| CAPEC | CWE | Related Weakness |
|---|---|---|
| Escaping a Sandbox by Calling Signed Code in Another Language | CWE-693 | Protection Mechanism Failure |
| Signature Spoofing by Mixing Signed and Unsigned Content | CWE-311 | Missing Encryption of Sensitive Data |
| | CWE-319 | Cleartext Transmission of Sensitive Information |
| | CWE-693 | Protection Mechanism Failure |
| Sniff Application Code | CWE-311 | Missing Encryption of Sensitive Data |
| | CWE-318 | Cleartext Storage of Sensitive Information in Executable |
| | CWE-319 | Cleartext Transmission of Sensitive Information |
| | CWE-693 | Protection Mechanism Failure |
| | CWE-719 | OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage |
| Manipulating User State | CWE-315 | Cleartext Storage of Sensitive Information in a Cookie |
| | CWE-353 | Missing Support for Integrity Check |
| | CWE-371 | State Issues |
| | CWE-372 | Incomplete Internal State Distinction |
| | CWE-693 | Protection Mechanism Failure |
| Utilizing REST's Trust in the System Resource to Obtain Sensitive Data | CWE-287 | Improper Authentication |
| | CWE-300 | Channel Accessible by Non-Endpoint |
| | CWE-693 | Protection Mechanism Failure |
| | CWE-724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management |
| Try Common or Default Usernames and Passwords | CWE-262 | Not Using Password Aging |
| | CWE-263 | Password Aging with Long Expiration |
| | CWE-521 | Weak Password Requirements |
| | CWE-693 | Protection Mechanism Failure |
| | CWE-798 | Use of Hard-coded Credentials |
| Escaping Virtualization | CWE-693 | Protection Mechanism Failure |
| Cross Site Tracing | CWE-648 | Incorrect Use of Privileged APIs |
| | CWE-693 | Protection Mechanism Failure |
| Poison Web Service Registry | CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| | CWE-285 | Improper Authorization |
| | CWE-693 | Protection Mechanism Failure |
| Session Credential Falsification through Prediction | CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length |
| | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| | CWE-285 | Improper Authorization |
| | CWE-290 | Authentication Bypass by Spoofing |
| | CWE-330 | Use of Insufficiently Random Values |
| | CWE-331 | Insufficient Entropy |
| | CWE-346 | Origin Validation Error |
| | CWE-384 | Session Fixation |
| | CWE-488 | Exposure of Data Element to Wrong Session |
| | CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
| | CWE-693 | Protection Mechanism Failure |
| | CWE-719 | OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage |
| Password Brute Forcing | CWE-257 | Storing Passwords in a Recoverable Format |
| | CWE-262 | Not Using Password Aging |
| | CWE-263 | Password Aging with Long Expiration |
| | CWE-521 | Weak Password Requirements |
| | CWE-693 | Protection Mechanism Failure |
| Rainbow Table Password Cracking | CWE-261 | Weak Encoding for Password |
| | CWE-262 | Not Using Password Aging |
| | CWE-263 | Password Aging with Long Expiration |
| | CWE-521 | Weak Password Requirements |
| | CWE-693 | Protection Mechanism Failure |
| | CWE-719 | OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage |
| | CWE-916 | Use of Password Hash With Insufficient Computational Effort |
| Dictionary-based Password Attack | CWE-262 | Not Using Password Aging |
| | CWE-263 | Password Aging with Long Expiration |
| | CWE-521 | Weak Password Requirements |
| | CWE-693 | Protection Mechanism Failure |
| Using Malicious Files | CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
| | CWE-264 | Permissions, Privileges, and Access Controls |
| | CWE-270 | Privilege Context Switching Error |
| | CWE-272 | Least Privilege Violation |
| | CWE-275 | Permission Issues |
| | CWE-282 | Improper Ownership Management |
| | CWE-285 | Improper Authorization |
| | CWE-693 | Protection Mechanism Failure |
| | CWE-732 | Incorrect Permission Assignment for Critical Resource |
| Encryption Brute Forcing | CWE-326 | Inadequate Encryption Strength |
| | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
| | CWE-693 | Protection Mechanism Failure |
| | CWE-719 | OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage |
| Using Unpublished APIs | CWE-306 | Missing Authentication for Critical Function |
| | CWE-693 | Protection Mechanism Failure |
| | CWE-695 | Use of Low-Level Functionality |
| Accessing Functionality Not Properly Constrained by ACLs | CWE-276 | Incorrect Default Permissions |
| | CWE-285 | Improper Authorization |
| | CWE-434 | Unrestricted Upload of File with Dangerous Type |
| | CWE-693 | Protection Mechanism Failure |
| | CWE-721 | OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access |
| | CWE-732 | Incorrect Permission Assignment for Critical Resource |
| Directory Indexing | CWE-276 | Incorrect Default Permissions |
| | CWE-285 | Improper Authorization |
| | CWE-288 | Authentication Bypass Using an Alternate Path or Channel |
| | CWE-424 | Improper Protection of Alternate Path |
| | CWE-425 | Direct Request ('Forced Browsing') |
| | CWE-693 | Protection Mechanism Failure |
| | CWE-721 | OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access |
| | CWE-732 | Incorrect Permission Assignment for Critical Resource |
| Exploiting Trust in Client | CWE-20 | Improper Input Validation |
| | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| | CWE-287 | Improper Authentication |
| | CWE-290 | Authentication Bypass by Spoofing |
| | CWE-693 | Protection Mechanism Failure |
| Forceful Browsing | CWE-285 | Improper Authorization |
| | CWE-425 | Direct Request ('Forced Browsing') |
| | CWE-693 | Protection Mechanism Failure |