| CAPEC | Related Weakness |
| Harvesting Information via API Event Monitoring |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-319 | Cleartext Transmission of Sensitive Information |
| CWE-419 | Unprotected Primary Channel |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
|
| Navigation Remapping To Propagate Malicious Content |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-345 | Insufficient Verification of Data Authenticity |
| CWE-346 | Origin Validation Error |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
|
| Create Malicious Client |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
|
| Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
|
| Transaction or Event Tampering via Application API Manipulation |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-345 | Insufficient Verification of Data Authenticity |
| CWE-346 | Origin Validation Error |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
|
| Exploitation of Trusted Credentials |
| CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length |
| CWE-290 | Authentication Bypass by Spoofing |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data |
| CWE-346 | Origin Validation Error |
| CWE-384 | Session Fixation |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
| CWE-642 | External Control of Critical State Data |
| CWE-664 | Improper Control of a Resource Through its Lifetime |
|
| Application API Message Manipulation via Man-in-the-Middle |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-345 | Insufficient Verification of Data Authenticity |
| CWE-346 | Origin Validation Error |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
|
| Application API Navigation Remapping |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-345 | Insufficient Verification of Data Authenticity |
| CWE-346 | Origin Validation Error |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
|
| Removing Important Client Functionality |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
|
| Accessing/Intercepting/Modifying HTTP Cookies |
| CWE-20 | Improper Input Validation |
| CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-315 | Cleartext Storage of Sensitive Information in a Cookie |
| CWE-384 | Session Fixation |
| CWE-472 | External Control of Assumed-Immutable Web Parameter |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
| CWE-642 | External Control of Critical State Data |
| CWE-724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management |
|
| Application API Button Hijacking |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-345 | Insufficient Verification of Data Authenticity |
| CWE-346 | Origin Validation Error |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
|
| Manipulating Hidden Fields |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
|
