| CAPEC | Related Weakness |
| Manipulating Opaque Client-based Data Tokens |
| CWE-233 | Improper Handling of Parameters |
| CWE-285 | Improper Authorization |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data |
| CWE-315 | Cleartext Storage of Sensitive Information in a Cookie |
| CWE-353 | Missing Support for Integrity Check |
| CWE-384 | Session Fixation |
| CWE-472 | External Control of Assumed-Immutable Web Parameter |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking |
|
| Manipulating User State |
| CWE-315 | Cleartext Storage of Sensitive Information in a Cookie |
| CWE-353 | Missing Support for Integrity Check |
| CWE-371 | State Issues |
| CWE-372 | Incomplete Internal State Distinction |
| CWE-693 | Protection Mechanism Failure |
|
| Manipulating Writeable Configuration Files |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') |
| CWE-346 | Origin Validation Error |
| CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data |
| CWE-353 | Missing Support for Integrity Check |
| CWE-354 | Improper Validation of Integrity Check Value |
| CWE-713 | OWASP Top Ten 2007 Category A2 - Injection Flaws |
|
| Client-side Injection-induced Buffer Overflow |
| CWE-20 | Improper Input Validation |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-118 | Incorrect Access of Indexable Resource ('Range Error') |
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
| CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| CWE-353 | Missing Support for Integrity Check |
| CWE-680 | Integer Overflow to Buffer Overflow |
| CWE-697 | Incorrect Comparison |
| CWE-713 | OWASP Top Ten 2007 Category A2 - Injection Flaws |
|
| Subverting Environment Variable Values |
| CWE-15 | External Control of System or Configuration Setting |
| CWE-20 | Improper Input Validation |
| CWE-73 | External Control of File Name or Path |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| CWE-285 | Improper Authorization |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data |
| CWE-353 | Missing Support for Integrity Check |
|
| Content Spoofing Via Application API Manipulation |
| CWE-353 | Missing Support for Integrity Check |
|
