| CAPEC | Related Weakness |
| Manipulating Web Input to File System Calls |
| CWE-15 | External Control of System or Configuration Setting |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CWE-23 | Relative Path Traversal |
| CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
| CWE-73 | External Control of File Name or Path |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| CWE-264 | Permissions, Privileges, and Access Controls |
| CWE-272 | Least Privilege Violation |
| CWE-285 | Improper Authorization |
| CWE-346 | Origin Validation Error |
| CWE-348 | Use of Less Trusted Source |
| CWE-715 | OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference |
|
| Pharming |
| CWE-346 | Origin Validation Error |
| CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action |
|
| Navigation Remapping To Propagate Malicious Content |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-345 | Insufficient Verification of Data Authenticity |
| CWE-346 | Origin Validation Error |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
|
| DNS Cache Poisoning |
| CWE-345 | Insufficient Verification of Data Authenticity |
| CWE-346 | Origin Validation Error |
| CWE-348 | Use of Less Trusted Source |
| CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data |
| CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action |
| CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') |
|
| Transaction or Event Tampering via Application API Manipulation |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-345 | Insufficient Verification of Data Authenticity |
| CWE-346 | Origin Validation Error |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
|
| Exploitation of Trusted Credentials |
| CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length |
| CWE-290 | Authentication Bypass by Spoofing |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data |
| CWE-346 | Origin Validation Error |
| CWE-384 | Session Fixation |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
| CWE-642 | External Control of Critical State Data |
| CWE-664 | Improper Control of a Resource Through its Lifetime |
|
| Application API Message Manipulation via Man-in-the-Middle |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-345 | Insufficient Verification of Data Authenticity |
| CWE-346 | Origin Validation Error |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
|
| Session Credential Falsification through Prediction |
| CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| CWE-285 | Improper Authorization |
| CWE-290 | Authentication Bypass by Spoofing |
| CWE-330 | Use of Insufficiently Random Values |
| CWE-331 | Insufficient Entropy |
| CWE-346 | Origin Validation Error |
| CWE-384 | Session Fixation |
| CWE-488 | Exposure of Data Element to Wrong Session |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
| CWE-693 | Protection Mechanism Failure |
| CWE-719 | OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage |
|
| Manipulating Writeable Configuration Files |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') |
| CWE-346 | Origin Validation Error |
| CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data |
| CWE-353 | Missing Support for Integrity Check |
| CWE-354 | Improper Validation of Integrity Check Value |
| CWE-713 | OWASP Top Ten 2007 Category A2 - Injection Flaws |
|
| Application API Navigation Remapping |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-345 | Insufficient Verification of Data Authenticity |
| CWE-346 | Origin Validation Error |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
|
| Application API Button Hijacking |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-345 | Insufficient Verification of Data Authenticity |
| CWE-346 | Origin Validation Error |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
|
| SaaS User Request Forgery |
|
| Cache Poisoning |
| CWE-345 | Insufficient Verification of Data Authenticity |
| CWE-346 | Origin Validation Error |
| CWE-348 | Use of Less Trusted Source |
| CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data |
| CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') |
|
| Exploit Script-Based APIs |
|
| JSON Hijacking (aka JavaScript Hijacking) |
| CWE-345 | Insufficient Verification of Data Authenticity |
| CWE-346 | Origin Validation Error |
| CWE-352 | Cross-Site Request Forgery (CSRF) |
|
| Reusing Session IDs (aka Session Replay) |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| CWE-285 | Improper Authorization |
| CWE-290 | Authentication Bypass by Spoofing |
| CWE-294 | Authentication Bypass by Capture-replay |
| CWE-346 | Origin Validation Error |
| CWE-384 | Session Fixation |
| CWE-488 | Exposure of Data Element to Wrong Session |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
| CWE-664 | Improper Control of a Resource Through its Lifetime |
| CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
