Schema Documentation - Schema Version 2.7.1Document version: 2.7.1 Date: 2015-11-09 This is a draft document. It is intended to support maintenance of CAPEC, and to
educate and solicit feedback from a specific technical audience. This document does
not reflect any official position of the MITRE Corporation or its sponsors.
Copyright © 2015, The
MITRE Corporation. All rights reserved. Permission is granted to redistribute this
document if this paragraph is not removed. This document is subject to change
without notice. Author: CAPEC Team
URL: http://capec.mitre.org/documents/schema/index.html Table of Selected Content Table of Selected Content
Activation ZoneSchema path: Activation Zone This element describes the area within the target software that is capable of executing or otherwise activating the payload of an injection-based attack of this type. The activation zone is where the intent of the attacker is put into action. The activation zone may be a command interpreter, some active machine code in a buffer, a client browser, a system API call, etc.
Alternate TermSchema path: Alternate Terms > Alternate Term This element contains alternate terms by which this attack pattern may be known and a description to explain the context in which the term may be relevant. This is not required for all entries and should only be included where appropriate.
Alternate Term DescriptionSchema path: Alternate Terms > Alternate Term > Alternate Term Description This element provides context to each Alternate_Term by which this attack pattern may be known.
Alternate TermsSchema path: Alternate Terms This element contains one or more Alternate_Term elements, each of which contains other names used to describe this attack pattern.
Architectural ParadigmSchema path: Technical Context > Architectural Paradigms > Architectural Paradigm Architectural paradigm characterizes the target using an enumerated list of supported paradigms in which this attack pattern is possible and relevant. USAGE: This element is represented as an enumerated list to facilitate normalization and classification of attack patterns
Architectural ParadigmsSchema path: Technical Context > Architectural Paradigms This element represents a container of one or more architectural paradigms in which this attack pattern is possible and relevant. Architectural paradigm characterizes the target using an enumerated list of paradigms utilized by the target.
Attack Motivation-Consequence (Attack Motivation-Consequences)Schema path: Attack Motivation-Consequences > Attack Motivation-Consequence What is the attacker trying to achieve by using this attack? This is not the end business/mission goal of the attack within the target context but rather the specific technical result desired that could be leveraged to achieve the end business/mission objective. In order to assist in normalization and classification, this field involves a selection from an enumerated list of defined motivations/consequences which is currently incomplete and will grow as new relevant possibilities are identified. This information is useful for aligning attack patterns to threat models and for determining which attack patterns are relevant for a given context.
Attack Motivation-Consequence (Attack Motivation-Consequences)Schema path: Attack Motivation-Consequences > Attack Motivation-Consequence Attack motivation consequence represents the desired technical results that could be achieved/leveraged by this attack pattern, represented as an enumerated list of defined adversary motivations/consequences.
Attack Motivation-ConsequencesSchema path: Attack Motivation-Consequences What is the attacker trying to achieve by using this attack? This is not the end business/mission goal of the attack within the target context but rather the specific technical result desired that could be leveraged to achieve the end business/mission objective. This information is useful for aligning attack patterns to threat models and for determining which attack patterns are relevant for a given context.
Attack Motivation-ConsequencesSchema path: Attack Motivation-Consequences This element represents a container of one ore more attack motivation consequences. Attack motivation consequence represents the desired technical results that could be achieved/leveraged by this attack pattern, represented as an enumerated list of defined adversary motivations/consequences. USAGE: This element is used to identify specific technical results that could be leveraged to achieve the adversary's business or mission objective. This information is useful for aligning attack patterns to threat models and for determining which attack patterns are relevant for a given context.
Attack PatternSchema path: Attack Pattern This element is an individual attack pattern.
Attack Pattern CatalogSchema path: Attack Pattern Catalog This is the enumerated catalog of common attack patterns.
Attack PhaseSchema path: Attack Phase Segment the attack steps into the various phases of attack. One of three phases "Explore", "Experiment", or "Exploit." Each phase should appear at most once, and attack steps should be grouped by what kind of activities the attacker is carrying out. The exploration and experimentation phases may or may not occur during a particular attack, because the attacker may already know exactly how to exploit a system.
Attack Prerequisite (Attack Prerequisites)Schema path: Attack Prerequisites > Attack Prerequisite This field describes an individual attack prerequisite.
Attack Prerequisite (Attack Prerequisites)Schema path: Attack Prerequisites > Attack Prerequisite This field describes an individual attack prerequisite.
Attack PrerequisitesSchema path: Attack Prerequisites This field describes the conditions that must exist or the functionality and characteristics that the target software must have or behavior it must exhibit for an attack of this type to succeed.
Attack PrerequisitesSchema path: Attack Prerequisites An attack prerequisite is a condition that must exist in order for an attack of this type to succeed.
Attack StepSchema path: Attack Phase > Attack Step Brief description of an individual action step in carrying out the attack
Attack Step DescriptionSchema path: Attack Step Description This field contains a brief description of the attack step.
Attack Step Technique DescriptionSchema path: Attack Step Technique Description This field contains a brief description of the attack step technique.
Attack Step TitleSchema path: Attack Step Title This field contains a short descriptive title for the attack step. It should be kept as short as possible but also clearly convey the nature of the attack step being described.
Attacker Skill or Knowledge Required (Attacker Skills or Knowledge Required)Schema path: Attacker Skills or Knowledge Required > Attacker Skill or Knowledge Required This field describes the level of skill or specific knowledge required by an attacker to execute this type of attack.
Attacker Skill or Knowledge Required (Attacker Skills or Knowledge Required)Schema path: Attacker Skills or Knowledge Required > Attacker Skill or Knowledge Required Attacker skill or knowledge required describes the level of skills or specific knowledge needed by an attacker to execute this type of attack.
Attacker Skills or Knowledge RequiredSchema path: Attacker Skills or Knowledge Required This field describes the level of skills or specific knowledge required by an attacker to execute this type of attack.
Attacker Skills or Knowledge RequiredSchema path: Attacker Skills or Knowledge Required This element represents a container of one or more attacker skill or knowledge required. Attacker skill or knowledge required describes the level of skills or specific knowledge needed by an attacker to execute this type of attack.
AudienceSchema path: View Attributes > View Audience > Audience The Audience element provides a reference to the target audience or group for this view.
Availability ImpactSchema path: CIA Impact > Availability Impact This element describes the typical impact of this pattern on the availability characteristics of the targeted software and related data.
Background Detail (Background Details)Schema path: Background Details > Background Detail This element contains background information regarding the entry or any technologies that are related to it, where the background information is not related to the nature of the category itself. It should be filled out where appropriate.
Background Detail (Background Details)Schema path: Background Details > Background Detail This element contains background information regarding the entry or any technologies that are related to it, where the background information is not related to the nature of the attack pattern itself. It should be filled out where appropriate.
Background DetailsSchema path: Background Details This structure contains one or more Background_Detail elements, each of which holds information regarding the entry or any technologies that are related to it, where the background information is not related to the nature of the entry itself. It should be filled out where appropriate.
Background DetailsSchema path: Background Details This structure contains one or more Background_Detail elements, each of which holds information regarding the entry or any technologies that are related to it, where the background information is not related to the nature of the entry itself. It should be filled out where appropriate.
BlockSchema path: Block Block is a Structured_Text element consisting of one of Text_Title, Text, Code_Example_Language, or Code followed by another Block element. Structured_Text elements help define whitespace and text segments.
Block NatureSchema path: Block > Block Nature This attribute identifies the nature of the content containedwithin the Block.
CIA ImpactSchema path: CIA Impact This element characterizes the typical relative impact of this pattern on the confidentiality, integrity, and availability of the targeted software.
CWE ID (Related Weakness)Schema path: Related Weaknesses > Related Weakness > CWE ID The CWE_ID is a field that exists for all weaknesses enumerated in the Common Weakness Enumeration (CWE). It is a unique value that allows each weakness to be unambiguously identified. The CWE_ID field for the attack pattern contains the value of the CWE_ID for the specific related weakness.
CWE ID (Related Weakness)Schema path: Related Weaknesses > Related Weakness > CWE ID The element contains the Common Weakness Enumeration (CWE) ID of the exploited software weakness.
CodeSchema path: Code Presentation Element: This element is used to define a line of code.
Code Example LanguageSchema path: Code Example Language Presentation Element: This element is used to identify the programming language being used in the following block of Code
CommentSchema path: Comment Presentation Element: This element is used to define a comment in code.
Common Consequence IDSchema path: Common Consequence ID The Common_Consequence_ID stores the value for the related Common_Consequence entry identifier as a string. Only one Common_Consequence_ID element can exist for each Common_Consequence element (ex: CC-1). However, Common_Consequences across CAPEC with the same ID should only vary in small details.
Compound Element AbstractionSchema path: Compound Element Abstraction The Abstraction defines the abstraction level for this attack pattern. The abstraction levels for Compound_Elements and Attack Patterns are the same. For example, if the Compound_Element is a chain, and all elements of the chain are Meta level, then the Compound_Element Abstraction attribute is Meta. This is required for all Compound_Elements.
Compound Element StructureSchema path: Compound Element Structure The Structure attribute defines the structural nature of this compound element - that is, composed of other attack patterns concurrently, as in a composite, or consecutively, as in a chain.
Confidentiality ImpactSchema path: CIA Impact > Confidentiality Impact This element describes the typical impact of this pattern on the confidentiality characteristics of the targeted software and related data.
Consequence NoteSchema path: Consequence Note This subelement provides additional commentary about this consequence.
Consequence ScopeSchema path: Consequence Scope This subelement identifies an individual consequence that may result from this attack pattern.
Consequence Technical ImpactSchema path: Consequence Technical Impact This subelement describes the technical impacts that can result from successful execution of this attack pattern.
Content HistorySchema path: Content History This element is used to keep track of the author of the attack pattern entry and anyone who has made modifications to the content. This provides a means of contacting the authors and modifiers for clarifying ambiguities, merging overlapping contributions, etc. This should be filled out for all entries.
ContributionSchema path: Content History > Contributions > Contribution This element houses the subelements which identify the contributor and contributor's comments related to this entry. This element has a single attribute, Contribution_Mode, which indicates whether the contribution was part of feedback given to the CAPEC team or actual content that was donated.
Contribution CommentSchema path: Content History > Contributions > Contribution > Contribution Comment This element provides the author with a place to store any comments regarding the content of this attack patterns entry, such as assumptions made, reasons for omitting elements, contact information, pending questions, etc.
Contribution DateSchema path: Content History > Contributions > Contribution > Contribution Date This element should provide the date on which this content was authored in YYYY-MM-DD format.
Contribution ModeSchema path: Content History > Contributions > Contribution > Contribution Mode This attribute indicates whether the contribution was part of feedback given to the CAPEC team or actual content that was donated.
Contribution OrganizationSchema path: Content History > Contributions > Contribution > Contribution Organization This element should identify the author's organization.
ContributionsSchema path: Content History > Contributions This structure contains one or more Contribution elements.
ContributorSchema path: Content History > Contributions > Contribution > Contributor This element should contain the name of the author for this entry.
DescriptionSchema path: Description This field provides a description of this Category. Its primary subelement is Description_Summary which is intended to serve as a minimalistic description which provides the information necessary to understand the primary focus of this entry. Additionally, it has the subelement Extended_Description which is optional and is used to provide further information pertaining to this attack pattern.
DescriptionSchema path: Description This field provides a description of this Structure, whether it is an Attack Pattern, Category or Compound Element. Its primary subelement is Description_Summary which is intended to serve as a minimalistic description which provides the information necessary to understand the primary focus of this entry. Additionally, it has the subelement Extended_Description which is optional and is used to provide further information pertaining to this attack pattern.
DescriptionSchema path: Description This element represents a detailed description of an attack pattern. Content may include a summary and a list of steps taken by the attacker. USAGE: This element can be used to capture a range of descriptive information. Comprehensive descriptions might include attack trees, exploit graphs, etc., to more clearly elaborate this type of attack.
Description (Indicator-Warning of Attack)Schema path: Indicators-Warnings of Attack > Indicator-Warning of Attack > Description This element provides an explanatory description of the indicator warning of attack.
Description (Obfuscation Technique)Schema path: Obfuscation Techniques > Obfuscation Technique > Description This element provides an explanatory description of the obfuscation technique.
Description (Payload Activation Impact)Schema path: Payload Activation Impact > Description This element provides an explanatory description of the payload activation impact.
Description (Probing Technique)Schema path: Probing Techniques > Probing Technique > Description This element provides an explanatory description of the probing technique.
Description Summary (Description)Schema path: Description > Description Summary This description should be short and should limit itself to describing the key points that define this entry. Further explanation can be included in the extended description element. This is required for all entries.
Description Summary (Description)Schema path: Description > Description Summary This description should be short and should limit itself to describing the key points that define this entry. Further explanation can be included in the extended description element. This is required for all entries.
EnvironmentsSchema path: Environments References the defined environments where this attack step technique is applicable.
Environments (Indicator)Schema path: Indicator > Environments References the defined environments where this indicator of susceptibility is applicable.
Example-InstanceSchema path: Examples-Instances > Example-Instance This element represents an exploit description and may also provide an external reference and/or a range of related vulnerabilities.
Example-Instance DescriptionSchema path: Examples-Instances > Example-Instance > Example-Instance Description This element describes in detail a specific example or exploit instance of this attack pattern. USAGE: This element is used to define the context of an attack, targeted weaknesses or vulnerabilities, the sequence of attack steps, and the resulting impact of attack success or failure.
Example-Instance Related VulnerabilitiesSchema path: Examples-Instances > Example-Instance > Example-Instance Related Vulnerabilities This element represents a container of one or more instance related vulnerabilities. An instance related vulnerability identifies vulnerabilities targeted by this exploit instance of the attack.
Example-Instance Related VulnerabilitySchema path: Examples-Instances > Example-Instance > Example-Instance Related Vulnerabilities > Example-Instance Related Vulnerability This element identifies specific vulnerabilities targeted by this exploit instance of the attack. USAGE: This element is used to reference industry-standard identifiers such as Common Vulnerabilities and Exposures (CVE) numbers and/or US-CERT numbers.
Examples-InstancesSchema path: Examples-Instances This element represents a container of one or more example instances. An example instance details an explanatory example or demonstrative exploit instance of this attack, USAGE: This element is used to to help the reader understand the nature, context and variability of the attack in more practical and concrete terms.
ExplanationSchema path: Typical Likelihood of Exploit > Explanation This element provides qualifications or assumptions regarding the estimated likelihood.
Extended Description (Description)Schema path: Description > Extended Description This element provides a place for details important to the description of this entry to be included that are not necessary to convey the fundamental concept behind the entry. This is not required for all entries and should only be included where appropriate.
Extended Description (Description)Schema path: Description > Extended Description This element provides a place for details important to the description of this entry to be included that are not necessary to convey the fundamental concept behind the entry. This is not required for all entries and should only be included where appropriate.
FrameworkSchema path: Technical Context > Frameworks > Framework Framework characterizes the target using an enumerated list of supported frameworks in which this attack pattern is possible and relevant. USAGE: This element is represented as an enumerated list to facilitate normalization and classification of attack patterns
FrameworksSchema path: Technical Context > Frameworks This element represents a container of one or more frameworks in which this attack pattern is possible and relevant. Frameworks characterizes the target using an enumerated list of frameworks utilized by the target.
IDSchema path: ID This attribute provides a unique identifier for the entry. It will be static for the lifetime of the entry. In the event that this entry becomes deprecated, the ID will not be reused and a pointer will be left in this entry to the replacement. This is required for all Categories.
IDSchema path: ID This attribute provides a unique identifier for the entry. It will be static for the lifetime of the entry. In the event that this entry becomes deprecated, the ID will not be reused and a pointer will be left in this entry to the replacement. This is required for all Compound_Elements.
ID (Indicator)Schema path: Indicator > ID This field contains a unique integer identifier for the indicator.
ID (Outcome)Schema path: Outcome > ID This field contains a unique integer identifier for the outcome.
ID (Security Control)Schema path: Security Control > ID This field contains a unique integer identifier for the security control.
ID (View)Schema path: View > ID The ID attribute provides a unique identifier for the entry. It will be static for the lifetime of the entry. In the event that this entry becomes deprecated, the ID will not be reused and a pointer will be left in this entry to the replacement. This is required for all Views.
ImageSchema path: Images > Image Presentation Element: This element is used to define an image.
Image LocationSchema path: Images > Image > Image Location This element provides the location of the image file.
Image TitleSchema path: Images > Image > Image Title This element provides a title for the image.
ImagesSchema path: Images Presentation Element: This element is used to define an image.
IndicatorSchema path: Indicator These are indicators that the application may or may not be susceptible to the given attack step (not necessarily the pattern as a whole).
Indicator-Warning of AttackSchema path: Indicators-Warnings of Attack > Indicator-Warning of Attack Indicator warning of attack describes activities, events, conditions or behaviors that may indicate that an attack of this type is imminent, in progress or has occurred.
Indicator DescriptionSchema path: Indicator > Indicator Description This field contains a brief description of the indicator.
Indicators-Warnings of AttackSchema path: Indicators-Warnings of Attack This element represents a container of one or more indicator warning of attack. Indicator warning of attack describes activities, events, conditions or behaviors that may indicate that an attack of this type is imminent, in progress or has occurred.
Injection VectorSchema path: Injection Vector This element details the mechanism and format of an input-driven attack of this type. Injection vectors take into account the grammar of an attack, the syntax accepted by the system, the position of various fields, and the ranges of data that are acceptable.
Integrity ImpactSchema path: CIA Impact > Integrity Impact This element describes the typical impact of this pattern on the integrity characteristics of the targeted software and related data.
KeywordSchema path: Keywords > Keyword Keyword correspond to text strings used to tag and search CAPEC catalog data.
KeywordsSchema path: Keywords This element represents a container of one or more keywords. Keyword correspond to text strings used to tag and search CAPEC catalog data.
LanguageSchema path: Technical Context > Languages > Language Language characterizes the target using an enumerated list of implementation languages in which this attack pattern is possible and relevant. USAGE: This element is represented as an enumerated list to facilitate normalization and classification of attack patterns.
LanguagesSchema path: Technical Context > Languages This element represents a container of one or more languages in which this attack pattern is possible and relevant. Languages characterizes the target using an enumerated list of languages utilized by the target.
LikelihoodSchema path: Typical Likelihood of Exploit > Likelihood This element reflect the likelihood of attack success on a scale of {Very Low, Low, Medium, High, Very High}, in consideration of the attack prerequisites, targeted weakness, attack surface, skills and resources required, as well as effectiveness of likely implemented blocking solutions.
Local Reference IDSchema path: Local Reference ID The Local_Reference_ID is an optional value for the related Local Reference entry identifier as a string. Only one Local_Reference_ID element can exist for each Reference element (ex: R.78.1). Text citing this reference should use the format [R.78.1].
Maintenance NoteSchema path: Maintenance Notes > Maintenance Note This element describes a significant maintenance task within this entry that still need to be addressed, such as clarifying the concepts involved or improving relationships. It should be filled out in any entry that is still undergoing significant review by the CAPEC team.
Maintenance NotesSchema path: Maintenance Notes This element contains one or more Maintenance_Note elements which each contain significant maintenance tasks within this entry that still need to be addressed, such as clarifying the concepts involved or improving relationships. It should be filled out in any entry that is still undergoing significant review by the CAPEC team.
Method of Attack (Methods of Attack)Schema path: Methods of Attack > Method of Attack This field describes the mechanism of attack used by this pattern. In order to assist in normalization and classification, this field involves a selection from an enumerated list of defined vectors which is currently incomplete and will grow as new relevant vectors are identified. This field can help define the applicable attack surface required for this attack.
Method of Attack (Methods of Attack)Schema path: Methods of Attack > Method of Attack Method of attack is enumerated list of defined vectors that identify the underlying mechanism(s) used in the attack. USAGE: This element is represented as an enumerated list to facilitate normalization and classification of attack patterns, and to help define the applicable attack surface required for this attack.
Methods of AttackSchema path: Methods of Attack This field describes the mechanism of attack used by this pattern. This field can help define the applicable attack surface required for this attack.
Methods of AttackSchema path: Methods of Attack This element represents a container of one or more methods of attack. Method of attack is enumerated list of defined vectors that identify the underlying mechanism(s) used in the attack.
ModificationSchema path: Content History > Modifications > Modification This element houses the subelements which identify the modifier and modifier's comments related to this entry. A new Modification element should exist for each modification of the entry content. This element has a single attribute, Modification_Source, which indicates whether this modification was made by a CAPEC team member or an external party.
Modification CommentSchema path: Content History > Modifications > Modification > Modification Comment This element provides the modifier with a place to store any comments regarding the content of this attack pattern entry, such as assumptions made, reasons for omitting elements, contact information, pending questions, etc.
Modification DateSchema path: Content History > Modifications > Modification > Modification Date This element should contain the date of the modifications.
Modification ImportanceSchema path: Content History > Modifications > Modification > Modification Importance This attribute identifies how significant the modification is to the attack pattern with regard to the meaning and interpretation of the pattern. If a modification has a value of Critical, then the meaning of the entry or how it might be interpreted has changed and requires attention from anyone previously dependent on the attack pattern.
Modification SourceSchema path: Content History > Modifications > Modification > Modification Source This attribute indicates whether this modification was created by a CAPEC team member or provided by an external party.
ModificationsSchema path: Content History > Modifications This structure contains one or more Modification elements.
ModifierSchema path: Content History > Modifications > Modification > Modifier This element should contain the name of the person modifying this entry.
Modifier OrganizationSchema path: Content History > Modifications > Modification > Modifier Organization This element should contain the modifier's organization.
NameSchema path: Name The Name is a descriptive name used to give the reader an idea of what the commonality is amongst the children of this category. All words in the name should be capitalized except for articles and prepositions unless they begin or end the name. Subsequent words in a hyphenated chain are also not capitalized. This is required for all Categories.
NameSchema path: Name The Name is a descriptive name used to give the reader an idea of the meaning behind the compound attack pattern structure. All words in the name should be capitalized except for articles and prepositions unless they begin or end the name. Subsequent words in a hyphenated chain are also not capitalized. This is required for all Compound_Elements.
Name (Attack Phase)Schema path: Attack Phase > Name "Explore", "Experiment", or "Exploit."
Name (View)Schema path: View > Name The Name is a descriptive attribute used to give the reader an idea of what perspective this view represents. All words in the name should be capitalized except for articles and prepositions unless they begin or end the name. Subsequent words in a hyphenated chain are also not capitalized. This is required for all Views.
Name Change DateSchema path: Content History > Previous Entry Names > Previous Entry Name > Name Change Date This lists the date on which this name was changed to something else. Typically, this date will be closely aligned with new releases of CAPEC.
Non-Recommended Design PatternSchema path: Relevant Design Patterns > Non-Recommended Design Patterns > Non-Recommended Design Pattern A non-recommended design can decrease a sofware's resistence or resilience to this type of attack, leaving the system more susceptible.
Non-Recommended Design PatternsSchema path: Relevant Design Patterns > Non-Recommended Design Patterns This element represents a container of one or more non-recommended design patterns. A non-recommended design can decrease a sofware's resistence or resilience to this type of attack, leaving the system more susceptible.
NoteSchema path: Other Notes > Note This element contains any additional notes or comments that cannot be captured using other elements. New elements might be defined in the future to contain this information. It should be filled out where needed.
Obfuscation Technique (Obfuscation Techniques)Schema path: Obfuscation Techniques > Obfuscation Technique An obfuscation technique can be used to disguise the fact that an attack of this type is imminent, in progress or has occurred.
Obfuscation TechniquesSchema path: Obfuscation Techniques This element represents a container of one or more obfuscation techniques. An obfuscation technique can be used to disguise the fact that an attack of this type is imminent, in progress or has occurred.
Observables (Indicator-Warning of Attack)Schema path: Indicators-Warnings of Attack > Indicator-Warning of Attack > Observables This element specifies detailed cyber observable patterns for potential detection of the indicator warning of attack.
Observables (Obfuscation Technique)Schema path: Obfuscation Techniques > Obfuscation Technique > Observables This element specifies detailed cyber observable patterns for potential detection of the obfuscation technique.
Observables (Payload Activation Impact)Schema path: Payload Activation Impact > Observables This element specifies detailed cyber observable patterns for potential detection of the payload activation impact.
Observables (Probing Technique)Schema path: Probing Techniques > Probing Technique > Observables This element specifies detailed cyber observable patterns for potential detection of the probing technique activity.
OrdinalSchema path: Relationship Views > Relationship View ID > Ordinal The ordinal attribute is used to determine if this relationship is the primary ChildOf relationship for this entry for a given Relationship_View_ID element.. This attribute can only have the value "Primary" and should only be included for the primary parent/child relationship.
Other NotesSchema path: Other Notes This element contains one or more Note elements, each of which provide any additional notes or comments that cannot be captured using other elements. New elements might be defined in the future to contain this information. It should be filled out where needed.
OutcomeSchema path: Outcome This field captures possible outcomes for this attack step.
PayloadSchema path: Payload This element describes the code, configuration or other data to be executed or otherwise activated as part of an injection-based attack of this type.
Payload Activation ImpactSchema path: Payload Activation Impact This element describes the impact that the activation of the attack payload for an injection-based attack of this type would typically have on the confidentiality, integrity or availability of the target software.
PlatformSchema path: Technical Context > Platforms > Platform Platform characterizes the target using an enumerated list of supported platforms in which this attack pattern is possible and relevant. USAGE: This element is represented as an enumerated list to facilitate normalization and classification of attack patterns
PlatformsSchema path: Technical Context > Platforms This element represents a container of one or more platforms in which this attack pattern is possible and relevant. Platforms characterizes the target using an enumerated list of platforms utilized by the target.
Previous Entry NameSchema path: Content History > Previous Entry Names > Previous Entry Name This element identifies a name that was previously used for this entry.
Previous Entry NamesSchema path: Content History > Previous Entry Names This structure contains one or more Previous_Entry_Name elements, each of which describes a previous name that was used for this entry. This should be filled out whenever a substantive name change occurs.
Probing TechniqueSchema path: Probing Techniques > Probing Technique A probing technique describes a method used to probe and reconnoiter a potential target to determine vulnerability and/or to prepare for this type of attack.
Probing TechniquesSchema path: Probing Techniques This element represents a container of one or more probing techniques. A probing technique describes a method used to probe and reconnoiter a potential target to determine vulnerability and/or to prepare for this type of attack.
PurposeSchema path: Purposes > Purpose Purpose refers to the intended purpose behind the attack pattern relative to an enumerated list of attack objectives. USAGE: This element is represented as an enumerated list to facilitate normalization and classification of attack patterns
PurposesSchema path: Purposes This element represents a container of one or more purposes. Purpose refers to the intended purpose behind the attack pattern relative to an enumerated list of attack objectives. USAGE: This element is used to capture pattern composibility and assist with normalization and classification of attack patterns within the CAPEC catalog.
Recommended Design PatternSchema path: Relevant Design Patterns > Recommended Design Patterns > Recommended Design Pattern A design pattern that is likely to increase the software’s resistance or resiliency to this type of attack.
Recommended Design PatternsSchema path: Relevant Design Patterns > Recommended Design Patterns This element represents a container of one or more recommended design patterns. A recommended design pattern increases the software's resistance or resilience to this type of attack.
Reference (Reference List Type)Schema path: Reference List Type > Reference Each Reference subelement should provide a single source from which more information and deeper insight can be obtained, such as a research paper or an excerpt from a publication. Multiple Reference subelements can exist. The sole attribute of this element is the id. The id is optional and translates to a preceding footnote below the context notes if the author of the entry wants to cite a reference. Not all subelements need to be completed, since some are designed for web references and others are designed for book references. The fields Reference_Author and Reference_Title should be filled out for all references if possible. Reference_Section and Reference_Date can be included for either book references or online references. Reference_Edition, Reference_Publication, Reference_Publisher, and Reference_PubDate are intended for book references, however they can be included where appropriate for other types of references. Reference_Link is intended for web references, however it can be included for book references as well if applicable.
Reference (References)Schema path: References > Reference Reference represents a documentary resource used to develop the definition of this attack pattern.
Reference AuthorSchema path: Reference Author This element identifies an individual author of the material being referenced. It is not required, but may be repeated sequentially in order to identify multiple authors for a single piece of material.
Reference DateSchema path: Reference Date This element identifies the date when the reference was included in the entry. This provides the reader with a time line for when the material in the reference, usually the link, was valid. The date should be of the format YYYY-MM-DD.
Reference EditionSchema path: Reference Edition This element identifies the edition of the material being referenced in the event that multiple editions of the material exist. This will usually only be useful for book references.
Reference IDSchema path: Reference ID The Reference_ID is an optional value for the related Reference entry identifier as a string. Only one Reference_ID element can exist for each Reference element (ex: REF-1). However, References across CAPEC with the same ID should only vary in small details. Text citing this reference should use the local reference ID, as this ID is only for reference library related consistency checking and maintenance.
Reference LinkSchema path: Reference Link This element should hold the URL for the material being referenced, if one exists. This should always be used for web references, and may optionally be used for book and other publication references.
Reference List TypeSchema path: Reference List Type The References_List_Type contains one or more Reference elements, each of which provide further reading and insight into the item. This should be filled out as appropriate.
Reference PubDateSchema path: Reference PubDate This field describes the date when the reference was published YYYY.
Reference PublicationSchema path: Reference Publication This element identifies the publication source of the reference material, if one exists.
Reference PublisherSchema path: Reference Publisher This element identifies the publisher of the reference material, if one exists.
Reference SectionSchema path: Reference Section This element is intended to provide a means of identifying the exact location of the material inside of the publication source, such as the relevant pages of a research paper, the appropriate chapters from a book, etc. This is useful for both book references and internet references.
Reference TitleSchema path: Reference Title This element identifies the title of the material beingreferenced. It is not required if the material does not have a title.
ReferencesSchema path: References The References element contains one or more Reference elements, each of which provide further reading and insight into this attack pattern.
ReferencesSchema path: References The References element contains one or more Reference elements, each of which provide further reading and insight into this attack pattern.
ReferencesSchema path: References This element represents a container of one or more references. Reference represents a documentary resource used to develop the definition of this attack pattern.
References (View Attributes)Schema path: View Attributes > References The References element contains one or more Reference elements, each of which provide further reading and insight into this view. This should be filled out when the view is based on sources or projects that are external to the CAPEC project.
Related Attack PatternSchema path: Related Attack Patterns > Related Attack Pattern A related attack pattern refers to an attack pattern that is dependent on or applied in conjunction with this attack pattern.
Related Attack PatternsSchema path: Related Attack Patterns This element represents a container of one or more related attack patterns. A related attack pattern refers to an attack pattern that is dependent on or applied in conjunction with this attack pattern.
Related GuidelineSchema path: Related Guidelines > Related Guideline A related guideline represents a security guideline that is relevant to identifying or mitigating this type of attack.
Related GuidelinesSchema path: Related Guidelines This element represents a container of one or more related guidelines. A related guideline represents a security guideline that is relevant to identifying or mitigating this type of attack. USAGE: It would be helpful to provide a usage reference. However links to security principle and guideline documentation on the BSI site appear to be broken. NIST SP 800-27 uses the terms principle and guideline interchangeably.
Related Security PrincipleSchema path: Related Security Principles > Related Security Principle A related security principle is a security rule or practice that impedes this attack pattern.
Related Security PrinciplesSchema path: Related Security Principles This element represents a container of one or more related security principles. A principle is defined as a rule or standard for good behavior. A related security principle is a security rule or practice that impedes this attack pattern. USAGE: Usage defined in NIST SP 800-27A, "Engineering Principles for Information Technology Security", Revision A.
Related VulnerabilitiesSchema path: Related Vulnerabilities This element represents a container of one or more related vulnerabilities. A related vulnerability refers to a specific instance vulnerability targeted for exploit by this attack pattern. USAGE: This element is used to identify specific vulnerabilities by their industry-standard Common Vulnerabilities and Exposures (CVE) numbers and/or US-CERT numbers. As vulnerabilities are much more specific and localized than weaknesses, it is uncommon that an attack pattern would target a specific vulnerability. This would most likely occur if the attack pattern were targeting vulnerabilities in the underlying platform, framework, or software library.
Related VulnerabilitySchema path: Related Vulnerabilities > Related Vulnerability This element represents a specific instance vulnerability targeted for exploit by this attack pattern.
Related Weakness (Related Weaknesses)Schema path: Related Weaknesses > Related Weakness This field describes an individual related weakness.
Related Weakness (Related Weaknesses)Schema path: Related Weaknesses > Related Weakness Related weaknesses refer to software weaknesses potentially targeted for exploit by this attack pattern.
Related WeaknessesSchema path: Related Weaknesses Which specific weaknesses does this attack target and leverage? Specific weaknesses (underlying issues that may cause vulnerabilities) reference the industry-standard Common Weakness Enumeration (CWE). This list should include not only those weaknesses that are directly targeted by the attack but also those whose presence can directly increase the likelihood of the attack succeeding or the impact if it does succeed.
Related WeaknessesSchema path: Related Weaknesses This element represents a container of one or more related weaknesses. Related weaknesses refer to software weaknesses potentially targeted for exploit by this attack pattern. USAGE: This element is used to reference industry standard Common Weakness Enumeration (CWE) data, including weaknesses that are exploited by the attack as well as weaknesses whose presence increases the likelihood or impact of the attack.
RelationshipSchema path: Relationships > Relationship Each Relationship identifies an association between this structure, whether it is an Attack Pattern, Category, or Compound_Element and another structure. The relationship also identifies the views under which the relationship is applicable.
Relationship Chain IDSchema path: Relationship Chains > Relationship Chain ID This element specifies the unique ID of an individual chain element this relationship pertains to.
Relationship ChainsSchema path: Relationship Chains This element contains a list of the individual Chains this relationship pertains to.
Relationship NatureSchema path: Relationship Nature The Relationship_Nature element defines the nature of the relationship between this element and the target element, such as ChildOf, HasMember or Requires to name a few.
Relationship NoteSchema path: Relationship Notes > Relationship Note This element contains a note regarding the relationships between CAPEC entries.
Relationship NotesSchema path: Relationship Notes This structure houses one or more Relationship_Note elements, which each contain details regarding the relationships between CAPEC entries.
Relationship Target FormSchema path: Relationship Target Form The Relationship_Target_Form element defines the form of the target of this relationship, such as Category, Attack Pattern, View or Compound_Element.
Relationship Target IDSchema path: Relationship Target ID The Relationship_Target_ID specifies the unique ID of the target element of the relationship.
Relationship View IDSchema path: Relationship Views > Relationship View ID Specifies the unique ID of the individual view element to which this relationship pertains. This ID must correspond to a View.
Relationship ViewsSchema path: Relationship Views This element contains a list of the individual Views to which this relationship pertains.
RelationshipsSchema path: Relationships The Relationships structure contains one or more Relationship elements, each of which identifies an association between this structure, whether it is a Attack Pattern, Category, or Compound_Element and another structure.
Relevant Design PatternsSchema path: Relevant Design Patterns This element represents a container of one or more relevant design patterns. Relevant design patterns include both recommended design patterns, which increase the software's resistance or resilience to this type of attack, and non-recommended design patterns, which could leave the system especially susceptible to this type of attack.
Relevant Security PatternSchema path: Relevant Security Patterns > Relevant Security Pattern A relevant security pattern provides resistance or resilience to this type of attack.
Relevant Security PatternsSchema path: Relevant Security Patterns This element represents a container of one or more relevant security patterns. A relevant security pattern provides resistance or resilience to this type of attack.
Relevant Security RequirementSchema path: Relevant Security Requirements > Relevant Security Requirement A relevant security requirement is a general security requirement that is relevant to this type of attack.
Relevant Security RequirementsSchema path: Relevant Security Requirements This element represents a container of one or more relevant security requirements. A relevant security requirement is a general security requirement that is relevant to this type of attack.
Research GapSchema path: Research Gaps > Research Gap This element identifies potential opportunities for the vulnerability research community to conduct further exploration of issues related to this attack pattern. It is intended to highlight parts of CAPEC that have not received sufficient attention from researchers. This should be filled out where appropriate for attack patterns and categories.
Research GapsSchema path: Research Gaps This structure contains one or more Research gap elements, each of which identifies potential opportunities for the attack research community to conduct further exploration of issues related to this attack pattern. It is intended to highlight parts of CAPEC that have not received sufficient attention from researchers. This should be filled out where appropriate for attack patterns and categories.
Resources RequiredSchema path: Resources Required This field describes the resources (CPU cycles, IP addresses, tools, etc.) required by an attacker to effectively execute this type of attack.
Resources RequiredSchema path: Resources Required This element describes the resources (CPU cycles, IP addresses, tools, etc.) required by an attacker to effectively execute this type of attack.
Security ControlSchema path: Security Control This field captures security controls for this attack step that describe ways in which the attack step can be detected, corrected, or prevented. These are presented from a defender’s point of view, where the defender may be a developer, tester, operations administrator, or other resource resisting the attacker.
Skill or Knowledge Level (Attacker Skill or Knowledge Required)Schema path: Attacker Skills or Knowledge Required > Attacker Skill or Knowledge Required > Skill or Knowledge Level This should be communicated on a rough scale (Low, Medium, High). For example: • Low - Basic computer familiarity • Low - Basic SQL knowledge • Medium - Moderate scripting and shell experience and ability to disassemble and decompile • High - Expert knowledge of LINUX kernel • High - Detailed knowledge of target software development practices and business context (former employee) • Etc.
Skill or Knowledge Level (Attacker Skill or Knowledge Required)Schema path: Attacker Skills or Knowledge Required > Attacker Skill or Knowledge Required > Skill or Knowledge Level This element reflects the level of knowledge or skill required to execute this type of attack on a scale of { Low, Medium, High }. USAGE: This element is used to represent the level with respect to a specified type of skill or knowledge, e.g., low - basic SQL knowledge, high - expert knowledge of LINUX kernel, etc.
Skill or Knowledge Type (Attacker Skill or Knowledge Required)Schema path: Attacker Skills or Knowledge Required > Attacker Skill or Knowledge Required > Skill or Knowledge Type This field provides contextual detail for the skill or knowledge level.
Skill or Knowledge Type (Attacker Skill or Knowledge Required)Schema path: Attacker Skills or Knowledge Required > Attacker Skill or Knowledge Required > Skill or Knowledge Type This element details the skill or knowledge required.
Solution or MitigationSchema path: Solutions and Mitigations > Solution or Mitigation A solution or mitigation describes actions or approaches to prevent or mitigate the risk of this attack by improving the resilience of the target system, reduce its attack surface or to reduce the impact of the attack if it is successful.
Solutions and MitigationsSchema path: Solutions and Mitigations This element represents a container of one or more solutions or mitigations. A solution or mitigation describes actions or approaches to prevent or mitigate the risk of this attack by improving the resilience of the target system, reduce its attack surface or to reduce the impact of the attack if it is successful.
StakeholderSchema path: View Attributes > View Audience > Audience > Stakeholder The Stakeholder element specifies what types of members of the CAPEC community might be interested in this view.
Stakeholder DescriptionSchema path: View Attributes > View Audience > Audience > Stakeholder Description The Stakeholder_Description element provides some text describing what properties of this View this particular Stakeholder might find useful.
StatusSchema path: Status The Status attribute defines the status level for this category.
StatusSchema path: Status The Status attribute defines the status level for this compound element.
StatusSchema path: Status The Status attribute defines the status level for this view.
Status (View)Schema path: View > Status The Status attribute defines the status level for this view.
SubmissionSchema path: Content History > Submissions > Submission This element houses the subelements which identify the submitter and the submitter's comments related to this entry. This element has a single attribute, Submission_Source, which provides a general idea of how the initial information for this entry was obtained, whether internal to the CAPEC team, external, donated, etc.
Submission CommentSchema path: Content History > Submissions > Submission > Submission Comment This element provides the author with a place to store any comments regarding the content of this attack pattern entry, such as assumptions made, reasons for omitting elements, contact information, pending questions, etc.
Submission DateSchema path: Content History > Submissions > Submission > Submission Date This element should provide the date on which this content was authored in YYYY-MM-DD format.
Submission SourceSchema path: Content History > Submissions > Submission > Submission Source This attribute identifies how the initial information for this entry was obtained.
SubmissionsSchema path: Content History > Submissions This structure contains one or more Submission elements.
SubmitterSchema path: Content History > Submissions > Submission > Submitter This element should contain the name of the author for this entry.
Submitter OrganizationSchema path: Content History > Submissions > Submission > Submitter Organization This element should identify the author's organization.
SummarySchema path: Description > Summary This element provides a summary description of the attack that includes the attack target and sequence of steps.
Target Attack SurfaceSchema path: Target Attack Surface This element characterizes the locations where an attacker interacts with the target system.
Technical ContextSchema path: Technical Context This element characterizes the technical context where this pattern is applicable.
TermSchema path: Alternate Terms > Alternate Term > Term This element contains the actual term for the Alternate_Term element. Each term should follow the same conventions as the entry Name attribute.
TextSchema path: Text Presentation Element: This element is used to define a paragraph of text.
Text TitleSchema path: Text Title Presentation Element: This element is used to definebold-faced title for a subsequent block of text.
Typical Likelihood of ExploitSchema path: Typical Likelihood of Exploit This element represents the typical likelihood that the attack will succeed, and provides a likelihood estimate and an explanation that qualifies the estimate. USAGE: This element is used to capture an overall typical average value for this type of attack with the understanding that it will not be completely accurate for all attacks.
Typical SeveritySchema path: Typical Severity This element reflect the typical severity of an attack on a scale of {Very Low, Low, Medium, High, Very High}. USAGE: This element is used to capture an overall typical average value for this type of attack with the understanding that it will not be completely accurate for all attacks.
ViewSchema path: View Each View element represents a perspective with which one might look at the attack patterns in CAPEC.
View AttributesSchema path: View Attributes The View_Attributes structure is a collection of common elements which might be shared by all Views.
View AudienceSchema path: View Attributes > View Audience The View_Audience element provides a reference to the targeted audiences or groups for this view.
View FilterSchema path: View Attributes > View Filter The View_Filter element holds an XSL query for identifying which elements are members of an implicit slice. This should only be present for implicit slices.
View ObjectiveSchema path: View Attributes > View Objective The View_Objective element describes the perspective from which this View is constructed.
View StructureSchema path: View Attributes > View Structure The View_Structure element describes how this view is being constructed. Valid values are: Implicit Slice = a slice based on a filter criteria; Explicit Slice = a slice based on arbitrary membership, as defined by specific relationships between entries; Graph = a bounded graphical slice based on ChildOf relationships.
Vulnerability DescriptionSchema path: Related Vulnerabilities > Related Vulnerability > Vulnerability Description This element contains a short textual description of the specific related vulnerability taken from the industry standard vulnerability listing.
Vulnerability IDSchema path: Related Vulnerabilities > Related Vulnerability > Vulnerability ID The element contains the Common Vulnerabilities and Explosures (CVE) or US-CERT number identifying the vulnerability.
Weakness Relationship Type (Related Weakness)Schema path: Related Weaknesses > Related Weakness > Weakness Relationship Type This field describes the nature of the relationship between this weakness and the attack pattern. Weaknesses that are specifically targeted by the attack are of type “Targeted”. Weaknesses which are not specifically targeted but whose presence may increase the likelihood of the attack succeeding or the impact of the attack if it does succeed are of type “Secondary”.
Weakness Relationship Type (Related Weakness)Schema path: Related Weaknesses > Related Weakness > Weakness Relationship Type This element describes the nature of the relationship between the attack pattern and the software weakness, represented as the enumerated list {Targeted, Secondary}. USAGE: This element is used to indicate whether the weakness is targeted or secondary. If the attack is designed to exploit the weakness, then that weakness is Targeted. A weaknesses whose presence may increase the likelihood of the attack succeeding or the impact of the attack if it does succeed is Secondary.
type (Indicator)Schema path: Indicator > type Each indicator has a mandatory type attribute that can be one of the values “Positive,” “Negative,” or “Inconclusive.” For example, a positive indicator of susceptibility to parameter tampering is the existence of parameters in the URL. Although it does not guarantee susceptibility, it indicates a cause for further examination. A negative indicator for the technique of privilege escalation is a lack of credentials and user identifiers in an application. Again, this is not a conclusive measure of resistance to attack, but an indicator that the attack step technique is unlikely to bear significant fruit. An inconclusive indicator of susceptibility to dynamic code injection is a page whose URL ends in .jsp, .asp, or .do but which has no visible explicit parameters. Such URLs typically indicate dynamic processing, but since no visible parameters are passed, it is inconclusive whether dynamic code could be injected into the application.
type (Outcome)Schema path: Outcome > type An outcome has a mandatory type attribute that can be one of the values “success,” “failure,” or “inconclusive.” It indicates what results of executing the attack step techniques should be considered successes, which should be considered failures, and which ones are inconclusive. Outcomes’ successes are determined relative to the attacker’s point of view. It is a success if the attack step got the attacker closer to his goal of attacking the application. It is a failure if the attacker got no closer to his goal.
type (Security Control)Schema path: Security Control > type Each security control has a mandatory type attribute that can be one of the values “Detective,” “Corrective,” or “Preventative.” Detective controls detect an attacker’s activities in the attack step, whether the activities are successful or not. Corrective controls attempt to mitigate an attacker’s success by responding to a successful outcome. They are not related to or normalized against outcomes. Preventative controls are those that make the attack step unlikely or impossible to succeed.
More information is available — Please select a different filter.
|
