| CAPEC | CWE | Related Weakness |
|-------|-----|------------------|
| HTTP Verb Tampering | CWE-302 | Authentication Bypass by Assumed-Immutable Data |
| | CWE-654 | Reliance on a Single Factor in a Security Decision |
| Manipulating Opaque Client-based Data Tokens | CWE-233 | Improper Handling of Parameters |
| | CWE-285 | Improper Authorization |
| | CWE-302 | Authentication Bypass by Assumed-Immutable Data |
| | CWE-315 | Cleartext Storage of Sensitive Information in a Cookie |
| | CWE-353 | Missing Support for Integrity Check |
| | CWE-384 | Session Fixation |
| | CWE-472 | External Control of Assumed-Immutable Web Parameter |
| | CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
| | CWE-565 | Reliance on Cookies without Validation and Integrity Checking |
| Buffer Overflow via Environment Variables | CWE-20 | Improper Input Validation |
| | CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| | CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') |
| | CWE-118 | Incorrect Access of Indexable Resource ('Range Error') |
| | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
| | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| | CWE-302 | Authentication Bypass by Assumed-Immutable Data |
| | CWE-680 | Integer Overflow to Buffer Overflow |
| | CWE-697 | Incorrect Comparison |
| | CWE-733 | Compiler Optimization Removal or Modification of Security-critical Code |
| Exploitation of Trusted Credentials | CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length |
| | CWE-290 | Authentication Bypass by Spoofing |
| | CWE-302 | Authentication Bypass by Assumed-Immutable Data |
| | CWE-346 | Origin Validation Error |
| | CWE-384 | Session Fixation |
| | CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
| | CWE-602 | Client-Side Enforcement of Server-Side Security |
| | CWE-642 | External Control of Critical State Data |
| | CWE-664 | Improper Control of a Resource Through its Lifetime |
| Accessing/Intercepting/Modifying HTTP Cookies | CWE-20 | Improper Input Validation |
| | CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
| | CWE-302 | Authentication Bypass by Assumed-Immutable Data |
| | CWE-311 | Missing Encryption of Sensitive Data |
| | CWE-315 | Cleartext Storage of Sensitive Information in a Cookie |
| | CWE-384 | Session Fixation |
| | CWE-472 | External Control of Assumed-Immutable Web Parameter |
| | CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
| | CWE-565 | Reliance on Cookies without Validation and Integrity Checking |
| | CWE-602 | Client-Side Enforcement of Server-Side Security |
| | CWE-642 | External Control of Critical State Data |
| | CWE-724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management |
| Buffer Overflow via Symbolic Links | CWE-20 | Improper Input Validation |
| | CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| | CWE-118 | Incorrect Access of Indexable Resource ('Range Error') |
| | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
| | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| | CWE-285 | Improper Authorization |
| | CWE-302 | Authentication Bypass by Assumed-Immutable Data |
| | CWE-680 | Integer Overflow to Buffer Overflow |
| | CWE-697 | Incorrect Comparison |
| Subverting Environment Variable Values | CWE-15 | External Control of System or Configuration Setting |
| | CWE-20 | Improper Input Validation |
| | CWE-73 | External Control of File Name or Path |
| | CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| | CWE-285 | Improper Authorization |
| | CWE-302 | Authentication Bypass by Assumed-Immutable Data |
| | CWE-353 | Missing Support for Integrity Check |
| Manipulating User-Controlled Variables | CWE-15 | External Control of System or Configuration Setting |
| | CWE-94 | Improper Control of Generation of Code ('Code Injection') |
| | CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
| | CWE-285 | Improper Authorization |
| | CWE-302 | Authentication Bypass by Assumed-Immutable Data |
| | CWE-473 | PHP External Variable Modification |