| CAPEC | Related Weakness |
| Man in the Middle Attack |
| CWE-287 | Improper Authentication |
| CWE-290 | Authentication Bypass by Spoofing |
| CWE-294 | Authentication Bypass by Capture-replay |
| CWE-300 | Channel Accessible by Non-Endpoint |
| CWE-593 | Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created |
| CWE-724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management |
|
| Signature Spoof |
| CWE-20 | Improper Input Validation |
| CWE-290 | Authentication Bypass by Spoofing |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
|
| Creating a Rogue Certification Authority Certificate |
| CWE-290 | Authentication Bypass by Spoofing |
| CWE-295 | Improper Certificate Validation |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
|
| Exploitation of Trusted Credentials |
| CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length |
| CWE-290 | Authentication Bypass by Spoofing |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data |
| CWE-346 | Origin Validation Error |
| CWE-384 | Session Fixation |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
| CWE-642 | External Control of Critical State Data |
| CWE-664 | Improper Control of a Resource Through its Lifetime |
|
| Web Services API Signature Forgery Leveraging Hash Function Extension Weakness |
| CWE-290 | Authentication Bypass by Spoofing |
| CWE-328 | Reversible One-Way Hash |
|
| Signature Spoofing by Misrepresentation |
| CWE-290 | Authentication Bypass by Spoofing |
|
| Session Credential Falsification through Prediction |
| CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| CWE-285 | Improper Authorization |
| CWE-290 | Authentication Bypass by Spoofing |
| CWE-330 | Use of Insufficiently Random Values |
| CWE-331 | Insufficient Entropy |
| CWE-346 | Origin Validation Error |
| CWE-384 | Session Fixation |
| CWE-488 | Exposure of Data Element to Wrong Session |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
| CWE-693 | Protection Mechanism Failure |
| CWE-719 | OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage |
|
| Exploiting Trust in Client |
| CWE-20 | Improper Input Validation |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| CWE-287 | Improper Authentication |
| CWE-290 | Authentication Bypass by Spoofing |
| CWE-693 | Protection Mechanism Failure |
|
| Reusing Session IDs (aka Session Replay) |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| CWE-285 | Improper Authorization |
| CWE-290 | Authentication Bypass by Spoofing |
| CWE-294 | Authentication Bypass by Capture-replay |
| CWE-346 | Origin Validation Error |
| CWE-384 | Session Fixation |
| CWE-488 | Exposure of Data Element to Wrong Session |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
| CWE-664 | Improper Control of a Resource Through its Lifetime |
| CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
