
CAPEC CWE Coverage

Overview

Common Attack Pattern Enumeration and Classification (CAPEC) provides a publicly available catalog that helps users understand how adversaries exploit weaknesses in applications.
It offers a comprehensive framework for identifying, classifying, and describing common attack patterns, enabling security teams to better anticipate and defend against potential threats.

This article lists the Common Weakness Enumerations (CWEs) that are mapped to each CAPEC attack pattern, together with the languages for which that mapping is supported.

Each row in the table below describes one compliance standard (here, one CAPEC attack pattern) and is made up of the following columns:

  1. Compliance Standard: The CAPEC attack pattern to which the CWE is mapped.

  2. Languages: The programming languages for which this mapping is supported.

  3. CWE-ID: The CWE(s) relevant to this standard, each with a short description.

CAPEC CWE Coverage

Each entry below is one row of the table: the Compliance Standard (the CAPEC attack pattern), followed by its Languages and CWE-ID columns.

CAPEC-100: Overflow Buffers
  Languages: C/C++ (Beta); Cobol
  CWE-ID:
  • CWE-121: Stack-based Buffer Overflow

CAPEC-102: Session side jacking
  Languages: C# Gen 2; JavaScript / TypeScript Gen 2
  CWE-ID:
  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

CAPEC-123: Buffer Manipulation
  Languages: C/C++ (Beta)
  CWE-ID:
  • CWE-787: Out-of-bounds Write

CAPEC-126: Path Traversal
  Languages: ABAP; ASP Classic/Visual Basic/VBScript; C#; C# Gen 2; C/C++ (Beta); ColdFusion; Go; Groovy; Java; Java Gen 2; JavaScript / Node.js; JavaScript / TypeScript Gen 2; Kotlin; Kotlin Mobile; PHP; PLSQL; Python; Python Gen 2; R; Ruby; TypeScript; VB.Net; Xamarin (C#)
  CWE-ID:
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC-134: Email Injection
  Languages: ASP Classic/Visual Basic/VBScript; C#; C# Gen 2; Groovy; Java; Java Gen 2; Kotlin; Kotlin Mobile; PHP; Python; Python Gen 2; VB.Net; Xamarin (C#)
  CWE-ID:
  • CWE-20: Improper Input Validation
  • CWE-941: Incorrectly Specified Destination in a Communication Channel

CAPEC-135: Format String Injection
  Languages: C/C++ (Beta)
  CWE-ID:
  • CWE-134: Use of Externally-Controlled Format String

CAPEC-136: LDAP Injection
  Languages: C#; C# Gen 2; C/C++ (Beta); Go; Groovy; Java; Java Gen 2; JavaScript / Node.js; JavaScript / TypeScript Gen 2; Kotlin; Kotlin Mobile; PHP; Python; Python Gen 2; Ruby; VB.Net; Xamarin (C#)
  CWE-ID:
  • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CAPEC-159: Redirect Access to Libraries
  Languages: C/C++ (Beta)
  CWE-ID:
  • CWE-114: Process Control

CAPEC-165: File Manipulation
  Languages: ASP Classic/Visual Basic/VBScript; C#; Go; Groovy; Java; Kotlin; Kotlin Mobile; PHP; PLSQL; Python; R; Ruby; Swift; VB.Net; Xamarin (C#); iOS Objective-C
  CWE-ID:
  • CWE-73: External Control of File Name or Path

CAPEC-194: Fake the Source of Data
  Languages: ASP Classic/Visual Basic/VBScript; C#; C# Gen 2; Go; Groovy; Java; Java Gen 2; JavaScript / Node.js; JavaScript / TypeScript Gen 2; Kotlin; Kotlin Mobile; PHP; Python; Python Gen 2; TypeScript; VB.Net
  CWE-ID:
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CAPEC-197: Exponential Data Expansion
  Languages: JavaScript / TypeScript Gen 2
  CWE-ID:
  • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CAPEC-201: Serialized Data External Linking
  Languages: C#; C# Gen 2; Groovy; Java; Java Gen 2; JavaScript / Node.js; JavaScript / TypeScript Gen 2; Kotlin; Kotlin Mobile; PHP; Python Gen 2; R; VB.Net
  CWE-ID:
  • CWE-611: Improper Restriction of XML External Entity Reference

CAPEC-215: Fuzzing and observing application log data/errors for application mapping
  Languages: Android Java; Groovy; Java; Java Gen 2; Kotlin; Kotlin Mobile; PHP; Swift; iOS Objective-C
  CWE-ID:
  • CWE-209: Information Exposure Through an Error Message
  • CWE-532: Insertion of Sensitive Information into Log File

CAPEC-242: Code Injection
  Languages: C# Gen 2; Python Gen 2
  CWE-ID:
  • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

CAPEC-252: PHP Local File Inclusion
  Languages: PHP
  CWE-ID:
  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CAPEC-284: Improper Access Control
  Languages: Apex; C#; C# Gen 2; Groovy; Java; Java Gen 2; Kotlin; Kotlin Mobile; VB.Net; Xamarin (C#)
  CWE-ID:
  • CWE-501: Trust Boundary Violation

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
  Languages: C/C++ (Beta)
  CWE-ID:
  • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

CAPEC-337: Insufficient Transport Layer Protection
  Languages: Android Java; C# Gen 2; Java; Java Gen 2; JavaScript / TypeScript Gen 2; Swift; Xamarin (C#); iOS Objective-C
  CWE-ID:
  • CWE-319: Cleartext Transmission of Sensitive Information

CAPEC-34: HTTP Response Splitting
  Languages: ASP Classic/Visual Basic/VBScript; C#; Groovy; Java; JavaScript / Node.js; Kotlin; Kotlin Mobile; PHP; Ruby; TypeScript; VB.Net
  CWE-ID:
  • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CAPEC-475: Signature Spoofing by Improper Validation
  Languages: Java Gen 2
  CWE-ID:
  • CWE-297: Improper Validation of Certificate with Host Mismatch

CAPEC-492: Regular Expression Exponential Blowup
  Languages: ABAP; C#; C# Gen 2; Groovy; Java; Java Gen 2; JavaScript / Node.js; JavaScript / TypeScript Gen 2; Kotlin; Kotlin Mobile; PHP; Python Gen 2; TypeScript; VB.Net; Xamarin (C#)
  CWE-ID:
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-1333: Inefficient Regular Expression Complexity

CAPEC-503: WebView Exposure
  Languages: Android Java; Kotlin Mobile; Swift; Xamarin (C#); iOS Objective-C
  CWE-ID:
  • CWE-749: Exposed Dangerous Method or Function

CAPEC-540: Overread Buffers
  Languages: C/C++ (Beta)
  CWE-ID:
  • CWE-125: Out-of-bounds Read

CAPEC-586: Object Injection
  Languages: C#; C# Gen 2; Groovy; Java; Java Gen 2; JavaScript / TypeScript Gen 2; Kotlin; Kotlin Mobile; PHP; Python; Python Gen 2; VB.Net; Xamarin (C#)
  CWE-ID:
  • CWE-502: Deserialization of Untrusted Data

CAPEC-63: Cross-Site Scripting (XSS)
  Languages: JavaScript / Node.js; JavaScript / TypeScript Gen 2; TypeScript
  CWE-ID:
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC-66: SQL Injection
  Languages: ABAP; ASP Classic/Visual Basic/VBScript; Apex; C#; C# Gen 2; C/C++ (Beta); Cobol; ColdFusion; Go; Groovy; Java; Java Gen 2; JavaScript / Node.js; JavaScript / TypeScript Gen 2; Kotlin; Kotlin Mobile; PHP; PLSQL; Python; Python Gen 2; R; Ruby; TypeScript; VB.Net; Xamarin (C#)
  CWE-ID:
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CAPEC-83: XPath Injection
  Languages: ASP Classic/Visual Basic/VBScript; C#; C# Gen 2; Go; Groovy; Java; Java Gen 2; JavaScript / TypeScript Gen 2; Kotlin; Kotlin Mobile; PHP; Python; Python Gen 2; VB.Net
  CWE-ID:
  • CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

CAPEC-92: Forced Integer Overflow
  Languages: C/C++ (Beta)
  CWE-ID:
  • CWE-190: Integer Overflow or Wraparound

CAPEC-93: Log Injection-Tampering-Forging
  Languages: ASP Classic/Visual Basic/VBScript; C#; C# Gen 2; Go; Groovy; Java; Java Gen 2; JavaScript / Node.js; JavaScript / TypeScript Gen 2; Kotlin; Kotlin Mobile; Python Gen 2; TypeScript; VB.Net; Xamarin (C#)
  CWE-ID:
  • CWE-117: Improper Output Neutralization for Logs

CAPEC-94: Man in the Middle Attack
  Languages: Android Java; Go; Kotlin Mobile; Xamarin (C#)
  CWE-ID:
  • CWE-295: Improper Certificate Validation
  • CWE-322: Key Exchange without Entity Authentication

CAPEC-97: Cryptanalysis
  Languages: ASP Classic/Visual Basic/VBScript; Android Java; C#; C# Gen 2; Go; Groovy; Java; Java Gen 2; JavaScript / Node.js; JavaScript / TypeScript Gen 2; Kotlin; Kotlin Mobile; PHP; Python; Python Gen 2; Ruby; Swift; TypeScript; VB.Net; Xamarin (C#); iOS Objective-C
  CWE-ID:
  • CWE-325: Missing Cryptographic Step
  • CWE-326: Inadequate Encryption Strength
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-328: Use of Weak Hash
  • CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  • CWE-347: Improper Verification of Cryptographic Signature
  • CWE-780: Use of RSA Algorithm without OAEP
  • CWE-916: Use of Password Hash With Insufficient Computational Effort
  • CWE-1204: Generation of Weak Initialization Vector (IV)
