding a window. | 11 |
| 73 | Flush Process Instruction Cache | Specifies the defined action of flushing the Process Instruction Cache. | 11 |
| 74 | Free Library | Specifies the defined action of freeing a library. | 11 |
| 75 | Free Process Virtual Memory | Specifies the defined action of freeing virtual memory from a process. | 11 |
| 76 | Get Disk Free Space | Specifies the defined action of getting the amount of free space available on a disk. | 11 |
| 77 | Get Disk Type | Specifies the defined action of getting the disk type. | 11 |
| 78 | Get Elapsed System Up Time | Specifies the defined action of getting the elapsed system up-time. | 11 |
| 79 | Get File Attributes | Specifies the defined action of getting file attributes. | 11 |
| 80 | Get Function Address | Specifies the defined action of getting the function address. | 11 |
| 81 | Get System Global Flags | Specifies the defined action of getting the system global flags. | 11 |
| 82 | Get Host By Address | Specifies the defined action of getting host by address. | 11 |
| 83 | Get Host By Name | Specifies the defined action of getting host by name. | 11 |
| 84 | Get Host Name | Specifies the defined action of getting the host name. | 11 |
| 85 | Get Library File Name | Specifies the defined action of getting the library file name. | 11 |
| 86 | Get Library Handle | Specifies the defined action of getting the library handle. | 11 |
| 87 | Get NetBIOS Name | Specifies the defined action of getting the NetBIOS name. | 11 |
| 88 | Get Process Current Directory | Specifies the defined action of getting the process's current directory. | 11 |
| 89 | Get Process Environment Variable | Specifies the defined action of getting the process environment variable. | 11 |
| 90 | Get Process Startup Information | Specifies the defined action of getting the process startup information. | 11 |
| 91 | Get Processes Snapshot | Specifies the defined action of getting the processes snapshot. | 11 |
| 92 | Get Registry Key Attributes | Specifies the defined action of getting the attributes of a registry key. | 11 |
| 93 | Get Service Status | Specifies the defined action of getting the service status. | 11 |
| 94 | Get System Local Time | Specifies the defined action of getting the local time on a system. | 11 |
| 95 | Get System Host Name | Specifies the defined action of getting the system host name. | 11 |
| 96 | Get System NetBIOS Name | Specifies the defined action of getting the NetBIOS name of a system. | 11 |
| 97 | Get System Network Parameters | Specifies the defined action of getting the system network parameters. | 11 |
| 98 | Get System Time | Specifies the defined action of getting the system time. | 11 |
| 99 | Get Thread Context | Specifies the defined action of getting the thread context. | 11 |
| 100 | Get Thread Username | Specifies the defined action of getting the thread username. | 11 |
| 101 | Get User Attributes | Specifies the defined action of getting the attributes of a user. | 11 |
| 102 | Get Username | Specifies the defined action of getting a username. | 11 |
| 103 | Get Windows Directory | Specifies the defined action of getting a windows directory. | 11 |
| 104 | Get Windows System Directory | Specifies the defined action of getting a windows System directory. | 11 |
| 105 | Get Windows Temporary Files Directory | Specifies the defined action of getting the Windows Temporary Files Directory. | 11 |
| 106 | Hide Window | Specifies the defined action of hiding a window. | 11 |
| 107 | Impersonate Process | Specifies the defined action of impersonating a process. | 11 |
| 108 | Impersonate Thread | Specifies the defined action of impersonating a thread. | 11 |
| 109 | Inject Memory Page | Specifies the defined action of injecting a memory page into a process. | 11 |
| 110 | Kill Process | Specifies the defined action of killing a process. | 11 |
| 111 | Kill Thread | Specifies the defined action of killing a thread. | 11 |
| 112 | Kill Window | Specifies the defined action of killing a window. | 11 |
| 113 | Listen on Port | Specifies the defined action of listening on a specific port. | 11 |
| 114 | Listen on Socket | Specifies the defined action of listening on a socket. | 11 |
| 115 | Load and Call Driver | Specifies the defined action of loading and calling a driver. | 11 |
| 116 | Load Driver | Specifies the defined action of loading a driver. | 11 |
| 117 | Load Library | Specifies the defined action of loading a library. | 11 |
| 118 | Load Module | Specifies the defined action of loading a module. | 11 |
| 119 | Lock File | Specifies the defined action of locking a file. | 11 |
| 120 | Logon as User | Specifies the defined action of logging on as a user. | 11 |
| 121 | Map File | Specifies the defined action of mapping a file. | 11 |
| 122 | Map Library | Specifies the defined action of mapping a library. | 11 |
| 123 | Map View of File | Specifies the defined action of mapping a view of a file. | 11 |
| 124 | Modify File | Specifies the defined action of modifying a file. | 11 |
| 125 | Modify Named Pipe | Specifies the defined action of modifying a named pipe. | 11 |
| 126 | Modify Process | Specifies the defined action of modifying a process. | 11 |
| 127 | Modify Service | Specifies the defined action of modifying a service. | 11 |
| 128 | Modify Registry Key | Specifies the defined action of modifying a registry key. | 11 |
| 129 | Modify Registry Key Value | Specifies the defined action of modifying a registry key value. | 11 |
| 130 | Monitor Registry Key | Specifies the defined action of monitoring a registry key. | 11 |
| 131 | Move File | Specifies the defined action of moving a file. | 11 |
| 132 | Open File | Specifies the defined action of opening a file. | 11 |
| 133 | Open File Mapping | Specifies the defined action of opening a file mapping. | 11 |
| 134 | Open Mutex | Specifies the defined action of opening a mutex. | 11 |
| 135 | Open Port | Specifies the defined action of opening a port. | 11 |
| 136 | Open Process | Specifies the defined action of opening a process. | 11 |
| 137 | Open Registry Key | Specifies the defined action of opening a registry key. | 11 |
| 138 | Open Service | Specifies the defined action of opening a service. | 11 |
| 139 | Open Service Control Manager | Specifies the defined action of opening a service control manager. | 11 |
| 140 | Protect Virtual Memory | Specifies the defined action of protecting virtual memory. | 11 |
| 141 | Query Disk Attributes | Specifies the defined action of querying disk attributes. | 11 |
| 142 | Query DNS | Specifies the defined action of querying DNS. | 11 |
| 143 | Query Process Virtual Memory | Specifies the defined action of querying process virtual memory. | 11 |
| 144 | Queue APC in Thread | Specifies the defined action of querying the Asynchronized Procedure Call (APC) in the context of a thread. | 11 |
| 145 | Read File | Specifies the defined action of reading a file. | 11 |
| 146 | Read From Named Pipe | Specifies the defined action of reading from a named pipe. | 11 |
| 147 | Read From Process Memory | Specifies the defined action of reading from process memory. | 11 |
| 148 | Read Registry Key Value | Specifies the defined action of reading a registry key value. | 11 |
| 149 | Receive Data on Socket | Specifies the defined action of receiving data on a socket. | 11 |
| 150 | Release Mutex | Specifies the defined action of releasing a mutex. | 11 |
| 151 | Rename File | Specifies the defined action of renaming a file. | 11 |
| 152 | Revert Thread to Self | Specifies the defined action of reverting a thread to its self. | 11 |
| 153 | Send Control Code to File | Specifies the defined action of sending a control code to a file. | 11 |
| 154 | Send Control Code to Pipe | Specifies the defined action of sending a control code to a pipe. | 11 |
| 155 | Send Control Code to Service | Specifies the defined action of sending control code to a service. | 11 |
| 156 | Send Data on Socket | Specifies the defined action of sending data on a socket. | 11 |
| 157 | Send Data to Address on Socket | Specifies the defined action of sending data to the address on a socket. | 11 |
| 158 | Send DNS Query | Specifies the defined action of sending a DNS query. | 11 |
| 159 | Send Email Message | Specifies the defined action of sending an email message. | 11 |
| 160 | Send ICMP Request | Specifies the defined action of sending an ICMP request. | 11 |
| 161 | Send Reverse DNS Query | Specifies the defined action of sending a reverse DNS query. | 11 |
| 162 | Set File Attributes | Specifies the defined action of setting file attributes. | 11 |
| 163 | Set NetBIOS Name | Specifies the defined action of setting the NetBIOS name. | 11 |
| 164 | Set Process Current Directory | Specifies the defined action of setting the process current directory. | 11 |
| 165 | Set Process Environment Variable | Specifies the defined action of setting the process environment variable. | 11 |
| 166 | Set System Global Flags | Specifies the defined action of setting system global flags. | 11 |
| 167 | Set System Host Name | Specifies the defined action of setting the system host name. | 11 |
| 168 | Set System Time | Specifies the defined action of setting the system time. | 11 |
| 169 | Set Thread Context | Specifies the defined action of setting the thread context. | 11 |
| 170 | Show Window | Specifies the defined action of showing a window. | 11 |
| 171 | Shutdown System | Specifies the defined action of shutting down a system. | 11 |
| 172 | Sleep Process | Specifies the defined action of sleeping a process. | 11 |
| 173 | Sleep System | Specifies the defined action of sleeping a system. | 11 |
| 174 | Start Service | Specifies the defined action of starting a service. | 11 |
| 175 | Unload Driver | Specifies the defined action of unloading a driver. | 11 |
| 176 | Unlock File | Specifies the defined action of unlocking a file. | 11 |
| 177 | Unmap File | Specifies the defined action of unmapping a file. | 11 |
| 178 | Unload Module | Specifies the defined action of unloading a module. | 11 |
| 179 | Upload File | Specifies the defined action of uploading a file. | 11 |
| 180 | Write to File | Specifies the defined action of writing to a file. | 11 |
| 181 | Write to Process Virtual Memory | Specifies the defined action of writing to process virtual memory. | 11 |

ACTIONOBJECTASSOCIATIONTYPE

| ActionObjectAssociationTypeID | ActionObjectAssociationTypeName | ActionObjectAssociationTypeDescription | VocabularyID |
| --- | --- | --- | --- |
| 1 | Initiating | Specifies that the associated object initiated the action. | 11 |
| 2 | Affected | Specifies that the associated object was affected by the action. | 11 |
| 3 | Utilized | Specifies that the associated object was utilized by the action. | 11 |
| 4 | Returned | Specifies that the associated object was the result of the action. | 11 |

ACTIONRELATIONSHIPTYPE

| ActionRelationshipTypeID | ActionRelationshipTypeName | ActionRelationshipTypeDescription | VocabularyID |
| --- | --- | --- | --- |
| 1 | Preceded_By | Specifies that this action is preceded by the related action. | 11 |
| 2 | Followed_By | Specifies that this action is followed by the related action. | 11 |
| 3 | Equivalent_To | Specifies that this entity (e.g. Action) is equivalent to the associated entity. | 11 |
| 4 | Related_To | Specifies that this action is simply related to the related action in some way. | 11 |
| 5 | Dependent_On | Specifies that this action is dependent on the related action. | 11 |
| 6 | Initiated_By | Specifies that this action was initiated by the related action. | 11 |
| 7 | Initiated | Specifies that this action initiated the related action. | 11 |

ACTIONTYPE

| ActionTypeID | ActionTypeName | ActionTypeDescription | VocabularyID |
| --- | --- | --- | --- |
| 1 | Accept | Specifies the atomic action of accepting an object or value. | 11 |
| 2 | Access | Specifies the atomic action of accessing an object. | 11 |
| 3 | Add | Specifies the atomic action of adding an object. | 11 |
| 4 | Alert | Specifies the atomic action of issuing an alert. | 11 |
| 5 | Allocate | Specifies the atomic action of allocating an object. | 11 |
| 6 | Archive | Specifies the atomic action of archiving an object or data. | 11 |
| 7 | Assign | Specifies the atomic action of assigning a value to an object. | 11 |
| 8 | Audit | Specifies the atomic action of auditing an object or data. | 11 |
| 9 | Backup | Specifies the atomic action of backing up an object or data. | 11 |
| 10 | Bind | Specifies the atomic action of binding two objects. | 11 |
| 11 | Block | Specifies the atomic action of blocking access to an object or resource. | 11 |
| 12 | Call | Specifies the atomic action of calling an object or resource. | 11 |
| 13 | Change | Specifies the atomic action of changing an object. | 11 |
| 14 | Check | Specifies the atomic action of checking an object. | 11 |
| 15 | Clean | Specifies the atomic action of cleaning an object, such as a file system. | 11 |
| 16 | Click | Specifies the atomic action of clicking an object, as with a mouse. | 11 |
| 17 | Close | Specifies the atomic action of closing an object, such as a window handle. | 11 |
| 18 | Compare | Specifies the atomic action of comparing two objects. | 11 |
| 19 | Compress | Specifies the atomic action of compressing an object. | 11 |
| 20 | Configure | Specifies the atomic action of configuring a resource. | 11 |
| 21 | Connect | Specifies the atomic action of connecting to an object, such as a service or resource. | 11 |
| 22 | Control | Specifies the atomic action of controlling an object or data. | 11 |
| 23 | Copy/Duplicate | Specifies the atomic action of copying or duplicating an object or data EXCEPT in cases where the object is considered a thread or process as a whole. | 11 |
| 24 | Create | Specifies the atomic action of creating an object or data. | 11 |
| 25 | Decode | Specifies the atomic action of decoding an object or data. | 11 |
| 26 | Decompress | Specifies the atomic action of decompressing an object, such as an archive. | 11 |
| 27 | Decrypt | Specifies the atomic action of decrypting an object. | 11 |
| 28 | Deny | Specifies the atomic action of denying access to an object or resource. | 11 |
| 29 | Depress | Specifies the atomic action of depressing an object that has been pressed, such as a button. | 11 |
| 30 | Detect | Specifies the atomic action of detecting an object. | 11 |
| 31 | Disconnect | Specifies the atomic action of disconnecting from a service or resource. | 11 |
| 32 | Download | Specifies the atomic action of downloading an object or data. | 11 |
| 33 | Draw | Specifies the atomic action of drawing an object. | 11 |
| 34 | Drop | Specifies the atomic action of dropping an object, such as a connection. | 11 |
| 35 | Encode | Specifies the atomic action of encoding an object or data. | 11 |
| 36 | Encrypt | Specifies the atomic action of encrypting an object or data. | 11 |
| 37 | Enumerate | Specifies the atomic action of enumerating a list of objects. | 11 |
| 38 | Execute | Specifies the atomic action of executing an object, such as an executable file. | 11 |
| 39 | Extract | Specifies the atomic action of extracting an object. | 11 |
| 40 | Filter | Specifies the atomic action of filtering an object or data. | 11 |
| 41 | Find | Specifies the atomic action of finding an object or data. | 11 |
| 42 | Flush | Specifies the atomic action of flushing an object or data, such as a cache. | 11 |
| 43 | Fork | Specifies the atomic action of forking, as with a process. Because this is usually associated with processes and threads and does not generalize to objects, it is DIFFERENT from Copy/Duplicate. | 11 |
| 44 | Free | Specifies the atomic action of freeing an object. | 11 |
| 45 | Get | Specifies the atomic action of getting a value from an object. | 11 |
| 46 | Hook | Specifies the atomic action of hooking an object to another object. | 11 |
| 47 | Hide | Specifies the atomic action of hiding an object. | 11 |
| 48 | Impersonate | Specifies the atomic action of impersonation, in which an object performs actions that assume the character or appearance of another object. | 11 |
| 49 | Initialize | Specifies the atomic action of initializing an object. | 11 |
| 50 | Inject | Specifies the atomic action of injecting an object. | 11 |
| 51 | Install | Specifies the atomic action of installing an object, such as an application, program, patch, or other resource. | 11 |
| 52 | Interleave | Specifies the atomic action of interleaving an object, i.e. the action of arranging data in a non-contiguous way to increase performance. | 11 |
| 53 | Join | Specifies the atomic action of joining one object to another object. | 11 |
| 54 | Kill | Specifies the atomic action of killing an object, as with a thread or program. | 11 |
| 55 | Listen | Specifies the atomic action of listening to an object, such as to a port on a network connection. | 11 |
| 56 | Load | Specifies the atomic action of loading an object. | 11 |
| 57 | Lock | Specifies the atomic action of locking an object. | 11 |
| 58 | Login/Logon | Specifies the atomic action of logging into an object, such as into a system or application. | 11 |
| 59 | Logout/Logoff | Specifies the atomic action of logging out of an object, such as a system or application. | 11 |
| 60 | Map | Specifies the atomic action of mapping an object to another object or data. | 11 |
| 61 | Merge | Specifies the atomic action of merging one object to another object. | 11 |
| 62 | Modify | Specifies the atomic action of modifying an object. | 11 |
| 63 | Monitor | Specifies the atomic action of monitoring the state of an object. | 11 |
| 64 | Move | Specifies the atomic action of moving an object. | 11 |
| 65 | Open | Specifies the atomic action of opening an object. | 11 |
| 66 | Pack | Specifies the atomic action of packing an object. | 11 |
| 67 | Pause | Specifies the atomic action of pausing an object, such as a thread or process. | 11 |
| 68 | Press | Specifies the atomic action of pressing an object, such as a button. | 11 |
| 69 | Protect | Specifies the atomic action of protecting an object. | 11 |
| 70 | Quarantine | Specifies the atomic action of placing an object in quarantine, that is, to store the object in an isolated area away from other objects it can operate on. | 11 |
| 71 | Query | Specifies the atomic action of querying an object. | 11 |
| 72 | Queue | Specifies the atomic action of queueing an object. | 11 |
| 73 | Raise | Specifies the atomic action of raising an object. | 11 |
| 74 | Read | Specifies the atomic action of reading an object. | 11 |
| 75 | Receive | Specifies the atomic action of receiving an object. | 11 |
| 76 | Release | Specifies the atomic action of releasing an object. | 11 |
| 77 | Rename | Specifies the atomic action of renaming an object. | 11 |
| 78 | Remove/Delete | Specifies the atomic action of removing or deleting an object. | 11 |
| 79 | Replicate | Specifies the atomic action of replicating an object. | 11 |
| 80 | Restore | Specifies the atomic action of restoring an object. | 11 |
| 81 | Resume | Specifies the atomic action of resuming an object, as with a process or thread. | 11 |
| 82 | Revert | Specifies the atomic action of reverting an object. | 11 |
| 83 | Run | Specifies the atomic action of running an object, such as an application. | 11 |
| 84 | Save | Specifies the atomic action of saving an object. | 11 |
| 85 | Scan | Specifies the atomic action of scanning for an object or data. | 11 |
| 86 | Schedule | Specifies the atomic action of scheduling an object, such as an event. | 11 |
| 87 | Search | Specifies the atomic action of searching for an object. | 11 |
| 88 | Send | Specifies the atomic action of sending an object. | 11 |
| 89 | Set | Specifies the atomic action of setting an object to a value. | 11 |
| 90 | Shutdown | Specifies the atomic action of shutting down an object. | 11 |
| 91 | Sleep | Specifies the atomic action of putting an object to sleep. | 11 |
| 92 | Snapshot | Specifies the atomic action of taking a snapshot of an object. | 11 |
| 93 | Start | Specifies the atomic action of starting an object, such as a thread or process. | 11 |
| 94 | Stop | Specifies the atomic action of stopping an object, such as a thread or process. | 11 |
| 95 | Suspend | Specifies the atomic action of suspending an object, such as an account or privileges for an account. | 11 |
| 96 | Synchronize | Specifies the atomic action of synchronizing an object. | 11 |
| 97 | Throw | Specifies the atomic action of throwing an object, such as an exception in a programming language. | 11 |
| 98 | Transmit | Specifies the atomic action of transmitting an object. | 11 |
| 99 | Unblock | Specifies the atomic action of unblocking an object. | 11 |
| 100 | Unhide | Specifies the atomic action of unhiding an object. | 11 |
| 101 | Unhook | Specifies the atomic action of unhooking an object from another object, that is, to detach. | 11 |
| 102 | Uninstall | Specifies the atomic action of uninstalling an object. | 11 |
| 103 | Unload | Specifies the atomic action of unloading an object. | 11 |
| 104 | Unlock | Specifies the atomic action of unlocking an object. | 11 |
| 105 | Unmap | Specifies the atomic action of unmapping an object from another object or data. | 11 |
| 106 | Unpack | Specifies the atomic action of unpacking an object, such as an archive. | 11 |
| 107 | Update | Specifies the atomic action of updating an object. | 11 |
| 108 | Upgrade | Specifies the atomic action of upgrading an object. | 11 |
| 109 | Upload | Specifies the atomic action of uploading an object. | 11 |
| 110 | Wipe/Destroy/Purge | Specifies the atomic action of wiping, destroying, or purging an object. | 11 |
| 111 | Write | Specifies the atomic action of writing an object. | 11 |

ARTIFACTTYPE

| ArtifactTypeID | ArtifactTypeName | ArtifactTypeDescription | VocabularyID |
|---|---|---|---|
| 1 | File | The File value specifies that the artifact is a file. | 11 |
| 2 | Memory Region | The Memory Region value specifies that the artifact is a block of data from a region of memory. | 11 |
| 3 | File System Fragment | The File System Fragment value specifies that the artifact is a block of data from a file system. | 11 |
| 4 | Network Traffic | The Network Traffic value specifies that the artifact is a block of network traffic data such as PCAP. | 11 |
| 5 | Generic Data Region | The Generic Data Region value specifies that the artifact is a block of data from an unknown source. | 11 |

ASSETLOCATION

| AssetLocationID | AssetLocationType | AssetLocationDescription | VocabularyID |
|---|---|---|---|
| 1 | Internally-Located | The asset is located internally. | 1 |
| 2 | Externally-Located | The asset is located externally. | 1 |
| 3 | Co-Located | The asset is co-located. | 1 |
| 4 | Mobile | The asset is mobile. | 1 |
| 5 | Unknown | The asset location is unknown. | 1 |

ASSETVARIETY

| AssetVarietyID | AssetVarietyName | AssetVarietyDescription | VocabularyID |
|---|---|---|---|
| 1 | S - Authentication | NULL | 2 |
| 2 | S - Backup | NULL | 2 |
| 3 | S - Database | NULL | 2 |
| 4 | S - DHCP | NULL | 2 |
| 5 | S - Directory | NULL | 2 |
| 6 | S - DCS | NULL | 2 |
| 7 | S - DNS | NULL | 2 |
| 8 | S - File | NULL | 2 |
| 9 | S - Log | NULL | 2 |
| 10 | S - Mail | NULL | 2 |
| 11 | S - Mainframe | NULL | 2 |
| 12 | S - Payment switch | NULL | 2 |
| 13 | S - POS controller | NULL | 2 |
| 14 | S - Print | NULL | 2 |
| 15 | S - Proxy | NULL | 2 |
| 16 | S - Remote access | NULL | 2 |
| 17 | S - SCADA | NULL | 2 |
| 18 | S - Web application | NULL | 2 |
| 19 | S - VM host | NULL | 2 |
| 20 | S - Other server | NULL | 2 |
| 21 | S - Other | NULL | 2 |
| 22 | N - Access reader | NULL | 2 |
| 23 | N - Camera | NULL | 2 |
| 24 | N - Firewall | NULL | 2 |
| 25 | N - HSM | NULL | 2 |
| 26 | N - IDS | NULL | 2 |
| 27 | N - Broadband | NULL | 2 |
| 28 | N - PBX | NULL | 2 |
| 29 | N - Private WAN | NULL | 2 |
| 30 | N - PLC | NULL | 2 |
| 31 | N - Public WAN | NULL | 2 |
| 32 | N - RTU | NULL | 2 |
| 33 | N - Router or switch | NULL | 2 |
| 34 | N - SAN | NULL | 2 |
| 35 | N - Telephone | NULL | 2 |
| 36 | N - VoIP adapter | NULL | 2 |
| 37 | N - LAN | NULL | 2 |
| 38 | N - WLAN | NULL | 2 |
| 39 | N - Other | NULL | 2 |
| 40 | U - Auth token | NULL | 2 |
| 41 | U - ATM | NULL | 2 |
| 42 | U - Desktop | NULL | 2 |
| 43 | U - PED pad | NULL | 2 |
| 44 | U - Gas terminal | NULL | 2 |
| 45 | U - Laptop | NULL | 2 |
| 46 | U - Media | NULL | 2 |
| 47 | U - Mobile phone | NULL | 2 |
| 48 | U - Peripheral | NULL | 2 |
| 49 | U - POS terminal | NULL | 2 |
| 50 | U - Kiosk | NULL | 2 |
| 51 | U - Tablet | NULL | 2 |
| 52 | U - Telephone | NULL | 2 |
| 53 | U - VoIP phone | NULL | 2 |
| 54 | U - Other | NULL | 2 |
| 55 | M - Tapes | NULL | 2 |
| 56 | M - Disk media | NULL | 2 |
| 57 | M - Documents | NULL | 2 |
| 58 | M - Flash drive | NULL | 2 |
| 59 | M - Disk drive | NULL | 2 |
| 60 | M - Smart card | NULL | 2 |
| 61 | M - Payment card | NULL | 2 |
| 62 | M - Other | NULL | 2 |
| 63 | P - System admin | NULL | 2 |
| 64 | P - Auditor | NULL | 2 |
| 65 | P - Call center | NULL | 2 |
| 66 | P - Cashier | NULL | 2 |
| 67 | P - Customer | NULL | 2 |
| 68 | P - Developer | NULL | 2 |
| 69 | P - End-user | NULL | 2 |
| 70 | P - Executive | NULL | 2 |
| 71 | P - Finance | NULL | 2 |
| 72 | P - Former employee | NULL | 2 |
| 73 | P - Guard | NULL | 2 |
| 74 | P - Helpdesk | NULL | 2 |
| 75 | P - Human resources | NULL | 2 |
| 76 | P - Maintenance | NULL | 2 |
| 77 | P - Manager | NULL | 2 |
| 78 | P - Partner | NULL | 2 |
| 79 | P - Other | NULL | 2 |

ASSETMANAGEMENT

| AssetManagementID | ManagementType | ManagementDescription | VocabularyID |
|---|---|---|---|
| 1 | Internally-Managed | The asset is managed internally. | 1 |
| 2 | Externally-Management | The asset is managed externally. | 1 |
| 3 | Co-Management | The asset is co-managed. | 1 |
| 4 | Unknown | The asset management class is unknown. | 1 |

ATTACKCONSEQUENCESCOPE

| AttackConsequenceScopeID | ConsequenceScope | VocabularyID |
|---|---|---|
| 1 | Confidentiality | 4 |
| 2 | Access_Control | 4 |
| 3 | Authorization | 4 |
| 4 | Availability | 4 |
| 5 | Integrity | 4 |
| 6 | Accountability | 4 |
| 7 | Authentication | 4 |
| 8 | Non-Repudiation | 4 |

ATTACKPATTERNAttackPatternIDcapec_idAttackPatternNameAttackPatternDescriptionAttackPatternDescriptionRawPatternAbstractionPatternCompletenessPatternStatusTypicalSeverity1CAPEC-1Accessing Functionality Not Properly Constrained by ACLsIn applications, particularly web applications, access to functionality is mitigated by the authorization framework, whose job it is to map ACLs to elements of the application's functionality; particularly URL's for web apps. In the case that the application deployer failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application or can run queries for data that he is otherwise not supposed to.NULLStandardCompleteDraftHigh2CAPEC-10Buffer Overflow via Environment VariablesThis attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.NULLDetailedCompleteDraftHigh3CAPEC-100Overflow BuffersBuffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attacker's choice.NULLStandardCompleteDraftVery High4CAPEC-101Server Side Include (SSI) InjectionAn attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. 
Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.NULLStandardCompleteDraftHigh5CAPEC-102Session SidejackingSession sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim.NULLStandardCompleteDraftHigh6CAPEC-103ClickjackingIn a clickjacking attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system. While being logged in to some target system, the victim visits the attacker's malicious site which displays a UI that the victim wishes to interact with. In reality, the clickjacked page has a transparent layer above the visible UI with action controls that the attacker wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the attacker may have just tricked the victim into executing some potentially privileged (and most certainly undesired) functionality in the target system to which the victim is authenticated. 
The basic problem here is that there is a dichotomy between what the victim thinks he's clicking on versus what he or she is actually clicking on.NULLStandardCompleteDraftHigh7CAPEC-104Cross Zone ScriptingAn attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attacker's content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. 
This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.NULLStandardCompleteDraftHigh8CAPEC-105HTTP Request SplittingHTTP Request Splitting (also known as HTTP Request Smuggling) is an attack pattern where an attacker attempts to insert additional HTTP requests in the body of the original (enveloping) HTTP request in such a way that the browser interprets it as one request but the web server interprets it as two.NULLStandardCompleteDraftHigh9CAPEC-106Cross Site Scripting through Log FilesAn attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attacker's scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.NULLStandardCompleteDraftHigh10CAPEC-107Cross Site TracingCross Site Tracing (XST) enables an attacker to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to destination system's web server. The attacker first gets a malicious script to run in the victim's browser that induces the browser to initiate an HTTP TRACE request to the web server. If the destination web server allows HTTP TRACE requests, it will proceed to return a response to the victim's web browser that contains the original HTTP request in its body. 
The function of HTTP TRACE, as defined by the HTTP specification, is to echo the request that the web server receives from the client back to the client. Since the HTTP header of the original request had the victim's session cookie in it, that session cookie can now be picked off the HTTP TRACE response and sent to the attacker's malicious site. XST becomes relevant when direct access to the session cookie via the "document.cookie" object is disabled with the use of httpOnly attribute which ensures that the cookie can be transmitted in HTTP requests but cannot be accessed in other ways. Using SSL does not protect against XST.NULLStandardCompleteDraftVery High11CAPEC-108Command Line Execution through SQL InjectionAn attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.NULLStandardCompleteDraftVery High12CAPEC-109Object Relational Mapping InjectionAn attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject his or her own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). 
While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.NULLStandardCompleteDraftHigh13CAPEC-11Cause Web Server MisclassificationAn attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process.NULLStandardCompleteDraftHigh14CAPEC-110SQL Injection through SOAP Parameter TamperingAn attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. 
This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.NULLStandardCompleteDraftVery High15CAPEC-111JSON Hijacking (aka JavaScript Hijacking)An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.NULLDetailedCompleteDraftHigh16CAPEC-112Brute ForceIn this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset. Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions.NULLStandardCompleteDraftHigh17CAPEC-113API Abuse/MisuseAn attacker manipulates the processing of Application Programming Interface (API) resulting in the API's function having an adverse impact upon the security of the system or application implementing the API. This can allow the attacker to execute functionality not intended by the API implementation, possibly compromising the system or application which integrates the API. API Abuse can take on a number of forms. For example, the API may trust that the calling function properly validates its data and thus it may be manipulated by supplying metacharacters or alternate encodings as input, resulting in any number of injection flaws, including SQL injection, cross-site scripting, or command execution. 
Another example could be API methods that should be disabled in a production application but were not, thus exposing dangerous functionality within a production environment.NULLStandardStubDraftMedium18CAPEC-114Authentication AbuseAn attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.NULLStandardStubDraftMedium19CAPEC-115Authentication BypassAn attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place. This refers to an attacker gaining access equivalent to an authenticated user without ever going through an authentication procedure. This is usually the result of the attacker using an unexpected access procedure that does not go through the proper checkpoints where authentication should occur. 
For example, a web site might assume that all users will click through a given link in order to get to secure material and simply authenticate everyone that clicks the link. However, an attacker might be able to reach secured web content by explicitly entering the path to the content rather than clicking through the authentication link, thereby avoiding the check entirely. This attack pattern differs from other uthentication attacks in that attacks of this pattern avoid authentication entirely, rather than faking authentication by exploiting flaws or by stealing credentials from legitimate users.NULLStandardStubDraftMedium20CAPEC-116Data Excavation AttacksAn attacker probes the target in a manner that is designed to solicit information relevant to system security. This is achieved by sending data that is syntactically invalid or non-standard relative to a given service, protocol, or expected-input, or by exploring the target via ordinary interactions for the purpose of gathering intelligence about the target. As a result the attacker is able to obtain information from the target that aids the attacker in making inferences about its security, configuration, or potential vulnerabilities. Some exchanges witht the target may trigger unhandled exceptions or verbose error messages. When this happens error messages may reveal information like stack traces, configuration information, path information, or database messages. This type of attack also includes manipulation of query strings in a URI, such as by attemtping to produce invalid SQL queries or by trying alternative path values, in the hope that the server will return useful information. 
This attack differs from Data Interception and other data collection attacks in that the attacker actively queries the target rather than simply watching for the target to reveal information.NULLStandardStubDraftMedium21CAPEC-117Data Interception AttacksAn attacker monitors data streams to or from a target in order to gather information. This attack may be undertaken to gather information to support a later attack or the data collected may be the end goal of the attack. This attack usually involves sniffing network traffic, but may include observing other types of data streams, such as radio. In most varieties of this attack, the attacker is passive and simply observes regular communication, however in some variants the attacker may attempt to initiate the establishment of a data stream or influence the nature of the data transmitted. However, in all variants of this attack, and distinguishing this attack from other data collection methods, the attacker is not the intended recipient of the data stream. Unlike some other data leakage attacks, the attacker is observing explicit data channels (e.g. network traffic) and reading the content. This differs from attacks that collect more qualitative information, such as communication volume, or other information not explicitly communicated via a data stream.NULLStandardStubDraftMedium22CAPEC-12Choosing a Message/Channel Identifier on a Public/Multicast ChannelAttackers aware that more data is being fed into a multicast or public information distribution means can 'select' information bound only for another client, even if the distribution means itself forces users to authenticate in order to connect initally.NULLStandardCompleteDraftHigh23CAPEC-120Double EncodingThe attacker utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. 
The may allow the attacker to bypass filters that attempt to detect illegal characters or strings, such as might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.NULLStandardStubDraftMedium24CAPEC-121Locate and Exploit Test APIsAn attacker exploits a sample, demonstration, or test API that is insecure by default and should not be resident on production systems. Some applications include APIs that are intended to allow an administrator to test and refine their domain. These APIs should usually be disabled once a system enters a production environment. Testing APIs may expose a great deal of diagnostic information intended to aid an administrator, but which can also be used by an attacker to further refine their attack. Moreover, testing APIs may not have adequate security controls or may not have undergone rigorous testing since they were not intended for use in production environments. As such, they may have many flaws and vulnerabilities that would allow an attacker to severely disrupt a target.NULLStandardStubDraftHigh25CAPEC-122Exploitation of AuthorizationAn attacker is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources. 
If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An attacker may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts. This attack differs from privilege escalation and other privilege stealing attacks in that the attacker never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the attacker does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level.NULLStandardStubDraftMedium26CAPEC-123Buffer AttacksAn attacker manipulates a data buffer to change the execution flow of a process to a sequence of events the attacker controls. Data buffers in software applications provide a storage-space for external input. Buffer attacks provide input the buffer cannot correctly handle. Buffer attacks are distinguished in that it is the buffer space itself that is the target of the attack rather than any code responsible for interpreting the content of the buffer. In virtually all buffer attacks the content that is placed in the buffer by the user is immaterial. Instead, most buffer attacks involve providing more input than the buffer can store, resulting in the overwriting of other program memory or even the program stack with user supplied input.NULLStandardStubDraftMedium27CAPEC-124Attack through Shared DataAn attacker exploits a data structure shared between multiple applications or an application pool to affect application behavior. Data may be shared between multiple applications or between multiple threads of a single application. Data sharing is usually accomplished through mutual access to a single memory location. 
If an attacker can manipulate this shared data (usually by co-opting one of the applications or threads) the other applications or threads using the shared data will often continue to trust the validity of the compromised shared data and use it in their calculations. This can result in invalid trust assumptions, corruption of additional data through the normal operations of the other users of the shared data, or even cause a crash or compromise of the sharing applications.NULLStandardStubDraftMedium28CAPEC-125Resource Depletion through FloodingAn attacker consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow control in management of interactions. Since each request consumes some of the target's resources, if a sufficiently large number of requests must be processed at the same time then the target's resources can be exhausted.NULLStandardStubDraftMedium29CAPEC-127Directory IndexingAn attacker crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An attacker can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.NULLStandardCompleteDraftMedium30CAPEC-128Integer AttacksAn attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. 
For example, adding one to the largest positive integer in a signed integer variable results in a negative number. Negative numbers may be illegal in an application and the application may prevent an attacker from providing them directly, but the application may not consider that adding two positive numbers can create a negative number do to the structure of integer storage formats.NULLStandardStubDraftMedium31CAPEC-129Pointer AttackThis attack involves an attacker manipulating a pointer within a target application resulting in the application accessing an unintended memory location. This can result in the crashing of the application or, for certain pointer values, access to data that would not normally be possible or the execution of arbitrary code. Since pointers are simply integer variables, Integer Attacks may often be used in Pointer Attacks.NULLStandardStubDraftMedium32CAPEC-13Subverting Environment Variable ValuesThe attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.NULLStandardCompleteDraftVery High33CAPEC-130Resource Depletion through AllocationAn attacker causes the target to allocate excessive resources to servicing the attacker's request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). 
Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request. For example, using an Integer Attack, the attacker could cause a variable that controls allocation for a request to hold an excessively large value. Excessive allocation of resources can render a service degraded or unavailable to legitimate users and can even lead to crashing of the target.NULLStandardStubDraftMedium34CAPEC-131Resource Depletion through LeakAn attacker utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests. Resource leaks most often come in the form of memory leaks where memory is allocated but never released after it has served its purpose, however, theoretically, any other resource that can be reserved can be targeted if the target fails to release the reservation when the reserved resource block is no longer needed. In this attack, the attacker determines what activity results in leaked resources and then triggers that activity on the target. Since some leaks may be small, this may require a large number of requests by the attacker. However, this attack differs from a flooding attack in that the rate of requests is generally not significant. This is because the lost resources due to the leak accumulate until the target is reset, usually by restarting it. Thus, a resource-poor attacker who would be unable to flood the target can still utilize this attack.NULLStandardStubDraftMedium35CAPEC-132Symlink AttackAn attacker positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name. The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. 
Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications. In some variants of this attack the attacker may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the attacker may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the attacker to control the actions of the target or to cause the target to expose information to the attacker. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the attacker would normally have.NULLStandardCompleteDraftHigh36CAPEC-133Try All Common Application Switches and OptionsAn attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target. For example, in some applications, adding a --debug switch causes debugging information to be displayed, which can sometimes reveal sensitive processing or configuration information to an attacker. This attack differs from other forms of API abuse in that the attacker is blindly attempting to invoke options in the hope that one of them will work rather than specifically targeting a known option. 
Nonetheless, even if the attacker is familiar with the published options of a targeted application this attack method may still be fruitful as it might discover unpublicized functionality.NULLStandardStubDraftMedium37CAPEC-134Email InjectionAn attacker manipulates the headers and content of an email message by injecting data via the use of delimeter characters native to the protocol. Many applications allow users to send email messages by filling in fields. For example, a web site may have a link to "share this site with a friend" where the user provides the recipient's email address and the web application fills out all the other fields, such as the subject and body. In this pattern, an attacker adds header and body information to an email message by injecting additional content in an input field used to construct a header of the mail message. This attack takes advantage of the fact that RFC 822 requires that headers in a mail message be separated by a carriage return. As a result, an attacker can inject new headers or content simply by adding a delimiting carriage return and then supplying the new heading and body information. This attack will not work if the user can only supply the message body since a carriage return in the body is treated as a normal character.NULLStandardStubDraftMedium38CAPEC-135Format String InjectionAn attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. 
An attacker can use this to read or write memory locations or files, or simply to manipulate the resulting text in unexpected ways. Reading or writing memory may crash the program, and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack (for example, overwriting a return address).
Abstraction: Standard | Completeness: Complete | Status: Draft | Typical severity: High

#39 CAPEC-136 LDAP Injection
An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted into an LDAP query during the authentication process. An attacker could use this input to inject additional filter terms into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.
Abstraction: Standard | Completeness: Complete | Status: Draft | Typical severity: High

#40 CAPEC-137 Parameter Injection
An attacker exploits weaknesses in input validation by manipulating the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in an HTTP GET request are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject the special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value "myInput&new_param=myValue", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue.
This can significantly change the meaning of the query that is processed by the server. Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack; the HTTP GET encoding used above is just one example.
Abstraction: Standard | Completeness: Stub | Status: Draft | Typical severity: Medium

#41 CAPEC-138 Reflection Injection
An attacker supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an attacker can control the input to these methods, including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read arbitrary fields, or even load and use malicious classes that the attacker created. This can lead to the application revealing sensitive information, returning incorrect results, or even the attacker taking control of the targeted application.
Abstraction: Standard | Completeness: Stub | Status: Draft | Typical severity: Very High

#42 CAPEC-139 Relative Path Traversal
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels.
These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
Abstraction: Standard | Completeness: Complete | Status: Draft | Typical severity: High

#43 CAPEC-14 Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Abstraction: Detailed | Completeness: Complete | Status: Draft | Typical severity: High

#44 CAPEC-140 Bypassing of Intermediate Forms in Multiple-Form Sets
Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amount of information being collected or if information on earlier forms is used to pre-populate fields or determine which additional information the application needs to collect. An attacker who knows the names of the various forms in the sequence may be able to explicitly type in the name of a later form and navigate to it without first going through the previous forms. This can result in incomplete collection of information, incorrect assumptions about the information submitted by the attacker, or other problems that can impair the functioning of the application.
Abstraction: Standard | Completeness: Stub | Status: Draft | Typical severity: Medium

#45 CAPEC-141 Cache Poisoning
An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attacker's objectives. This describes any attack whereby an attacker places incorrect or harmful material in a cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a shared or public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid.
This can lead to a wide range of exploits, including redirecting web browsers towards sites that install malware, or repeated incorrect calculations based on the incorrect value.
Abstraction: Standard | Completeness: Complete | Status: Draft | Typical severity: High

#46 CAPEC-142 DNS Cache Poisoning
A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An attacker modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the attacker specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Attackers can use this to herd clients to sites that install malware on the victim's computer or to masquerade as a legitimate site as part of a pharming attack.
Abstraction: Standard | Completeness: Complete | Status: Draft | Typical severity: High

#47 CAPEC-143 Detect Unpublicised Web Pages
An attacker searches a targeted web site for web pages that have not been publicized. Generally this involves mapping the published web site by spidering through all the published links and then attempting to access well-known debugging or logging pages, or otherwise predictable pages within the site tree. For example, an attacker might notice a pattern in the naming of documents and extrapolate this pattern to discover additional documents that have been created but are no longer externally linked. Using this, the attacker may be able to gain access to information that the targeted site did not intend to make public.
Abstraction: Standard | Completeness: Stub | Status: Draft | Typical severity: Low

#48 CAPEC-144 Detect Unpublicised Web Services
An attacker searches a targeted web site for web services that have not been publicized. Generally this involves mapping the published web site by spidering through all the published links and then attempting to access well-known debugging or logging services, or otherwise predictable services within the site tree.
This attack can be especially dangerous since unpublished but available services may not have adequate security controls placed upon them, given that an administrator may believe they are unreachable.
Abstraction: Standard | Completeness: Stub | Status: Draft | Typical severity: Low

#49 CAPEC-145 Checksum Spoofing
An attacker spoofs a checksum for the purpose of making a payload appear to have a valid corresponding checksum. Checksums are used to verify message integrity. They consist of some value computed from the contents of the message they protect; hash codes are a common checksum mechanism. Both the sender and recipient are able to compute the checksum from the contents of the message. If the message contents change between sender and recipient, the two will compute different checksum values, and since the sender's checksum value is transmitted with the message, the recipient would know that a modification occurred. In checksum spoofing an attacker modifies the message body and then recomputes the corresponding checksum, so that the recipient's checksum calculation matches the checksum (created by the attacker) in the message. This prevents the recipient from realizing that a change occurred. An unkeyed checksum therefore protects only against accidental corruption; deliberate tampering is detected only when the attacker cannot produce the check value, for example because it is a MAC computed with a secret key or a digital signature.
Abstraction: Standard | Completeness: Stub | Status: Draft | Typical severity: Medium

#50 CAPEC-146 XML Schema Poisoning
An attacker corrupts or modifies the content of XML schema information passing between client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema, either by replacing or modifying it, to compromise the programs that process documents that use this schema. Possible attacks include denial of service by modifying the schema so that it does not contain information required for subsequent processing. For example, the unaltered schema may require a @name attribute in all submitted documents.
If the attacker removes this attribute from the schema, then documents created using the new grammar will lack this field, which may cause the processing application to enter an unexpected state or record incomplete data. In addition, manipulation of the data types described in the schema may affect the results of calculations performed by the document reader; for example, a float field could be changed to an int field. Finally, the attacker may change the encoding defined in the schema for certain fields, allowing the contents to bypass filters that scan for dangerous strings. For example, the modified schema might use URL encoding instead of ASCII, and a filter that catches a semicolon (;) might fail to detect its URL-encoded form (%3B).
Abstraction: Standard | Completeness: Stub | Status: Draft | Typical severity: High

#51 CAPEC-147 XML Ping of the Death
An attacker initiates a resource depletion attack in which a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to parse and process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that require extra processing on the target.
Abstraction: Standard | Completeness: Complete | Status: Draft | Typical severity: Medium

#52 CAPEC-148 Content Spoofing
An attacker modifies content to make it contain something other than what the original content producer intended, while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the attacker's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols.
Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually the attacker will attempt to hide the fact that the content has been modified, but in some cases, such as web site defacement, this is not necessary. Content spoofing can lead to malware exposure, financial fraud if the content governs financial transactions, privacy violations, and other results.
Abstraction: Standard | Completeness: Stub | Status: Draft | Typical severity: Medium

#53 CAPEC-149 Explore for predictable temporary file names
An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against the target. This involves analyzing the naming conventions and storage locations of the temporary files created by a target application. If an attacker can predict the names of temporary files, they can use this information to mount other attacks, such as information gathering and symlink attacks.
Abstraction: Standard | Completeness: Stub | Status: Draft | Typical severity: Medium

#54 CAPEC-15 Command Delimiters
An attack of this type exploits a program's vulnerability that allows an attacker's commands to be concatenated onto a legitimate command, with the intent of targeting other resources such as the file system or database. A system that uses a filter or blacklist for input validation, as opposed to whitelist validation, is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
Abstraction: Standard | Completeness: Complete | Status: Draft | Typical severity: High

#55 CAPEC-150 Common resource location exploration
An attacker exploits well-known locations for resources for the purpose of undermining the security of the target.
In many, if not most, systems, files and resources are organized in the same tree structure. This is useful to attackers because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource is not known, naming conventions may indicate a small area of the target machine's file tree where such resources are typically located. For example, configuration files are normally stored in the /etc directory on Unix systems. Attackers can take advantage of this to commit other types of attacks.
Abstraction: Standard | Completeness: Stub | Status: Draft | Typical severity: Medium

#56 CAPEC-151 Identity Spoofing (Impersonation)
An attacker crafts a message that masquerades as a message from a principal other than the actual message sender. This may involve having the attacker create content for the purpose of making it appear to originate from a legitimate "spoofed" source. Phishing and pharming attacks often attempt to do this so that their attempts to gather sensitive information appear to come from a legitimate source. Alternatively, an attacker may intercept a message from a legitimate sender and attempt to make it look like the message comes from them without changing its content. The latter form of this attack can be used to hijack credentials from legitimate users. This attack need not be limited to transmitted messages: any resource that is associated with an identity (for example, a file with a signature) can be the target of an attack where the attacker attempts to change the apparent source. This attack differs from Content Spoofing attacks since, in Content Spoofing, the attacker does not wish to change the apparent source of the message but instead wishes to change what the source appears to say.
In an Identity Spoofing attack, the attacker is attempting to change the apparent source of the content.
Abstraction: Standard | Completeness: Stub | Status: Draft | Typical severity: Medium

#57 CAPEC-153 Input Data Manipulation
An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data presented to an input-processing interface. By supplying input of a non-standard or unexpected form, an attacker can adversely impact the security of the target. For example, using a different character encoding might cause dangerous text to be treated as safe text. Alternatively, the attacker may use certain flags, such as file extensions, to make a target application believe that the provided data should be handled by a certain interpreter when the data is not actually of the appropriate type. This can lead to bypassing protection mechanisms, forcing the target to use specific components for input processing, or otherwise causing the user's data to be handled differently than might otherwise be expected. This attack differs from Variable Manipulation in that Variable Manipulation attempts to subvert the target's processing through the value of the input, while Input Data Manipulation seeks to control how the input is processed.
Abstraction: Standard | Completeness: Stub | Status: Draft | Typical severity: Medium

#58 CAPEC-154 Resource Location Attacks
An attacker utilizes discovered or crafted file path information for the purpose of locating and exploiting a security-sensitive resource. This category of attack involves the paths used by an application to store or retrieve resources. Specifically, attacks in this category involve manipulating the path, causing the application to look in a location unintended by the application maintainer, or determining the paths through prediction or lookup. This differs from File Manipulation attacks, in which the contents of the files are affected or the files themselves are physically moved.
Instead, this attack simply concerns itself with the paths used to find or create resources.
Abstraction: Standard | Completeness: Stub | Status: Draft | Typical severity: Medium

#59 CAPEC-155 Screen Temporary Files for Sensitive Information
An attacker exploits the temporary, insecure storage of information by monitoring the content of files used to store temporary data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files end up storing sensitive information. By screening an application's temporary files, an attacker might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups; if the content contains sensitive information, the attacker could recover it from the web cache.
Abstraction: Standard | Completeness: Stub | Status: Draft | Typical severity: Medium

#60 CAPEC-157 Sniffing Attacks
An attacker monitors information transmitted between logical or physical nodes of a network. The attacker need not be able to prevent reception or change content, but must simply be able to observe and read the traffic. The attacker might precipitate or indirectly influence the content of the observed transaction, but the attacker is never the intended recipient of the information. Any transmission medium can theoretically be sniffed if the attacker can listen to the contents between the sender and recipient.
Abstraction: Standard | Completeness: Stub | Status: Draft | Typical severity: Medium

#61 CAPEC-158 Sniffing Information Sent Over Public/multicast Networks
An attacker monitors network traffic between nodes of a public or multicast network. The attacker need not be able to prevent reception or change content, but must simply be able to observe and read the traffic. The attacker might precipitate or indirectly influence the content of the observed transaction, but the attacker is never the intended recipient of the information.
This differs from other sniffing attacks in that it is carried out over a public network rather than via some other communications channel, such as radio.
Abstraction: Standard | Completeness: Stub | Status: Draft | Typical severity: Medium

#62 CAPEC-159 Redirect Access to Libraries
An attacker exploits the execution flow of a call to an external library to point it at an attacker-supplied library or code base, allowing the attacker to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are part of libraries external to the application. These libraries may be part of the operating system or they may be third-party libraries. If an attacker can redirect an application's attempts to access these libraries to other libraries that the attacker supplies, the attacker will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation.
Abstraction: Standard | Completeness: Complete | Status: Draft | Typical severity: Very High

#63 CAPEC-16 Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Abstraction: Detailed | Completeness: Complete | Status: Draft | Typical severity: High

#64 CAPEC-160 Programming to included script-based APIs
Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods, they can gain access to a great deal of functionality. For example, HTML pages support ), etc.
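As an added example for CAPEC-136 LDAP Injection above (this is editor-supplied code, not part of the source catalogue): the same username is interpolated into a `(uid=...)` filter raw and after RFC 4515 escaping, and both filters are evaluated against a toy in-memory directory that understands only a single `(attr=value)` assertion with `*` as a wildcard. The directory entries, the filter shape and the `ldap_escape` helper are assumptions of the example, not anything the page or a real LDAP library defines.

```python
# Added example (not from the page): LDAP filter injection and RFC 4515 escaping.
# The directory contents and the uid-lookup filter are constructed for the demo.
import re

# Constructed toy directory standing in for an LDAP server.
DIRECTORY = [{"uid": "alice"}, {"uid": "bob"}, {"uid": "carol"}]


def ldap_escape(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3):
    backslash, '*', '(', ')' and NUL become a backslash plus two hex digits."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def filter_vulnerable(username):
    """Interpolates the raw username: '*' and parentheses keep their filter meaning."""
    return "(uid=%s)" % username


def filter_hardened(username):
    return "(uid=%s)" % ldap_escape(username)


_ASSERTION = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<value>.*)\)$")


def _value_to_regex(value):
    """Translate a filter value the way a server does: an unescaped '*' is a
    wildcard, '\\XX' is one literal character, everything else is literal."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return "^" + "".join(parts) + "$"


def search(ldap_filter):
    """Evaluate a single (attr=value) assertion against DIRECTORY and return the
    matching uids. Only this filter shape is supported by the toy server."""
    m = _ASSERTION.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    attr = m.group("attr")
    rx = re.compile(_value_to_regex(m.group("value")))
    return [e["uid"] for e in DIRECTORY if attr in e and rx.match(e[attr])]


def demo():
    return {
        "vulnerable_star": search(filter_vulnerable("*")),     # every user is returned
        "vulnerable_prefix": search(filter_vulnerable("a*")),  # prefix probing of usernames
        "hardened_filter": filter_hardened("*"),               # the filter text is (uid=\2a)
        "hardened_star": search(filter_hardened("*")),         # '*' is now a literal: nobody
        "hardened_legit": search(filter_hardened("bob")),      # ordinary lookups still work
    }


if __name__ == "__main__":
    print(demo())
```

Escaping the assertion value is the equivalent of parameterised SQL here: the server still sees one `(uid=...)` assertion, and the wildcard and grouping characters in the input are carried as `\2a`, `\28`, `\29` literals. Values used as a DN component rather than a filter value need the different escaping rules of RFC 4514.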
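As an added example for CAPEC-137 Parameter Injection above (editor-supplied, not from the page): the value "myInput&role=admin" is placed into a query string by concatenation and by `urllib.parse.urlencode`, and both URLs are parsed back the way a server framework would. The endpoint and the `role` parameter are hypothetical.

```python
# Added example (not from the page): HTTP query-string parameter injection.
# The endpoint URL and the parameter names are hypothetical.
from urllib.parse import parse_qs, urlencode, urlsplit

ENDPOINT = "https://api.example.com/search"  # hypothetical


def build_url_vulnerable(user_input):
    """Concatenates the raw value: an '&' or '=' inside it acts as a separator."""
    return "%s?input=%s&role=user" % (ENDPOINT, user_input)


def build_url_hardened(user_input):
    """urlencode percent-encodes '&' (%26) and '=' (%3D), so the value stays one value."""
    return "%s?%s" % (ENDPOINT, urlencode({"input": user_input, "role": "user"}))


def params_seen_by_server(url):
    """Parse the query the way a typical server framework does: a dict of lists."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


# Constructed attacker input: ends the value early and smuggles a second 'role'.
PAYLOAD = "myInput&role=admin"


def demo():
    return {
        "vulnerable": params_seen_by_server(build_url_vulnerable(PAYLOAD)),
        "hardened": params_seen_by_server(build_url_hardened(PAYLOAD)),
    }


if __name__ == "__main__":
    print(demo())
```

In the vulnerable case the server receives `role` twice; whether the first or the last copy wins depends on the framework, which is exactly the ambiguity HTTP parameter pollution exploits. After encoding, `input` carries the whole string and `role` is still `user`.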
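As an added example for CAPEC-139 Relative Path Traversal above (editor-supplied, not from the page): a resolver that decodes the user-supplied path, normalises it under a document root and judges the result by where it lands rather than by scanning the input for `..`. It is run over a set of constructed probes covering plain, backslash, URL-encoded and double-encoded traversal. `BASE_DIR` and the probe paths are assumptions of the example.

```python
# Added example (not from the page): containing a user-supplied relative path.
# BASE_DIR is a hypothetical document root; the probe paths are constructed.
import os
from urllib.parse import unquote

BASE_DIR = os.path.realpath("/srv/app/public")  # hypothetical


def decode_fully(path, max_rounds=3):
    """Undo URL encoding until it stops changing, so %2e%2e%2f and the
    double-encoded %252e%252e%252f both become '../'. Bounded, because an
    attacker can nest encodings to stall an unbounded loop."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    raise ValueError("too many encoding layers")


def resolve_under_base(user_path):
    """Return the absolute path for `user_path`, or raise if it leaves BASE_DIR.
    The check is made on the normalised result, so any mix of '..', '/', '\\'
    and encodings is judged by where it actually points."""
    raw = decode_fully(user_path)
    if "\x00" in raw:
        raise ValueError("NUL byte in path")
    raw = raw.replace("\\", "/")                       # Windows separators count as separators
    joined = os.path.join(BASE_DIR, raw.lstrip("/"))   # a leading '/' must not replace the base
    candidate = os.path.realpath(joined)               # collapses '.' and '..', follows existing symlinks
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + os.sep):
        raise ValueError("path escapes base directory: %r" % user_path)
    return candidate


# Constructed probes: the first two are legitimate, the rest are traversal variants.
PROBES = [
    "images/logo.png",
    "docs/./readme.txt",
    "../../../etc/passwd",
    "images/../../../../etc/passwd",
    "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "..\\..\\..\\windows\\win.ini",
    "/etc/passwd",
]


def classify(probes=PROBES):
    """Map each probe to its resolved path, or None when it was rejected."""
    out = {}
    for p in probes:
        try:
            out[p] = resolve_under_base(p)
        except ValueError:
            out[p] = None
    return out


if __name__ == "__main__":
    for probe, result in classify().items():
        print("%-48r -> %s" % (probe, result or "REJECTED"))
```

Two caveats the check does not remove: `realpath` resolves only symlinks that exist at check time, so a link created between the check and the open (or a pre-existing link inside the root) still needs handling, for example by opening with `O_NOFOLLOW` or serving from a directory nobody else can write to; and `/etc/passwd` is accepted here because the leading slash is deliberately treated as relative to the root, which is a policy choice to state explicitly rather than leave implicit.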
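As an added example for CAPEC-145 Checksum Spoofing above (editor-supplied, not from the page): the same message is protected once with a plain SHA-256 checksum and once with an HMAC under a key the attacker does not hold; an in-transit tamperer rewrites the amount and recomputes what it can. The order message, the key and the tampering are constructed for the demo.

```python
# Added example (not from the page): why an unkeyed checksum cannot stop tampering
# and a keyed MAC can. The message, key and tampering are constructed for the demo.
import hashlib
import hmac
import os

# Constructed order message and a per-deployment secret the attacker does not hold.
ORIGINAL = b'{"order": 1017, "amount": 10, "currency": "EUR"}'
SECRET_KEY = os.urandom(32)


def checksum(payload):
    """Unkeyed integrity check: anyone, including the attacker, can compute it."""
    return hashlib.sha256(payload).hexdigest()


def verify_checksum(payload, digest):
    return hmac.compare_digest(checksum(payload), digest)


def mac(key, payload):
    """Keyed integrity check (HMAC-SHA256): only holders of `key` can compute it."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_mac(key, payload, tag):
    return hmac.compare_digest(mac(key, payload), tag)


def attacker_in_transit(payload):
    """The attacker rewrites the amount and, because the checksum algorithm is
    public and unkeyed, simply recomputes a matching checksum for the new body."""
    forged = payload.replace(b'"amount": 10', b'"amount": 9999')
    return forged, checksum(forged)


def demo():
    sent_digest = checksum(ORIGINAL)
    sent_tag = mac(SECRET_KEY, ORIGINAL)
    forged, forged_digest = attacker_in_transit(ORIGINAL)
    return {
        "checksum_accepts_original": verify_checksum(ORIGINAL, sent_digest),
        "checksum_accepts_forgery": verify_checksum(forged, forged_digest),  # spoofing succeeds
        "mac_accepts_original": verify_mac(SECRET_KEY, ORIGINAL, sent_tag),
        # Without the key the attacker can only keep the old tag or substitute a plain hash.
        "mac_accepts_forgery_old_tag": verify_mac(SECRET_KEY, forged, sent_tag),
        "mac_accepts_forgery_hash_as_tag": verify_mac(SECRET_KEY, forged, forged_digest),
    }


if __name__ == "__main__":
    print(demo())
```

`hmac.compare_digest` is used for both comparisons so that verification time does not leak how many leading characters of the tag were right. A MAC still only covers tampering by someone without the key; where the verifier must not be able to forge either (software updates, for instance), the check value has to be a signature.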
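As an added example for CAPEC-15 Command Delimiters above (editor-supplied, not from the page): a blacklist of the three delimiters a developer is most likely to think of is run against payloads that use delimiters it omits, next to the allow-list-and-argv approach that leaves no shell to interpret them. The `ping` lookup, the hostname rule and the payloads are assumptions of the example; nothing is executed.

```python
# Added example (not from the page): a delimiter blacklist versus removing the shell.
# The 'ping' lookup and the payloads are constructed for the demo; nothing is executed.
import re

# A naive blacklist of the delimiters the developer thought of.
BLACKLIST = {";", "&", "|"}

# The fuller set a POSIX shell treats as command or substitution boundaries.
SHELL_METACHARS = re.compile(r"[;&|\n`$(){}<>]")

# One DNS label (RFC 1123): letters, digits and '-', not starting or ending with '-'.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(r"%s(?:\.%s)*" % (_LABEL, _LABEL))


def blacklist_allows(value):
    return not any(c in value for c in BLACKLIST)


def command_line_vulnerable(host):
    """The string that would be handed to a shell (os.system, subprocess with shell=True)."""
    return "ping -c 1 " + host


def argv_hardened(host):
    """Allow-list the value, then pass it as a single argv element with no shell:
    delimiters cannot act because nothing interprets them."""
    if len(host) > 253 or not HOSTNAME.fullmatch(host):
        raise ValueError("not a hostname: %r" % host)
    return ["ping", "-c", "1", host]


# Constructed payloads: the first is caught by the blacklist, the others slip past it.
PAYLOADS = [
    "example.com; id",   # ';' is on the list
    "example.com\nid",   # newline separates commands just as ';' does
    "$(id)",             # command substitution
    "`id`",              # legacy command substitution
]


def evaluate(payloads=PAYLOADS):
    """For each payload: does the blacklist pass it, would a shell see a delimiter
    in the resulting command line, and does the allow-list accept it."""
    report = {}
    for p in payloads:
        try:
            argv_hardened(p)
            hardened_accepts = True
        except ValueError:
            hardened_accepts = False
        report[p] = {
            "blacklist_allows": blacklist_allows(p),
            "shell_sees_delimiter": bool(SHELL_METACHARS.search(command_line_vulnerable(p))),
            "hardened_accepts": hardened_accepts,
        }
    return report


if __name__ == "__main__":
    for payload, verdict in evaluate().items():
        print("%-20r %s" % (payload, verdict))
```

Three of the four payloads pass the blacklist and all four are live in a shell, which is the pattern's point: the attacker only has to find one delimiter the filter author did not. The hardened path never consults a delimiter list at all; `subprocess.run(argv_hardened(host))` with a list and the default `shell=False` passes the value straight to `ping` as one argument.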
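As an added example for CAPEC-16 Dictionary-based Password Attack above (editor-supplied, not from the page): an offline dictionary attack against an unsalted SHA-256 password hash, then against a salted PBKDF2 hash, to show what the common mitigations do and do not buy. The wordlist, the chosen passwords, the salt and the iteration count are constructed for the demo.

```python
# Added example (not from the page): an offline dictionary attack against an
# unsalted hash versus a salted, iterated one. Wordlist, passwords and salt are constructed.
import hashlib
import hmac
import os

# Constructed wordlist; real attacks use lists of millions of leaked passwords.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon", "summer2019"]

# Deliberately low so the demo is quick; OWASP's 2023 guidance is 600,000 for PBKDF2-HMAC-SHA256.
ITERATIONS = 20_000


def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Hash every word once. The table then cracks any unsalted hash stored with
    this algorithm, for any user, by a single dictionary lookup."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stored_hash, table):
    return table.get(stored_hash)


def salted_hash(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_salted(stored_hash, salt, words, iterations=ITERATIONS):
    """No shared table is possible: every candidate is rehashed with this user's
    salt at full iteration cost. Returns (password or None, attempts made)."""
    for attempts, w in enumerate(words, start=1):
        if hmac.compare_digest(salted_hash(w, salt, iterations), stored_hash):
            return w, attempts
    return None, len(words)


def demo():
    table = build_lookup_table(WORDLIST)
    salt = os.urandom(16)
    weak_unsalted = unsalted_hash("dragon")                         # a user who chose a dictionary word
    weak_salted = salted_hash("dragon", salt)                       # same password, salted and iterated
    strong_salted = salted_hash("correct horse battery staple", salt)
    cracked_weak, attempts_weak = crack_salted(weak_salted, salt, WORDLIST)
    cracked_strong, attempts_strong = crack_salted(strong_salted, salt, WORDLIST)
    return {
        "unsalted_cracked": crack_unsalted(weak_unsalted, table),  # 'dragon', one table lookup
        "salted_cracked": cracked_weak,                            # still 'dragon', but per-user work
        "salted_attempts": attempts_weak,                          # 5 PBKDF2 runs for this one user
        "strong_cracked": cracked_strong,                          # None
        "strong_attempts": attempts_strong,                        # the whole list, for nothing
    }


if __name__ == "__main__":
    print(demo())
```

The salt does not save a user who picked a dictionary word; it removes the attacker's ability to amortise one table over every account, and the iteration count (or a memory-hard function such as scrypt or Argon2) multiplies the per-guess cost. Against the online form of this attack, where guesses go through the login endpoint, the controls are rate limiting, lockout and credential-stuffing detection rather than the hash.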
These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch an XSS attack through other elements.
Abstraction: Standard | Completeness: Complete | Status: Draft | Typical severity: Very High

#85 CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures provide, thereby obtaining unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However, configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack. Most commonly, attackers take advantage of controls that provide too little protection for sensitive activities in order to perform actions that should be denied to them. In some circumstances, an attacker may be able to take advantage of overly restrictive access control policies, initiating denial of service (if an application locks up because it unexpectedly failed to be granted access) or causing other legitimate actions to fail. The latter class of attacks, however, is usually less severe and easier to detect than attacks based on inadequate security restrictions.
This attack pattern differs from CAPEC-1, "Accessing Functionality Not Properly Constrained by ACLs", in that the latter describes attacks where sensitive functionality lacks access controls, whereas in this pattern the access control is present but incorrectly configured.
Abstraction: Standard | Completeness: Complete | Status: Draft | Typical severity: Medium

#86 CAPEC-181 Flash File Overlay
An attacker creates a transparent overlay using Flash in order to intercept user actions for the purpose of performing a clickjacking attack. In this technique, the Flash file provides a transparent overlay over HTML content. Because the Flash application is on top of the content, user actions, such as clicks, are caught by the Flash application rather than the underlying HTML. The action is then interpreted by the overlay to perform the actions the attacker wishes.
Abstraction: Standard | Completeness: Stub | Status: Draft | Typical severity: Medium

#87 CAPEC-182 Flash Injection
An attacker tricks a victim into executing malicious Flash content that executes commands or makes Flash calls specified by the attacker. One example of this attack is cross-site flashing, where an attacker-controlled parameter to a reference call loads content specified by the attacker.
Abstraction: Standard | Completeness: Complete | Status: Draft | Typical severity: Medium

#88 CAPEC-183 IMAP/SMTP Command Injection
An attacker exploits weaknesses in input validation on IMAP/SMTP servers to execute commands on the server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail server, which then queries the back-end mail server for the requested information and returns the response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, the commands are passed to the back-end mail server when it is queried by the web-mail server, where they are then executed.
This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands.
Abstraction: Standar
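As an added example for CAPEC-134 Email Injection and CAPEC-183 IMAP/SMTP Command Injection above, which share a root cause (a CR/LF inside a value that is interpolated into a line-oriented protocol starts a new header or command) and a fix (refuse line breaks in such values): an email builder that concatenates header values is fed a recipient address carrying an injected Bcc header, the hardened builder rejects it, and the same payload is shown to be inert in the body. This is editor-supplied code, not part of the source catalogue; the sender address, the recipient and the payload are constructed, and the receiving side is the standard library's `email.parser`.

```python
# Added example (not from the page): email header injection and its fix.
# Sender and recipient addresses are hypothetical; the payload is constructed.
from email.parser import Parser

CRLF = "\r\n"
SENDER = "noreply@example.com"  # hypothetical


def build_message_vulnerable(recipient, subject, body):
    """Assembles an RFC 5322 message by string concatenation. Header values are
    inserted verbatim, so a CRLF inside `recipient` or `subject` starts a new
    header line, and CRLF CRLF would end the header block early."""
    return (
        "From: " + SENDER + CRLF
        + "To: " + recipient + CRLF
        + "Subject: " + subject + CRLF
        + CRLF                       # the blank line separates headers from body
        + body                       # the body is not checked: a line break there is just text
    )


def header_value(value):
    """Reject any header value containing a line break (CR or LF). Stripping
    would also work; rejecting makes the attempt visible to logging."""
    if "\r" in value or "\n" in value:
        raise ValueError("line break in header value: %r" % value)
    return value


def build_message_hardened(recipient, subject, body):
    return build_message_vulnerable(header_value(recipient), header_value(subject), body)


def as_seen_by_mta(raw):
    """Parse the message the way a receiving mail server would."""
    return Parser().parsestr(raw)


# Constructed attacker input: a valid address followed by an injected Bcc header.
PAYLOAD = "friend@example.net" + CRLF + "Bcc: everyone@example.org"


def demo():
    results = {}
    # 1. Vulnerable builder: the injected Bcc is a real header to the MTA.
    msg = as_seen_by_mta(build_message_vulnerable(PAYLOAD, "Check this out", "hi"))
    results["vulnerable_bcc"] = msg["Bcc"]
    # 2. The hardened builder refuses the same input.
    try:
        build_message_hardened(PAYLOAD, "Check this out", "hi")
        results["hardened_rejected"] = False
    except ValueError:
        results["hardened_rejected"] = True
    # 3. The same payload in the body is inert: the header block is already closed.
    msg = as_seen_by_mta(build_message_vulnerable("friend@example.net", "hi", PAYLOAD))
    results["body_payload_bcc"] = msg["Bcc"]
    results["body_contains_payload"] = "Bcc:" in msg.get_payload()
    return results


if __name__ == "__main__":
    print(demo())
```

The same `header_value` check is what a web-mail front end needs on every value it splices into an IMAP or SMTP command line (mailbox names, message IDs, search terms): the back-end server reads commands one line at a time, so a rejected CR/LF is a rejected extra command.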