
CAPEC CWE Coverage

Overview

Common Attack Pattern Enumeration and Classification (CAPEC) is a publicly available catalog that describes how adversaries exploit weaknesses in applications.
It provides a framework for identifying, classifying, and describing common attack patterns, so that security teams can anticipate the techniques an attacker is likely to use and prioritize the weaknesses that enable them.

This article lists the Common Weakness Enumeration (CWE) entries that are mapped to CAPEC attack patterns.

Each row in the table below maps one CAPEC attack pattern (the compliance standard) to the CWEs that cover it, using the following columns:

  1. Compliance Standard: The CAPEC attack pattern to which the CWE is mapped.

  2. Languages: The programming languages for which the CWE is supported.

  3. CWE-ID: The CWE mapped to this attack pattern, along with its short description.

CAPEC CWE Coverage

| Compliance Standard | CWE-ID |
| --- | --- |
| CAPEC-37: Retrieve Embedded Sensitive Data | CWE-256: Plaintext Storage of a Password |
| CAPEC-100: Overflow Buffers | CWE-121: Stack-based Buffer Overflow |
| CAPEC-102: Session side jacking | CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute |
| CAPEC-123: Buffer Manipulation | CWE-787: Out-of-bounds Write |
| CAPEC-126: Path Traversal | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CAPEC-134: Email Injection | CWE-20: Improper Input Validation |
| | CWE-941: Incorrectly Specified Destination in a Communication Channel |
| CAPEC-135: Format String Injection | CWE-134: Use of Externally-Controlled Format String |
| CAPEC-136: LDAP Injection | CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
| CAPEC-159: Redirect Access to Libraries | CWE-114: Process Control |
| CAPEC-165: File Manipulation | CWE-73: External Control of File Name or Path |
| CAPEC-194: Fake the Source of Data | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') |
| CAPEC-197: Exponential Data Expansion | CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') |
| CAPEC-201: Serialized Data External Linking | CWE-611: Improper Restriction of XML External Entity Reference |
| CAPEC-215: Fuzzing and observing application log data/errors for application mapping | CWE-209: Information Exposure Through an Error Message |
| | CWE-532: Insertion of Sensitive Information into Log File |
| CAPEC-242: Code Injection | CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine |
| CAPEC-252: PHP Local File Inclusion | CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') |
| CAPEC-284: Improper Access Control | CWE-501: Trust Boundary Violation |
| CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions | CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition |
| CAPEC-337: Insufficient Transport Layer Protection | CWE-319: Cleartext Transmission of Sensitive Information |
| CAPEC-34: HTTP Response Splitting | CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
| CAPEC-475: Signature Spoofing by Improper Validation | CWE-297: Improper Validation of Certificate with Host Mismatch |
| CAPEC-492: Regular Expression Exponential Blowup | CWE-400: Uncontrolled Resource Consumption |
| | CWE-1333: Inefficient Regular Expression Complexity |
| CAPEC-503: WebView Exposure | CWE-749: Exposed Dangerous Method or Function |
| CAPEC-540: Overread Buffers | CWE-125: Out-of-bounds Read |
| CAPEC-586: Object Injection | CWE-502: Deserialization of Untrusted Data |
| CAPEC-62: Cross Site Request Forgery | CWE-352: Cross-Site Request Forgery (CSRF) |
| CAPEC-63: Cross-Site Scripting (XSS) | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CAPEC-66: SQL Injection | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| CAPEC-83: XPath Injection | CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
| CAPEC-92: Forced Integer Overflow | CWE-190: Integer Overflow or Wraparound |
| CAPEC-93: Log Injection-Tampering-Forging | CWE-117: Improper Output Neutralization for Logs |
| CAPEC-94: Man in the Middle Attack | CWE-295: Improper Certificate Validation |
| | CWE-322: Key Exchange without Entity Authentication |
| CAPEC-97: Cryptanalysis | CWE-325: Missing Cryptographic Step |
| | CWE-326: Inadequate Encryption Strength |
| | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| | CWE-328: Use of Weak Hash |
| | CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) |
| | CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
| | CWE-347: Improper Verification of Cryptographic Signature |
| | CWE-780: Use of RSA Algorithm without OAEP |
| | CWE-916: Use of Password Hash With Insufficient Computational Effort |
| | CWE-1204: Generation of Weak Initialization Vector (IV) |
| CAPEC-462: Cross-Domain Search Timing | CWE-208: Observable Timing Discrepancy |
