| CAPEC | Related Weakness |
| Using Unicode Encoding to Bypass Validation Logic |
| CWE-20 | Improper Input Validation |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-171 | DEPRECATED: Cleansing, Canonicalization, and Comparison Errors |
| CWE-172 | Encoding Error |
| CWE-173 | Improper Handling of Alternate Encoding |
| CWE-176 | Improper Handling of Unicode Encoding |
| CWE-179 | Incorrect Behavior Order: Early Validation |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize |
| CWE-183 | Permissive List of Allowed Inputs |
| CWE-184 | Incomplete List of Disallowed Inputs |
| CWE-692 | Incomplete Denylist to Cross-Site Scripting |
| CWE-697 | Incorrect Comparison |
|
| Argument Injection |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| CWE-146 | Improper Neutralization of Expression/Command Delimiters |
| CWE-184 | Incomplete List of Disallowed Inputs |
| CWE-185 | Incorrect Regular Expression |
| CWE-697 | Incorrect Comparison |
| CWE-713 | OWASP Top Ten 2007 Category A2 - Injection Flaws |
|
| Command Delimiters |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') |
| CWE-138 | Improper Neutralization of Special Elements |
| CWE-140 | Improper Neutralization of Delimiters |
| CWE-146 | Improper Neutralization of Expression/Command Delimiters |
| CWE-154 | Improper Neutralization of Variable Name Delimiters |
| CWE-157 | Failure to Sanitize Paired Delimiters |
| CWE-184 | Incomplete List of Disallowed Inputs |
| CWE-185 | Incorrect Regular Expression |
| CWE-697 | Incorrect Comparison |
| CWE-713 | OWASP Top Ten 2007 Category A2 - Injection Flaws |
|
| AJAX Fingerprinting |
| CWE-20 | Improper Input Validation |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CWE-86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages |
| CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
| CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
| CWE-116 | Improper Encoding or Escaping of Output |
| CWE-184 | Incomplete List of Disallowed Inputs |
| CWE-348 | Use of Less Trusted Source |
| CWE-692 | Incomplete Denylist to Cross-Site Scripting |
| CWE-712 | OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS) |
|
| Double Encoding |
| CWE-20 | Improper Input Validation |
| CWE-21 | DEPRECATED: Pathname Traversal and Equivalence Errors |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-171 | DEPRECATED: Cleansing, Canonicalization, and Comparison Errors |
| CWE-172 | Encoding Error |
| CWE-173 | Improper Handling of Alternate Encoding |
| CWE-177 | Improper Handling of URL Encoding (Hex Encoding) |
| CWE-181 | Incorrect Behavior Order: Validate Before Filter |
| CWE-183 | Permissive List of Allowed Inputs |
| CWE-184 | Incomplete List of Disallowed Inputs |
| CWE-692 | Incomplete Denylist to Cross-Site Scripting |
| CWE-697 | Incorrect Comparison |
|
| Flash Injection |
| CWE-20 | Improper Input Validation |
| CWE-184 | Incomplete List of Disallowed Inputs |
| CWE-697 | Incorrect Comparison |
|
| Using Leading 'Ghost' Character Sequences to Bypass Input Filters |
| CWE-20 | Improper Input Validation |
| CWE-41 | Improper Resolution of Path Equivalence |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-171 | DEPRECATED: Cleansing, Canonicalization, and Comparison Errors |
| CWE-172 | Encoding Error |
| CWE-173 | Improper Handling of Alternate Encoding |
| CWE-179 | Incorrect Behavior Order: Early Validation |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize |
| CWE-181 | Incorrect Behavior Order: Validate Before Filter |
| CWE-183 | Permissive List of Allowed Inputs |
| CWE-184 | Incomplete List of Disallowed Inputs |
| CWE-697 | Incorrect Comparison |
| CWE-707 | Improper Neutralization |
|
| Exploiting Multiple Input Interpretation Layers |
| CWE-20 | Improper Input Validation |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| CWE-171 | DEPRECATED: Cleansing, Canonicalization, and Comparison Errors |
| CWE-179 | Incorrect Behavior Order: Early Validation |
| CWE-181 | Incorrect Behavior Order: Validate Before Filter |
| CWE-183 | Permissive List of Allowed Inputs |
| CWE-184 | Incomplete List of Disallowed Inputs |
| CWE-697 | Incorrect Comparison |
| CWE-707 | Improper Neutralization |
|
| User-Controlled Filename |
| CWE-20 | Improper Input Validation |
| CWE-86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages |
| CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
| CWE-116 | Improper Encoding or Escaping of Output |
| CWE-184 | Incomplete List of Disallowed Inputs |
| CWE-348 | Use of Less Trusted Source |
| CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action |
| CWE-697 | Incorrect Comparison |
|
