
ID Name Abstraction Status Description Alternate Terms Likelihood Of Attack Typical Severity Related Attack Patterns Execution Flow

106 DEPRECATED Detailed Deprecate This attack pattern has been deprecated as it referes to an existing chain relationsh
112 Brute Forc Meta Draft In this attack, some asset (infor High ::STEP:1:PH
113 API ManipuMeta Stable An adversary manipula Medium Medium
114 AuthenticaMeta Draft An attacker obtains unauthorizedMedium
115 AuthenticaMeta Draft An attacker gains access to appliMedium
116 ExcavationMeta Stable An adversary actively High Medium
117 InterceptioMeta Stable An adversary monitorsLow Medium
122 Privilege A Meta Draft An adversary is able to exploit f Medium
123 Buffer ManMeta Draft An adversary manipulat High Very High
124 Shared DatMeta Draft An adversary exploits a data struMedium
125 Flooding Meta Stable An adversary consumes High Medium
129 Pointer MaMeta Draft This attack pattern involves an a Medium
Excessive AMeta Stable An adversary causes th Medium Medium
131 Resource LMeta Stable An adversary utilizes Medium Medium
137 Parameter Meta Stable An adversary manipula Medium Medium
148 Content SpMeta Stable An adversary modifiesMedium Medium
151 Identity SpMeta Stable Identity Spoofing refeMedium Medium
153 Input DataMeta Draft An attacker exploits a weakness Medium
154 Resource LMeta Stable An adversary deceivesMedium Medium
161 Infrastruc Meta Draft An attacker exploits characteristHigh
165 File ManipuMeta Draft An attacker modifies file contentMedium
169 FootprintinMeta Stable An adversary engagesHigh Very Low ::STEP:1:P
171 DEPRECATED Meta Deprecate This attack pattern has been deprecated as it is a duplicate of the existing attack pa
173 Action SpoMeta Stable An adversary is able tHigh Very High
175 Code Inclu Meta Stable An adversary exploits Medium Very High
176 Configurat Meta Draft An attacker manipulates files or Medium
184 Software InMeta Draft An attacker initiates a series of Low
188 Reverse EnMeta Stable An adversary discovers Low Low
192 Protocol AnMeta Stable An adversary engagesLow Low
205 DEPRECATED: Detailed Deprecate This attack pattern has been deprecated as it is a duplicate of CAPEC-37 : Retrieve E
21 ExploitatioMeta Draft Attacks on session ID High High ::STEP:1:PH
211 DEPRECATED Detailed Deprecate This attack pattern has been deprecated as it was deemed not to be a legitimate att
212 Functional Meta Stable An adversary leverages Medium Medium
213 DEPRECATED Standard Deprecate This attack pattern has been deprecated as it is a duplicate of the existing attack pa
216 Communicat Meta Stable An adversary manipulates a setting or parameter on communicatio
22 Exploiting TMeta Draft An attack of this type High High
224 FingerprintMeta Stable An adversary compares High Very Low
227 Sustained Meta Draft An adversary attempts to deny legitimate users access to a resour
233 Privilege E Meta Draft An adversary exploits a weakness enabling them to elevate their privilege and perf
235 DEPRECATED Detailed Deprecate This attack pattern has been deprecated. Please refer to CAPEC:30 - Hijacking a Priv
238 DEPRECATED Detailed Deprecate This attack pattern has been deprecated as it did not appear to be a valid attack pa
239 DEPRECATED: Detailed Deprecate This attack pattern has been deprecated as it did not contain any content and did n
240 Resource InMeta Stable An adversary exploits High High
241 DEPRECATED Meta Deprecate This attack pattern has been deprecated as it is a duplicate of the existing attack pa
242 Code InjectMeta Stable An adversary exploits High High
246 DEPRECATED Detailed Deprecate This pattern has been deprecated as it is covered by a chaining relationship betwee
248 Command M Meta Stable An adversary looking Medium High
249 DEPRECATED Standard Deprecate This attack pattern has been deprecated as it is covered by CAPEC-40 : Manipulatin
25 Forced DeaMeta Stable The adversary triggersLow High ::STEP:1:PH
254 DEPRECATED Detailed Deprecate This pattern has been deprecated as it was determined to be an unnecessary layer
257 DEPRECATED Meta Deprecate This attack pattern has been deprecated as it was deemed not to be a legitimate att
258 DEPRECATED Detailed Deprecate This attack pattern has been deprecated as it is a duplicate of the existing attack pa
259 DEPRECATED Standard Deprecate This attack pattern has been deprecated as it is a duplicate of the existing attack pa
26 LeveragingMeta Stable The adversary targetsHigh High ::STEP:1:PH
260 DEPRECATED:Detailed Deprecate This attack pattern has been deprecated as it is a duplicate of the existing attack pa
264 DEPRECATED Meta Deprecate This attack pattern has been deprecated as it is a duplicate of the existing attack pa
265 DEPRECATED Meta Deprecate This attack pattern has been deprecated as it is a duplicate of the existing attack pa
266 DEPRECATED Meta Deprecate This attack pattern has been deprecated.
269 DEPRECATED Meta Deprecate This pattern has been deprecated as it was determined to be a duplicate of anothe
272 Protocol MMeta Draft An adversary subverts a communicaMedium
28 Fuzzing Meta Draft In this attack pattern High Medium ::STEP:1:PHASE:Explor
280 DEPRECATEDetailed Deprecate This attack pattern has been deprecated as its contents have been included in CAPE
288 DEPRECATED Meta Deprecate This attack pattern has been deprLow
289 DEPRECATED Meta Deprecate This attack pattern has been deprecated as it was determined to be an unnecessar
311 DEPRECATED Standard Deprecate This pattern has been deprecated as it was determined to be an unnecessary layer
314 DEPRECATED Standard Deprecate This pattern has been deprecated as it was determined to be an unnecessary layer
315 DEPRECATED Standard Deprecate This pattern has been deprecated as it was determined to be an unnecessary layer
316 DEPRECATED Standard Deprecate This pattern has been deprecated as it was determined to be an unnecessary layer
390 Bypassing PMeta Draft Facilities often used layered models for physical security such as traditional locks, E
396 DEPRECATED Standard Deprecate This attack pattern has been deprecated as it a generalization of CAPEC-397: Clonin
404 DEPRECATED Meta Deprecate This attack pattern has been deprecated as it was deemed not to be a legitimate att
405 DEPRECATED Meta Deprecate This attack pattern has been deprecated as it was deemed not to be a legitimate att
408 DEPRECATED Meta Deprecate This attack pattern has been deprecated as it was deemed not to be a legitimate att
409 DEPRECATED Meta Deprecate This attack pattern has been deprecated as it was deemed not to be a legitimate att
410 InformationMeta Draft An adversary engages an individuLow
411 DEPRECATED Meta Deprecate This attack pattern has been deprecated as it is a duplicate of the existing attack pa
416 Manipulat Meta Stable An adversary exploits Medium Medium
419 DEPRECATED Meta Deprecate This attack pattern has been deprecated as it was deemed not to be a legitimate pa
430 DEPRECATED Detailed Deprecate This attack pattern has been deprecated.
431 DEPRECATED Detailed Deprecate This attack pattern has been deprecated.
432 DEPRECATED Detailed Deprecate This attack pattern has been deprecated.
438 Modificati Meta Draft An attacker modifies a technology, product, or component during a stage in its man
439 ManipulatiMeta Draft An attacker undermines the integrity of a product, software, or technology at some
440 Hardware IMeta Stable An adversary exploitsLow High
441 Malicious LMeta Stable An adversary installs Medium High
449 DEPRECATED Detailed Deprecate This attack pattern has been deprecated as it is a duplicate of CAPEC-448 : Malware
450 DEPRECATED Standard Deprecate This attack pattern has been deprecated as it is a duplicate of CAPEC-448 : Malware
451 DEPRECATED Detailed Deprecate This attack pattern has been deprecated as it is a duplicate of CAPEC-448 : Malware
453 DEPRECATED Standard Deprecate This attack pattern has been deprecated as it is a duplicate of CAPEC-452 : Maliciou
454 DEPRECATED Detailed Deprecate This attack pattern has been deprecated as it is a duplicate of CAPEC-452 : Maliciou
455 DEPRECATED Detailed Deprecate This attack pattern has been deprecated as it is a duplicate of CAPEC-457 : Maliciou
484 DEPRECATED Standard Deprecate This attack pattern has been deprecated as it a generalization of CAPEC-230: XML N
507 Physical ThMeta Draft An adversary gains physical access to a system or device through
548 ContaminatMeta Draft An adversary contaminates organizational information systems (including devices a
549 Local Exec Meta Stable An adversary installs Medium High
554 FunctionaliMeta Draft An adversary attacks aMedium High
557 DEPRECATED Detailed Deprecate This CAPEC has been deprecated because of is not directly related to a weakness, s
56 DEPRECATED Standard Deprecate This attack pattern has been deprecated as it is a duplicate of CAPEC-207 : Removin
566 DEPRECATEDetailed Deprecate This CAPEC has been deprecated because of is not directly related to a weakness, s
567 DEPRECATED: Standard Deprecate This CAPEC has been deprecated because of is not directly related to a weakness, s
570 DEPRECATED Detailed Deprecate This CAPEC has been deprecated because of is not directly related to a weakness, s
586 Object InjeMeta Draft An adversary attemptsMedium High
594 Traffic InjeMeta Stable An adversary injects traffic into the target's network connection.
602 DEPRECATEMeta Deprecate This attack pattern has been deprecated.
607 ObstructioMeta Draft An attacker obstructs the interactions between system components. By interruptin
624 Fault Injec Meta Stable The adversa::TERM:SidLow High
74 ManipulatiMeta Stable The adversary modifiesMedium High ::STEP:1:PH
82 DEPRECATED Standard Deprecate This attack pattern has been deprecated as it a generalization of CAPEC-230: XML N
91 DEPRECATED Detailed Deprecate This attack pattern has been deprecated as it is contained in the existing attack patt
99 DEPRECATED Standard Deprecate This attack pattern has been deprecated as it a generalization of CAPEC-230: XML N
Prerequisites Skills Required Resources Required Indicators Consequences Mitigations Example Instances Related Weaknesses Taxonomy Mappings Notes
to an existing chain relationship between CAPEC-93 : Log Injection-Tampering-Forging and CAPEC-63 : Cross-Site Scripting. Please refer to
::The attac::SKILL:The::None: No::Repeated::SCOPE:Co::Select a provably la ::330::326::521::
::The target system m::The requirements vary depending upon the nature of::227::
::An authentication m::A client application, command-line access to a binar ::287::
::An authentication m::A client application, such as a web browser, or a scri ::287::
::An adversary requir ::A tool, such as a MI ::SCOPE:Co::Minimize error/respo::200:: TYPE:Other:NOTE:Large quan
::The target must tran::The adversary must ::SCOPE:Co::Leverage encryption::319::
::The target must have::None: No specialized resources are required to execute ::732::269::
::The adversary must identify a programmatic ::SCOPE:Av::To help protect an a::119::
::The target applicati ::None: No specialized resources are required to execute this type of attack.::
::Any target that servi::A script or program ::SCOPE:Ava ::Ensure that protocol::404::770::
::The target applicati ::None: No specialized resources are required to execut ::682::822::823::
::The target must acce::None: No specialized::SCOPE:Ava ::Limit the ::In an Int ::770::404::
::The target must have::None: No specialized::SCOPE:Av::If possible, leverag ::404::
::The target applicati ::None: No specialized::SCOPE:In ::Implement an audit ::88::
::The target must prov::If the content is to ::SCOPE:IntegrityTECHNICAL IMPA ::345::
::The identity associ ::None: No specialized::SCOPE:Co::Employ robust authen ::287::
::The target must acce::None: No specialized resources are required to execut ::20::
::None. All application::None: No specialized::SCOPE:Au::Monitor network activity to detect any anomalous or unauthorized com
::The targeted client ::The attacker must be able to corrupt the infrastructure used by the client. For some variants of this atta
::The target must use ::None:
t No specialized resources are required to execute this type of attack. In some cases, tools can be
::An applic ::SKILL:The::The adversary requir::SCOPE:Co::Keep patc::In this e ::200::
licate of the existing attack pattern CAPEC-77 : Manipulating User-Controlled Variables. Please refer to this other CAPEC going forward.
::The adversary must convince the victim in::SCOPE:Con ::Avoid interacting with suspicious sites or clicking suspicious links. An or
::The target applicati ::The adversary may need the capability to ::One examp ::829::
::The target applicati ::The attacker must have the access necessary to affect::15::
::SKILL:Man::Software Integrity Attacks are usually a late stage f ::494::
::Access to::SKILL:Und::The technical resources necessa::Employ co::When adversaries are reverse engineering software, method
::Access to::SKILL:Kno::Depending on the typ ::SCOPE:ConfidentialityTECHNICA::326:: TYPE:Other:NOTE:There are
licate of CAPEC-37 : Retrieve Embedded Sensitive Data. Please refer to this other pattern going forward.
::Server so ::SKILL:To ::Ability to deploy s ::SCOPE:Co::Design: u ::Thin clie ::290::302::346::539::6::384::664::602::642::
emed not to be a legitimate attack pattern.
::The adver::SKILL:General computer knowle::SCOPE:Con ::Perform comprehensive threat modeling, a process of identifying, eval
licate of the existing attack pattern CAPEC-126 : Path Traversal. Please refer to this other CAPEC going forward.
::The target applicat ::A tool that is capab ::SCOPE:In ::Encrypt all sensitive communications using properly-configured crypto
::Server so ::SKILL:Th ::Ability to communic::SCOPE:Co::Design: E ::Web appli::290::287::20::200::693::
::A means b::SKILL:Som::If on a network, th ::SCOPE:Co::While some informati ::200::
::This pattern of atta ::To successfully execute this pa ::Potential mitigations include requiring a unique login for each resource
levate their privilege and perform an action that they are not supposed to be authorize ::269::
r to CAPEC:30 - Hijacking a Privileged Thread of Execution.
appear to be a valid attack pattern.
contain any content and did not serve any useful purpose. Please refer to CAPEC-207: removing Important Client Functionality going forw
::The target application allows the user to ::SCOPE:Co::Ensure all input cont::99::
licate of the existing attack pattern CAPEC-242 : Code Injection. Please refer to this other CAPEC going forward.
::The target software does not validate use ::SCOPE:Con ::Utilize strict type, ::94::
a chaining relationship between CAPEC-174: Flash Parameter Injection and CAPEC-591: Stored XSS. Please refer to these CAPECs going for
::The target application must accept input f::SCOPE:Co::All user-controllab ::77::
ed by CAPEC-40 : Manipulating Writeable Terminal Devices. Please refer to this CAPEC going forward.
::The targe::SKILL:This type of attack may ::SCOPE:Av::Use known ::An exampl::412::567::662::833::667::
ed to be an unnecessary layer of abstraction. Please refer to the pattern CAPEC-228 : DTD Injection going forward.
emed not to be a legitimate attack pattern.
licate of the existing attack pattern CAPEC-65 : Sniff Application Code. Please refer to this other CAPEC going forward.
licate of the existing attack pattern CAPEC-65 : Sniff Application Code. Please refer to this other CAPEC going forward.
::A resourc::SKILL:Being able to run the ra ::SCOPE:Co::Use safe ::The Net D::368::363::366::370::362::662::689::667::665::
licate of the existing attack pattern CAPEC-65 : Sniff Application Code. Please refer to this other CAPEC going forward.
licate of the existing attack pattern CAPEC-13 : Subverting Environment Variable Values. Please refer to this other CAPEC going forward.
licate of the existing attack pattern CAPEC-77 : Manipulating User-Controlled Variables. Please refer to this other CAPEC going forward.

ed to be a duplicate of another pattern. Please refer to the pattern CAPEC-203 : Manipulate Application Registry Values going forward.
::The protocol or imp ::In some variants of this attack the adversary must be able to intercept communications using the proto
::STEP:1:PHASE:Explor::SKILL:The::Fuzzing to::A lot of ::SCOPE:In ::Test to e ::A fuzz te ::74::388::20::
nts have been included in CAPEC-279 : SOAP Manipulation. Please refer to this other pattern going forward.

termined to be an unnecessary layer of abstraction. Please refer to the meta level pattern CAPEC-169 : going forward, or to any of its child
ed to be an unnecessary layer of abstraction. Please refer to the standard level patterns CAPEC-312 : Active OS Fingerprinting or CAPEC-31
ed to be an unnecessary layer of abstraction. Please refer to the standard level pattern CAPEC-312 : Active OS Fingerprinting going forward
ed to be an unnecessary layer of abstraction. Please refer to the standard level pattern CAPEC-312 : Active OS Fingerprinting going forward
ed to be an unnecessary layer of abstraction. Please refer to the standard level pattern CAPEC-312 : Active OS Fingerprinting going forward
rity such as traditional locks, Electronic-based card entry systems, coupled with physical alarms. Hardware security mechanisms range from
alization of CAPEC-397: Cloning Magnetic Strip Cards, CAPEC-398: Magnetic Strip Card Brute Force Attacks, CAPEC-399: Cloning RFID Card
emed not to be a legitimate attack pattern. Please refer to CAPEC-118 : Collect and Analyze Information.
emed not to be a legitimate attack pattern. Please refer to CAPEC-118 : Collect and Analyze Information.
emed not to be a legitimate attack pattern. Please refer to CAPEC-118 : Collect and Analyze Information.
emed not to be a legitimate attack pattern. Please refer to CAPEC-118 : Collect and Analyze Information.

licate of the existing attack pattern CAPEC-407 : Social Information Gathering via Pretexting. Please refer to this other CAPEC going forwar
::The adversary must have the means and ::SCOPE:Con ::An organization should provide regular, robust cybersecurity training to
emed not to be a legitimate pattern.

onent during a stage in its manufacture for the purpose of carrying out an attack against some entitTAXONOMY NAME:ATTACK:ENTRY ID:1
ftware, or technology at some stage of the distribution channel. The core th ::A malicious OEM prov TAXONOMY NAME:ATTACK:ENTRY ID:1
::Influence over the deployed system at a vi::SCOPE:IntegrityTECHNICAL IMPACT:ExecuTAXONOMY NAME:ATTACK:ENTRY ID:1
::Access to the component currently deploye ::SCOPE:AuthorizationTECHNICA::284::
licate of CAPEC-448 : Malware Infection into Product Software. Please refer to this other pattern going forward.
licate of CAPEC-448 : Malware Infection into Product Software. Please refer to this other pattern going forward.
licate of CAPEC-448 : Malware Infection into Product Software. Please refer to this other pattern going forward.
licate of CAPEC-452 : Malicious Logic Insertion into Product Hardware. Please refer to this other pattern going forward.
licate of CAPEC-452 : Malicious Logic Insertion into Product Hardware. Please refer to this other pattern going forward.
licate of CAPEC-457 : Malicious Logic Insertion into Product Hardware. Please refer to this other pattern going forward.
alization of CAPEC-230: XML Nested Payloads and CAPEC-231: XML Oversized Payloads. Please refer to these CAPECs going forward.
::This type of attack requires the existence of a physic ::To mitigate this type of attack, physical security techniques such as loc
n systems (including devices and networks) by causing them to handle information of a classification/sensitivity for which they have not b
::Knowledge of the tar::The means by which::SCOPE:Co::Employ
t robust cybers
::829::
::424::
rectly related to a weakness, social engineering, supply chains, or a physical-based attack.
licate of CAPEC-207 : Removing Important Client Functionality. Please refer to this other pattern going forward.
rectly related to a weakness, social engineering, supply chains, or a physical-based attack.
rectly related to a weakness, social engineering, supply chains, or a physical-based attack.
rectly related to a weakness, social engineering, supply chains, or a physical-based attack.
::The target application must unserialize dat::SCOPE:Av::Implementation: Vali::502::
::The target applicat ::A tool, such as a MI ::SCOPE:AvailabilityTECHNICAL IM ::940::

m components. By interrupting or disabling these interac ::SCOPE:AvailabilityTECHNICAL IMPACT:Resource Consumption::


::Physical ::SKILL:Adv::The relevant sensors::SCOPE:Co::Implement robust physical security count TYPE:Other:NOTE:Considerab
::User stat ::SKILL:The::The adversary needs::SCOPE:Co::Do not re::During th::372::371::315::353::693::
alization of CAPEC-230: XML Nested Payloads, CAPEC-231: XML Oversized Payloads, and CAPEC-147: XML Ping of Death. Please refer to th
ined in the existing attack pattern CAPEC-18 : XSS Targeting Non-Script Elements. Please refer to this other CAPEC going forward.
alization of CAPEC-230: XML Nested Payloads and CAPEC-231: XML Oversized Payloads. Please refer to these CAPECs going forward.
-Site Scripting. Please refer to these CAPECs going forward.

TYPE:Other:NOTE:Large quantities of data is often moved from the target system to some other adversary controlled system. Data found

nomalous or unauthorized communication exchanges.::


. For some variants of this attack, the attacker must be able to stand up their own services that mimic the services the targeted client inte
k. In some cases, tools can be used to better control the response of the targeted application to the modified file.::

other CAPEC going forward.


clicking suspicious links. An organization should provide regular, robust cybersecurity training to its employees.::

engineering software, methodologies fall into two broad categories, 'white box' and 'black box.' White box techniques involve methods w
TYPE:Other:NOTE:There are several challenges inherent to protocol analysis depending upon the nature of the protocol being analyzed. T

::6::384::664::602::642::

, a process of identifying, evaluating, and mitigating potential threats to the application. This effort can help reveal potentially obscure app

ng properly-configured cryptography.::Design the communication system such that it associates proper authentication/authorization with

unique login for each resource request, constraining local unprivileged access by disallowing simultaneous engagements of the resource, o

Client Functionality going forward.

fer to these CAPECs going forward.


::362::662::689::667::665::

other CAPEC going forward.


other CAPEC going forward.

stry Values going forward.


mmunications using the protocol. This means they need to be able to receive the communications from one participant and prevent the o

forward, or to any of its children patterns.


OS Fingerprinting or CAPEC-313 : Passive OS Fingerprinting going forward, or to any of the detailed patterns that are children of them.
S Fingerprinting going forward, or to any of the detailed patterns that children of CAPEC-312.
S Fingerprinting going forward, or to any of the detailed patterns that are children of CAPEC-312.
S Fingerprinting going forward, or to any of the detailed patterns that are children of CAPEC-312.
ecurity mechanisms range from the use of computer case and cable locks as well as RFID tags for tracking computer assets. This layered ap
CAPEC-399: Cloning RFID Cards or Chips and CAPEC-400: RFID Chip Deactivation or Destruction. Please refer to these CAPECs going forward

this other CAPEC going forward.


obust cybersecurity training to its employees to prevent successful social engineering attacks.::

MY NAME:ATTACK:ENTRY ID:1195:ENTRY NAME:Supply Chain Compromise::


MY NAME:ATTACK:ENTRY ID:1195:ENTRY NAME:Supply Chain Compromise::
MY NAME:ATTACK:ENTRY ID:1200:ENTRY NAME:Hardware Additions::

ng forward.
ng forward.
ng forward.
e CAPECs going forward.
ecurity techniques such as locks doors, alarms, and monitoring of targets should be implemented.::
vity for which they have not been authorized. The information is exposed to individuals who are not authorized access to such information

nsumption::
TYPE:Other:NOTE:Considerable effort on the part of the adversary is often required in order to detect and analyze fault/side channel dat

ng of Death. Please refer to these CAPECs going forward.


CAPEC going forward.
e CAPECs going forward.
controlled system. Data found on a target system might require extensive resources to be fully analyzed. Using these resources on the tar

rvices the targeted client intends to use.::

echniques involve methods which can be applied to a piece of software when an executable or some other compiled object can be directl
the protocol being analyzed. There may also be other types of factors which complicate the process such as encryption or ad hoc obfusca

reveal potentially obscure application functionality that can be manipulated for malicious purposes.::When implementing security feature

entication/authorization with each channel/message.::

ngagements of the resource, or limiting access to the resource to one access per IP address. In such scenarios, the adversary would have t
participant and prevent the other participant from receiving these communications.::

that are children of them.

mputer assets. This layered approach makes it difficult for random physical security breaches to go unnoticed, but is less effective at stopp
to these CAPECs going forward.
zed access to such information, and the information system, device, or network is unavailable while the spill is investigated and mitigated.

analyze fault/side channel data.::


ng these resources on the target system might enable a defender to detect the adversary. Additionally, proper analysis tools required mig

compiled object can be directly subjected to analysis, revealing at least a portion of its machine instructions that can be observed upon ex
encryption or ad hoc obfuscation of the protocol. In general there are two kinds of networking protocols, each associated with its own ch

implementing security features, consider how they can be misused and compromised.::

s, the adversary would have to increase engagements either by launching multiple sessions manually or programmatically to counter such
d, but is less effective at stopping deliberate and carefully planned break-ins. Avoiding detection begins with evading building security and
is investigated and mitigated.
per analysis tools required might not be available on the target system.::::TYPE:Other:NOTE:This attack differs from Data Interception and

that can be observed upon execution. 'Black Box' methods involve interacting with the software indirectly, in the absence of the ability to
ach associated with its own challenges and analysis approaches or methodologies. Some protocols are human-readable, which is to say the

grammatically to counter such defenses.::


h evading building security and surveillance and methods for bypassing the electronic or physical locks which secure entry points.
s from Data Interception and other data collection attacks in that the attacker actively queries the target rather than simply watching for t

n the absence of the ability to measure, instrument, or analyze an executable object directly. Such analysis typically involves interacting wi
n-readable, which is to say they are text-based protocols. Examples of these types of protocols include HTTP, SMTP, and SOAP. Additional
secure entry points.
her than simply watching for the target to reveal information.::

ypically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, suc
P, SMTP, and SOAP. Additionally, application-layer protocols can be embedded or encapsulated within human-readable protocols in the da
er execution environment, such as input-output vectors, libraries, or APIs.::
n-readable protocols in the data portion of the packet. Typically, human-readable protocol implementations are susceptible to automatic
are susceptible to automatic decoding by the appropriate tools, such as Wireshark/ethereal, tcpdump, or similar protocol sniffers or anal
milar protocol sniffers or analyzers. The presence of well-known protocol specifications in addition to easily identified protocol delimiters,
identified protocol delimiters, such as Carriage Return or Line Feed characters (CRLF) result in text-based protocols susceptibility to direct
otocols susceptibility to direct scrutiny through manual processes. Protocol analysis against protocol implementations such as HTTP is ofte
entations such as HTTP is often performed to identify idiosyncratic implementations of a protocol by a server or client. In the case of appli
r or client. In the case of application-layer protocols which are embedded within text-based protocols, analysis techniques typically benefi
sis techniques typically benefit from the well-known nature of the encapsulating protocols and can focus on discovering the semantic char
discovering the semantic characteristics of the proprietary protocol or API, since the syntax and protocol delimiters of the underlying prot
limiters of the underlying protocols can be readily identified. When performing protocol analysis of machine-readable (non-text-based) pr
-readable (non-text-based) protocols difficulties emerge as the protocol itself was designed to be read by computing process. Such protoc
mputing process. Such protocols are typically composed entirely in binary with no apparent syntax, grammar, or structural boundaries. Ex
r, or structural boundaries. Examples of these types of protocols are IP, UDP, and TCP. Binary protocols with published specifications can b
published specifications can be automatically decoded by protocol analyzers, but in the case of proprietary, closed-specification, binary p
closed-specification, binary protocols there are no immediate indicators of packet syntax such as packet boundaries, delimiters, or structu
undaries, delimiters, or structure, or the presence or absence of encryption or obfuscation. In these cases there is no one technology that
ere is no one technology that can extract or reveal the structure of the packet on the wire, so it is necessary to use trial and error approac
to use trial and error approaches while observing application behavior based on systematic mutations introduced at the packet-level. Too
duced at the packet-level. Tools such as Protocol Debug (PDB) or other packet injection suites are often employed. In cases where the bina
loyed. In cases where the binary executable is available, protocol analysis can be augmented with static and dynamic analysis techniques.
dynamic analysis techniques.::
