| CAPEC Attack Pattern | CWE | Related Weakness |
|---|---|---|
| Manipulating Web Input to File System Calls | CWE-15 | External Control of System or Configuration Setting |
| Manipulating Web Input to File System Calls | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| Manipulating Web Input to File System Calls | CWE-23 | Relative Path Traversal |
| Manipulating Web Input to File System Calls | CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
| Manipulating Web Input to File System Calls | CWE-73 | External Control of File Name or Path |
| Manipulating Web Input to File System Calls | CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| Manipulating Web Input to File System Calls | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| Manipulating Web Input to File System Calls | CWE-264 | Permissions, Privileges, and Access Controls |
| Manipulating Web Input to File System Calls | CWE-272 | Least Privilege Violation |
| Manipulating Web Input to File System Calls | CWE-285 | Improper Authorization |
| Manipulating Web Input to File System Calls | CWE-346 | Origin Validation Error |
| Manipulating Web Input to File System Calls | CWE-348 | Use of Less Trusted Source |
| Manipulating Web Input to File System Calls | CWE-715 | OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference |
| Pharming | CWE-346 | Origin Validation Error |
| Pharming | CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action |
| Navigation Remapping To Propagate Malicious Content | CWE-311 | Missing Encryption of Sensitive Data |
| Navigation Remapping To Propagate Malicious Content | CWE-345 | Insufficient Verification of Data Authenticity |
| Navigation Remapping To Propagate Malicious Content | CWE-346 | Origin Validation Error |
| Navigation Remapping To Propagate Malicious Content | CWE-471 | Modification of Assumed-Immutable Data (MAID) |
| Navigation Remapping To Propagate Malicious Content | CWE-602 | Client-Side Enforcement of Server-Side Security |
| DNS Cache Poisoning | CWE-345 | Insufficient Verification of Data Authenticity |
| DNS Cache Poisoning | CWE-346 | Origin Validation Error |
| DNS Cache Poisoning | CWE-348 | Use of Less Trusted Source |
| DNS Cache Poisoning | CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data |
| DNS Cache Poisoning | CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action |
| DNS Cache Poisoning | CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') |
| Transaction or Event Tampering via Application API Manipulation | CWE-311 | Missing Encryption of Sensitive Data |
| Transaction or Event Tampering via Application API Manipulation | CWE-345 | Insufficient Verification of Data Authenticity |
| Transaction or Event Tampering via Application API Manipulation | CWE-346 | Origin Validation Error |
| Transaction or Event Tampering via Application API Manipulation | CWE-471 | Modification of Assumed-Immutable Data (MAID) |
| Transaction or Event Tampering via Application API Manipulation | CWE-602 | Client-Side Enforcement of Server-Side Security |
| Exploitation of Trusted Credentials | CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length |
| Exploitation of Trusted Credentials | CWE-290 | Authentication Bypass by Spoofing |
| Exploitation of Trusted Credentials | CWE-302 | Authentication Bypass by Assumed-Immutable Data |
| Exploitation of Trusted Credentials | CWE-346 | Origin Validation Error |
| Exploitation of Trusted Credentials | CWE-384 | Session Fixation |
| Exploitation of Trusted Credentials | CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
| Exploitation of Trusted Credentials | CWE-602 | Client-Side Enforcement of Server-Side Security |
| Exploitation of Trusted Credentials | CWE-642 | External Control of Critical State Data |
| Exploitation of Trusted Credentials | CWE-664 | Improper Control of a Resource Through its Lifetime |
| Application API Message Manipulation via Man-in-the-Middle | CWE-311 | Missing Encryption of Sensitive Data |
| Application API Message Manipulation via Man-in-the-Middle | CWE-345 | Insufficient Verification of Data Authenticity |
| Application API Message Manipulation via Man-in-the-Middle | CWE-346 | Origin Validation Error |
| Application API Message Manipulation via Man-in-the-Middle | CWE-471 | Modification of Assumed-Immutable Data (MAID) |
| Application API Message Manipulation via Man-in-the-Middle | CWE-602 | Client-Side Enforcement of Server-Side Security |
| Session Credential Falsification through Prediction | CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length |
| Session Credential Falsification through Prediction | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| Session Credential Falsification through Prediction | CWE-285 | Improper Authorization |
| Session Credential Falsification through Prediction | CWE-290 | Authentication Bypass by Spoofing |
| Session Credential Falsification through Prediction | CWE-330 | Use of Insufficiently Random Values |
| Session Credential Falsification through Prediction | CWE-331 | Insufficient Entropy |
| Session Credential Falsification through Prediction | CWE-346 | Origin Validation Error |
| Session Credential Falsification through Prediction | CWE-384 | Session Fixation |
| Session Credential Falsification through Prediction | CWE-488 | Exposure of Data Element to Wrong Session |
| Session Credential Falsification through Prediction | CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
| Session Credential Falsification through Prediction | CWE-693 | Protection Mechanism Failure |
| Session Credential Falsification through Prediction | CWE-719 | OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage |
| Manipulating Writeable Configuration Files | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| Manipulating Writeable Configuration Files | CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') |
| Manipulating Writeable Configuration Files | CWE-346 | Origin Validation Error |
| Manipulating Writeable Configuration Files | CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data |
| Manipulating Writeable Configuration Files | CWE-353 | Missing Support for Integrity Check |
| Manipulating Writeable Configuration Files | CWE-354 | Improper Validation of Integrity Check Value |
| Manipulating Writeable Configuration Files | CWE-713 | OWASP Top Ten 2007 Category A2 - Injection Flaws |
| Application API Navigation Remapping | CWE-311 | Missing Encryption of Sensitive Data |
| Application API Navigation Remapping | CWE-345 | Insufficient Verification of Data Authenticity |
| Application API Navigation Remapping | CWE-346 | Origin Validation Error |
| Application API Navigation Remapping | CWE-471 | Modification of Assumed-Immutable Data (MAID) |
| Application API Navigation Remapping | CWE-602 | Client-Side Enforcement of Server-Side Security |
| Application API Button Hijacking | CWE-311 | Missing Encryption of Sensitive Data |
| Application API Button Hijacking | CWE-345 | Insufficient Verification of Data Authenticity |
| Application API Button Hijacking | CWE-346 | Origin Validation Error |
| Application API Button Hijacking | CWE-471 | Modification of Assumed-Immutable Data (MAID) |
| Application API Button Hijacking | CWE-602 | Client-Side Enforcement of Server-Side Security |
| SaaS User Request Forgery | | |
| Cache Poisoning | CWE-345 | Insufficient Verification of Data Authenticity |
| Cache Poisoning | CWE-346 | Origin Validation Error |
| Cache Poisoning | CWE-348 | Use of Less Trusted Source |
| Cache Poisoning | CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data |
| Cache Poisoning | CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') |
| Exploit Script-Based APIs | | |
| JSON Hijacking (aka JavaScript Hijacking) | CWE-345 | Insufficient Verification of Data Authenticity |
| JSON Hijacking (aka JavaScript Hijacking) | CWE-346 | Origin Validation Error |
| JSON Hijacking (aka JavaScript Hijacking) | CWE-352 | Cross-Site Request Forgery (CSRF) |
| Reusing Session IDs (aka Session Replay) | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| Reusing Session IDs (aka Session Replay) | CWE-285 | Improper Authorization |
| Reusing Session IDs (aka Session Replay) | CWE-290 | Authentication Bypass by Spoofing |
| Reusing Session IDs (aka Session Replay) | CWE-294 | Authentication Bypass by Capture-replay |
| Reusing Session IDs (aka Session Replay) | CWE-346 | Origin Validation Error |
| Reusing Session IDs (aka Session Replay) | CWE-384 | Session Fixation |
| Reusing Session IDs (aka Session Replay) | CWE-488 | Exposure of Data Element to Wrong Session |
| Reusing Session IDs (aka Session Replay) | CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
| Reusing Session IDs (aka Session Replay) | CWE-664 | Improper Control of a Resource Through its Lifetime |
| Reusing Session IDs (aka Session Replay) | CWE-732 | Incorrect Permission Assignment for Critical Resource |