[
  {
    "instruction": "List the required resources to perform the following capec attack pattern: TCP Null Scan (CAPEC ID: 304)",
    "context": "",
    "output": "required resources:\nThis attack can be carried out via a network mapper/scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.",
    "category": "CAPECFlan",
    "instruction_type": "capec_resources_required",
    "parsed_raw_data": {
      "Resources_Required": "This attack can be carried out via a network mapper/scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.",
      "@Name": "TCP Null Scan (CAPEC ID: 304)",
      "attack_ptrn": {
        "@ID": "304",
        "@Name": "TCP Null Scan",
        "@Abstraction": "Detailed",
        "@Status": "Stable",
        "Description": "An adversary uses a TCP NULL scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with no flags in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets.",
        "Extended_Description": {
          "xhtml:p": "In addition to being fast, the major advantage of this scan type is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. NULL packets, like out-of-state FIN or ACK packets, tend to pass through such devices undetected. Additionally, because open ports are inferred via no responses being generated, one cannot distinguish an open port from a filtered port without further analysis. For instance, NULL scanning a system protected by a stateful firewall may indicate all ports being open. Because of their obvious rule-breaking nature, NULL scans are flagged by almost all intrusion prevention or intrusion detection systems."
        },
        "Typical_Severity": "Low",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "300"
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Experiment",
              "Description": "An adversary sends TCP packets with no flags set and that are not associated with an existing connection to target ports."
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "An adversary uses the response from the target to determine the port's state. If no response is received the port is open. If a RST packet is received then the port is closed."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": "The adversary requires logical access to the target network. NULL scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges."
        },
        "Resources_Required": {
          "Resource": "This attack can be carried out via a network mapper/scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Confidentiality",
              "Impact": "Other"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": [
                "Bypass Protection Mechanism",
                "Hide Activities"
              ]
            }
          ]
        },
        "Mitigations": {
          "Mitigation": "Employ a robust network defensive posture that includes a managed IDS/IPS."
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "200"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-33",
              "@Section": "Chapter 2: Scanning, pg. 56"
            },
            {
              "@External_Reference_ID": "REF-128"
            },
            {
              "@External_Reference_ID": "REF-34",
              "@Section": "Section 5.5 TCP FIN, NULL, XMAS Scans, pg. 107"
            },
            {
              "@External_Reference_ID": "REF-130"
            }
          ]
        },
        "Notes": {
          "Note": {
            "@Type": "Other",
            "#text": "Many operating systems do not implement RFC 793 exactly, and for this reason NULL scans do not work as expected against these devices. Some operating systems, like Microsoft Windows, send a RST packet in response to any out-of-sync (or malformed) TCP segments received by a listening socket (rather than dropping the packet as RFC 793 specifies), thus preventing the adversary from distinguishing between open and closed ports. NULL scans are limited by the range of platforms against which they work."
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated Attack_Prerequisites, Description, Description Summary, References, Related_Weaknesses, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Description, Execution_Flow, Mitigations, Notes"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Extended_Description"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "List the required resources to perform the following capec attack pattern: Interception (CAPEC ID: 117)",
    "context": "",
    "output": "required resources:\nThe adversary must have the necessary technology to intercept information passing between the nodes of a network. For TCP/IP, the capability to run tcpdump, ethereal, etc. can be useful. Depending upon the data being targeted the technological requirements will change.",
    "category": "CAPECFlan",
    "instruction_type": "capec_resources_required",
    "parsed_raw_data": {
      "Resources_Required": "The adversary must have the necessary technology to intercept information passing between the nodes of a network. For TCP/IP, the capability to run tcpdump, ethereal, etc. can be useful. Depending upon the data being targeted the technological requirements will change.",
      "@Name": "Interception (CAPEC ID: 117)",
      "attack_ptrn": {
        "@ID": "117",
        "@Name": "Interception",
        "@Abstraction": "Meta",
        "@Status": "Stable",
        "Description": "An adversary monitors data streams to or from the target for information gathering purposes. This attack may be undertaken solely to gather sensitive information or to support a further attack against the target. This attack pattern can involve sniffing network traffic as well as other types of data streams (e.g. radio). The adversary can attempt to initiate the establishment of a data stream or passively observe the communications as they unfold. In all variants of this attack, the adversary is not the intended recipient of the data stream. In contrast to other means of gathering information (e.g., targeting data leaks), the adversary must actively position themself so as to observe explicit data channels (e.g. network traffic) and read the content. However, this attack differs from an Adversary-In-the-Middle (CAPEC-94) attack, as the adversary does not alter the content of the communications nor forward data to the intended recipient.",
        "Likelihood_Of_Attack": "Low",
        "Typical_Severity": "Medium",
        "Prerequisites": {
          "Prerequisite": "The target must transmit data over a medium that is accessible to the adversary."
        },
        "Resources_Required": {
          "Resource": "The adversary must have the necessary technology to intercept information passing between the nodes of a network. For TCP/IP, the capability to run tcpdump, ethereal, etc. can be useful. Depending upon the data being targeted the technological requirements will change."
        },
        "Consequences": {
          "Consequence": {
            "Scope": "Confidentiality",
            "Impact": "Read Data"
          }
        },
        "Mitigations": {
          "Mitigation": "Leverage encryption to encode the transmission of data thus making it accessible only to authorized parties."
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "319"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-05-01",
              "Modification_Comment": "Updated Activation_Zone, Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated Attack_Prerequisites, Description Summary, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-09-30",
              "Modification_Comment": "Updated Description, Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Description"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Description"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Provide the resources needed so the attacker can use the attack pattern: Read Sensitive Constants Within an Executable (CAPEC ID: 191)",
    "context": "",
    "output": "Here is the list of resources required to implement attack pattern Read Sensitive Constants Within an Executable (CAPEC ID: 191):\nBinary analysis programs such as 'strings' or 'grep', or hex editors.",
    "category": "CAPECFlan",
    "instruction_type": "capec_resources_required",
    "parsed_raw_data": {
      "Resources_Required": "Binary analysis programs such as 'strings' or 'grep', or hex editors.",
      "@Name": "Read Sensitive Constants Within an Executable (CAPEC ID: 191)",
      "attack_ptrn": {
        "@ID": "191",
        "@Name": "Read Sensitive Constants Within an Executable",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": {
          "xhtml:p": "An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis."
        },
        "Extended_Description": {
          "xhtml:p": [
            "One specific example of a sensitive string is a hard-coded password. Typical examples of software with hard-coded passwords include server-side executables which may check for a hard-coded password or key during a user's authentication with the server. Hard-coded passwords can also be present in client-side executables which utilize the password or key when connecting to either a remote component, such as a database server, licensing server, or otherwise, or a process on the same host that expects a key or password. When analyzing an executable, the adversary may search for the presence of such strings by analyzing the byte-code of the file itself. Example utilities for revealing strings within a file include 'strings,' 'grep,' or other variants of these programs depending upon the type of operating system used. These programs can be used to dump any ASCII or UNICODE strings contained within a program. Strings can also be searched for using a hex editor by loading the binary or object code file and utilizing native search functions such as regular expressions.",
            "Additionally, sensitive numeric values can occur within an executable. This can be used to discover the location of cryptographic constants."
          ]
        },
        "Typical_Severity": "Low",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "167",
            "Exclude_Related": {
              "@Exclude_ID": "515"
            }
          }
        },
        "Prerequisites": {
          "Prerequisite": "Access to a binary or executable such that it can be analyzed by various utilities."
        },
        "Resources_Required": {
          "Resource": "Binary analysis programs such as 'strings' or 'grep', or hex editors."
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "798"
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1552.001",
            "Entry_Name": "Unsecured Credentials:Credentials in files"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-51",
              "@Section": "Decompiler"
            },
            {
              "@External_Reference_ID": "REF-52",
              "@Section": "Debugger"
            },
            {
              "@External_Reference_ID": "REF-53",
              "@Section": "Disassembler"
            }
          ]
        },
        "Notes": {
          "Note": {
            "@Type": "Other",
            "xhtml:p": [
              "More sophisticated methods of searching for sensitive strings within a file involve disassembly or decompiling of the file. One could, for example, utilize disassembly methods on an ISAPI executable or dll to discover a hard-coded password within the code as it executes. This type of analysis usually involves four stages in which first a debugger is attached to the running process, anti-debugging countermeasures are circumvented or bypassed, the program is analyzed step-by-step, and breakpoints are established so that discrete functions and data structures can be analyzed.",
              "Debugging tools such as SoftICE, Ollydbg, or vendor supplied debugging tools are often used. Disassembly tools such as IDA pro, or similar tools, can also be employed. A third strategy for accessing sensitive strings within a binary involves the decompilation of the file itself into source code that reveals the strings. An example of this type of analysis involves extracting source code from a java JAR file and then using functionality within a java IDE to search the source code for sensitive, hard-coded information. In performing this analysis native java tools, such as \"jar\" are used to extract the compiled class files. Next, a java decompiler such as \"DJ\" is used to extract java source code from the compiled classes, revealing source code. Finally, the source code is audited to reveal sensitive information, a step that is usually assisted by source code analysis programs."
            ]
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2015-11-09",
              "Modification_Comment": "Updated Description Summary, Other_Notes, References, Related_Attack_Patterns, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Attack_Prerequisites, Description Summary, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated @Name, Description, Related_Attack_Patterns, Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Extended_Description"
            }
          ],
          "Previous_Entry_Name": {
            "@Date": "2020-07-30",
            "#text": "Read Sensitive Strings Within an Executable"
          }
        }
      }
    }
  },
  {
    "instruction": "Given the attack pattern: XSS Through HTTP Query Strings (CAPEC ID: 32), tell me required resources from an attacker",
    "context": "",
    "output": "Sure. Here are the required resources the attacker should have:\nAbility to send HTTP post to scripting host and collect output",
    "category": "CAPECFlan",
    "instruction_type": "capec_resources_required",
    "parsed_raw_data": {
      "Resources_Required": "Ability to send HTTP post to scripting host and collect output",
      "@Name": "XSS Through HTTP Query Strings (CAPEC ID: 32)",
      "attack_ptrn": {
        "@ID": "32",
        "@Name": "XSS Through HTTP Query Strings",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then proceeds to use the parameter values without properly validating them first and generates the HTML code that will be executed by the victim's browser.",
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "591"
            },
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "588"
            },
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "592"
            }
          ]
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Survey the application for public links] Using a browser or an automated tool, an adversary follows all public links on a web site. They record all the links they find.",
              "Technique": [
                "Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.",
                "Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.",
                "Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery."
              ]
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Probe public links for XSS vulnerability] The adversary uses the public links gathered in the \"Explore\" phase as a target list and requests variations on the URLs they spidered before. They send parameters that include variations of payloads. They record all the responses from the server that include unmodified versions of their script.",
              "Technique": [
                "Use a list of XSS probe strings to inject in parameters of known URLs. If possible, the probe strings contain a unique identifier.",
                "Use a proxy tool to record results of manual input of XSS probes in known URLs."
              ]
            },
            {
              "Step": "3",
              "Phase": "Experiment",
              "Description": "[Craft malicious XSS URL] Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.",
              "Technique": [
                "Change a URL parameter to include a malicious script tag.",
                "Send information gathered from the malicious script to a remote endpoint."
              ]
            },
            {
              "Step": "4",
              "Phase": "Exploit",
              "Description": "[Get victim to click URL] In order for the attack to be successful, the victim needs to access the malicious URL.",
              "Technique": [
                "Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.",
                "Put the malicious URL on a public forum, where many victims might accidentally click the link."
              ]
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": "Target client software must allow scripting such as JavaScript. Server software must allow display of remote generated HTML without sufficient input or output validation."
        },
        "Skills_Required": {
          "Skill": [
            {
              "@Level": "Low",
              "#text": "To place malicious payload on server via HTTP"
            },
            {
              "@Level": "High",
              "#text": "Exploiting any information gathered by HTTP Query on script host"
            }
          ]
        },
        "Resources_Required": {
          "Resource": "Ability to send HTTP post to scripting host and collect output"
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": [
                "Confidentiality",
                "Integrity",
                "Availability"
              ],
              "Impact": "Execute Unauthorized Commands",
              "Note": "Run Arbitrary Code"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Design: Use browser technologies that do not allow client side scripting.",
            "Design: Utilize strict type, character, and encoding enforcement",
            "Design: Server-side developers should not proxy content via XHR or other means; if an HTTP proxy for remote content is set up on the server side, the client's browser has no way of discerning where the data is originating from.",
            "Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.",
            "Implementation: Perform input validation for all remote content, including remote and user-generated content",
            "Implementation: Perform output validation for all remote content.",
            "Implementation: Disable scripting languages such as JavaScript in browser",
            "Implementation: Session tokens for specific host",
            "Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browsers, web servers, and plug-in technologies; staying current on patch releases that deal with XSS countermeasures mitigates this.",
            "Implementation: Constrain privileges: if a script is loaded, ensure the system runs in a chroot jail or other limited-authority mode"
          ]
        },
        "Example_Instances": {
          "Example": [
            "http://user:host@example.com:8080/oradb<script>alert('Hi')</script>",
            {
              "xhtml:p": [
                "Web applications that accept name value pairs in a HTTP Query string are inherently at risk to any value (or name for that matter) that an adversary would like to enter in the query string. This can be done manually via web browser or trivially scripted to post the query string to multiple sites. In the latter case, in the instance of many sites using similar infrastructure with predictable http queries being accepted and operated on (such as blogging software, Google applications, and so on), a single malicious payload can be scripted to target a wide variety of sites.",
                "Web 2.0 type sites like Technorati and del.icio.us rely on user generated content like tags to build http links that are displayed to other users. del.icio.us allows users to identify sites, tag them with metadata and provide URL, descriptions and more data. This data is then echoed back to any other web browser that is interested in the link. If the data is not validated by the del.icio.us site properly then an arbitrary code can be added into the standard http string sent to del.icio.us by the adversary, for example formatted as normal content with a URL and description and tagged as Java, and available to be clicked on (and executed by) any user browsing for Java content that clicks on this trojaned content."
              ]
            }
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "80"
          }
        },
        "References": {
          "Reference": {
            "@External_Reference_ID": "REF-1"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2015-11-09",
              "Modification_Comment": "Updated Attack_Phases"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2015-12-07",
              "Modification_Comment": "Updated Attack_Phases"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-01-09",
              "Modification_Comment": "Updated Attack_Phases"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-05-01",
              "Modification_Comment": "Updated Attack_Phases, Description Summary, Related_Attack_Patterns, Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Attack_Phases"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated Attack_Phases"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Execution_Flow"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Example_Instances, Execution_Flow"
            }
          ],
          "Previous_Entry_Name": {
            "@Date": "2017-05-01",
            "#text": "Embedding Scripts in HTTP Query Strings"
          }
        }
      }
    }
  },
  {
    "instruction": "Provide the resources needed so the attacker can use the attack pattern: XSS Using Doubled Characters (CAPEC ID: 245)",
    "context": "",
    "output": "Here is the list of resources required to implement attack pattern XSS Using Doubled Characters (CAPEC ID: 245):\nThe adversary must trick the victim into following a crafted link to a vulnerable server or view a web post where the dangerous commands are executed.",
    "category": "CAPECFlan",
    "instruction_type": "capec_resources_required",
    "parsed_raw_data": {
      "Resources_Required": "The adversary must trick the victim into following a crafted link to a vulnerable server or view a web post where the dangerous commands are executed.",
      "@Name": "XSS Using Doubled Characters (CAPEC ID: 245)",
      "attack_ptrn": {
        "@ID": "245",
        "@Name": "XSS Using Doubled Characters",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "The adversary bypasses input validation by using doubled characters in order to perform a cross-site scripting attack. Some filters fail to recognize dangerous sequences if they are preceded by repeated characters. For example, by doubling the < before a script command (<<script or %3C%3Cscript using URI encoding), the filters of some web applications may fail to recognize the presence of a script tag. If the targeted server is vulnerable to this type of bypass, the adversary can create a crafted URL or other trap to cause a victim to view a page on the targeted server where the malicious content is executed, as per a normal XSS attack.",
        "Typical_Severity": "Medium",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "591"
            },
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "592"
            },
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "588"
            }
          ]
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Survey the application for user-controllable inputs] Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.",
              "Technique": [
                "Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.",
                "Use a proxy tool to record all links visited during a manual traversal of the web application.",
                "Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery."
              ]
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Probe identified potential entry points for XSS using double characters] The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects various common script payloads modified to use double characters and doubled special characters to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.",
              "Technique": [
                "Use a list of XSS probe strings using double characters to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier.",
                "Use a proxy tool to record results of manual input of XSS probes in known URLs.",
                "Use a list of doubled HTML special characters to inject into parameters of known URLs and check if they were properly encoded, replaced, or filtered out."
              ]
            },
            {
              "Step": "3",
              "Phase": "Experiment",
              "Description": "[Craft malicious XSS URL] Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, including stealing session IDs, cookies, credentials, and page content from the victim.",
              "Technique": [
                "Execute a script using an expression embedded in an HTML attribute, which avoids needing to inject a script tag.",
                "Send information gathered from the malicious script to a remote endpoint."
              ]
            },
            {
              "Step": "4",
              "Phase": "Exploit",
              "Description": "[Get victim to click URL] In order for the attack to be successful, the victim needs to access the malicious URL.",
              "Technique": [
                "Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink so as not to show the full URL, which might draw suspicion.",
                "Put the malicious URL on a public forum, where many victims might accidentally click the link."
              ]
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": "The targeted web application does not fully normalize input before checking for prohibited syntax. In particular, it must fail to recognize prohibited methods preceded by certain sequences of repeated characters."
        },
        "Resources_Required": {
          "Resource": "The adversary must trick the victim into following a crafted link to a vulnerable server or view a web post where the dangerous commands are executed."
        },
        "Mitigations": {
          "Mitigation": [
            "Design: Use libraries and templates that minimize unfiltered input.",
            "Implementation: Normalize, filter and sanitize all user supplied fields.",
            "Implementation: The victim should configure the browser to minimize active content from untrusted sources."
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "85"
          }
        },
        "References": {
          "Reference": {
            "@External_Reference_ID": "REF-99"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-05-01",
              "Modification_Comment": "Updated Related_Attack_Patterns, Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Execution_Flow, Resources_Required"
            }
          ],
          "Previous_Entry_Name": {
            "@Date": "2017-05-01",
            "#text": "Cross-Site Scripting Using Doubled Characters, e.g. %3C%3Cscript"
          }
        }
      }
    }
  },
  {
    "instruction": "List the required resources to perform the following capec attack pattern: Path Traversal (CAPEC ID: 126)",
    "context": "",
    "output": "required resources:\nThe ability to manually manipulate path information either directly through a client application relative to the service or application or via a proxy application.",
    "category": "CAPECFlan",
    "instruction_type": "capec_resources_required",
    "parsed_raw_data": {
      "Resources_Required": "The ability to manually manipulate path information either directly through a client application relative to the service or application or via a proxy application.",
      "@Name": "Path Traversal (CAPEC ID: 126)",
      "attack_ptrn": {
        "@ID": "126",
        "@Name": "Path Traversal",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \\) and/or dots (.)) to reach desired directories or files.",
        "Alternate_Terms": {
          "Alternate_Term": {
            "Term": "Directory Traversal"
          }
        },
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "Very High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "153"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "664"
            }
          ]
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Fingerprinting of the operating system] In order to perform a valid path traversal, the attacker needs to know what the underlying OS is so that the proper file separator is used.",
              "Technique": [
                "Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.",
                "TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.",
                "Induce errors to find informative error messages"
              ]
            },
            {
              "Step": "2",
              "Phase": "Explore",
              "Description": "[Survey the Application to Identify User-controllable Inputs] The attacker surveys the target application to identify all user-controllable file inputs"
            },
            {
              "Step": "3",
              "Phase": "Experiment",
              "Description": "[Vary inputs, looking for malicious results] Depending on whether the application being exploited is a remote or local one, the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application"
            },
            {
              "Step": "4",
              "Phase": "Exploit",
              "Description": "[Manipulate files accessible by the application] The attacker may steal information or directly manipulate files (delete, copy, flush, etc.)"
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "The attacker must be able to control the path that is requested of the target.",
            "The target must fail to adequately sanitize incoming paths"
          ]
        },
        "Skills_Required": {
          "Skill": [
            {
              "@Level": "Low",
              "#text": "Simple command line attacks or to inject the malicious payload in a web page."
            },
            {
              "@Level": "Medium",
              "#text": "Customizing attacks to bypass non trivial filters in the application."
            }
          ]
        },
        "Resources_Required": {
          "Resource": "The ability to manually manipulate path information either directly through a client application relative to the service or application or via a proxy application."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": [
                "Integrity",
                "Confidentiality",
                "Availability"
              ],
              "Impact": "Execute Unauthorized Commands",
              "Note": "The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries."
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data",
              "Note": "The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication."
            },
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data",
              "Note": "The attacker may be able to read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system."
            },
            {
              "Scope": "Availability",
              "Impact": "Unreliable Execution",
              "Note": "The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and in the case of a protection mechanism such as authentication, it has the potential to lock out every user of the software."
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Design: Configure the access control correctly.",
            "Design: Enforce principle of least privilege.",
            "Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution.",
            "Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement.",
            "Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host.",
            "Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.",
            "Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin.",
            "Implementation: Perform input validation for all remote content, including remote and user-generated content.",
            "Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.",
            "Implementation: Use indirect references rather than actual file names.",
            "Implementation: Use possible permissions on file access when developing and deploying web applications.",
            "Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- using an allowlist approach."
          ]
        },
        "Example_Instances": {
          "Example": {
            "xhtml:p": [
              "An example of using path traversal to attack some set of resources on a web server is to use a standard HTTP request",
              "From an attacker's point of view, this may be sufficient to gain access to the password file on a poorly protected system. If the attacker can list directories of critical resources then read only access is not sufficient to protect the system."
            ],
            "xhtml:div": {
              "@style": "margin-left:1em;",
              "@class": "informative",
              "#text": "http://example/../../../../../etc/passwd"
            }
          }
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "22"
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": [
            {
              "@Taxonomy_Name": "WASC",
              "Entry_ID": "33",
              "Entry_Name": "Path Traversal"
            },
            {
              "@Taxonomy_Name": "OWASP Attacks",
              "Entry_Name": "Path Traversal"
            }
          ]
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-1"
            },
            {
              "@External_Reference_ID": "REF-9",
              "@Section": "Testing for Path Traversal (OWASP-AZ-001)"
            },
            {
              "@External_Reference_ID": "REF-10",
              "@Section": "WASC-33 - Path Traversal"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-01-09",
              "Modification_Comment": "Updated Activation_Zone, Alternate_Terms, Architectural_Paradigms, Attack_Motivation-Consequences, Attacker_Skills_or_Knowledge_Required, CIA_Impact, Examples-Instances, Frameworks, Injection_Vector, Languages, Payload, Payload_Activation_Impact, Platforms, Purposes, References, Related_Attack_Patterns, Related_Vulnerabilities, Related_Weaknesses, Relevant_Security_Requirements, Solutions_and_Mitigations, Technical_Context, Typical_Likelihood_of_Exploit, Typical_Severity"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Mitigations"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated References, Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-10-21",
              "Modification_Comment": "Updated Execution_Flow"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Example_Instances"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "List the required resources to perform the following capec attack pattern: Phishing (CAPEC ID: 98)",
    "context": "",
    "output": "required resources:\nSome web development tools to put up a fake website.",
    "category": "CAPECFlan",
    "instruction_type": "capec_resources_required",
    "parsed_raw_data": {
      "Resources_Required": "Some web development tools to put up a fake website.",
      "@Name": "Phishing (CAPEC ID: 98)",
      "attack_ptrn": {
        "@ID": "98",
        "@Name": "Phishing",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or \"fishing\" for information.",
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "Very High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "151",
              "Exclude_Related": [
                {
                  "@Exclude_ID": "515"
                },
                {
                  "@Exclude_ID": "512"
                },
                {
                  "@Exclude_ID": "513"
                }
              ]
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "89"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "543"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "611"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "630"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "631"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "632"
            }
          ]
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Obtain domain name and certificate to spoof legitimate site] This optional step can be used to help the attacker impersonate the legitimate site more convincingly. The attacker can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate.",
              "Technique": [
                "Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L)",
                "Optionally obtain a legitimate SSL certificate for the new domain name."
              ]
            },
            {
              "Step": "2",
              "Phase": "Explore",
              "Description": "[Explore legitimate website and create duplicate] An attacker creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that they are trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here.",
              "Technique": [
                "Use spidering software to get copy of web pages on legitimate site.",
                "Manually save copies of required web pages from legitimate site.",
                "Create new web pages that have the legitimate site's look and feel, but contain completely new content."
              ]
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Convince user to enter sensitive information on attacker's site.] An attacker sends an e-mail to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail (which takes the victim to attacker's website) and log in. The key is to get the victim to believe that the e-mail is coming from a legitimate entity with which the victim does business and that the website pointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate and urgent enough to prompt action from the user.",
              "Technique": [
                "Send the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the included link.",
                "Place phishing link in post to online forum."
              ]
            },
            {
              "Step": "4",
              "Phase": "Exploit",
              "Description": "[Use stolen credentials to log into legitimate site] Once the attacker captures some sensitive information through phishing (login credentials, credit card information, etc.) the attacker can leverage this information. For instance, the attacker can use the victim's login credentials to log into their bank account and transfer money to an account of their choice.",
              "Technique": "Log in to the legitimate site using another user's supplied credentials"
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "An attacker needs to have a way to initiate contact with the victim. Typically that will happen through e-mail.",
            "An attacker needs to correctly guess the entity with which the victim does business and impersonate it. Most of the time phishers just use the most popular banks/services and send out their \"hooks\" to many potential victims.",
            "An attacker needs to have a sufficiently compelling call to action to prompt the user to take action.",
            "The replicated website needs to look extremely similar to the original website and the URL used to get to that website needs to look like the real URL of the said business entity."
          ]
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Medium",
            "#text": "Basic knowledge about websites: obtaining them, designing and implementing them, etc."
          }
        },
        "Resources_Required": {
          "Resource": "Some web development tools to put up a fake website."
        },
        "Indicators": {
          "Indicator": [
            "You receive an e-mail from an entity that you are not even a customer of prompting you to log into your account.",
            "You receive any e-mail that provides you with a link which takes you to a website on which you need to enter your log in information."
          ]
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Gain Privileges"
            },
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": "Do not follow any links that you receive within your e-mails and certainly do not input any login credentials on the page that they take you to. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. A safe practice would also be to type the URL of your bank in the browser directly and only then log in. Also, never reply to any e-mails that ask you to provide sensitive information of any kind."
        },
        "Example_Instances": {
          "Example": [
            "The target gets an official looking e-mail from their bank stating that their account has been temporarily locked due to suspected unauthorized activity and that they need to click on the link included in the e-mail to log in to their bank account in order to unlock it. The link in the e-mail looks very similar to that of their bank and once the link is clicked, the log in page is the exact replica. The target supplies their login credentials after which they are notified that their account has now been unlocked and that everything is fine. An attacker has just collected the target's online banking information which can now be used by the attacker to log into the target's bank account and transfer money to a bank account of the attackers' choice.",
            "An adversary may use BlueJacking, or Bluetooth Phishing to send unsolicited contact cards, messages, or pictures to nearby devices that are listening via Bluetooth. These messages may contain phishing content."
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "451"
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": [
            {
              "@Taxonomy_Name": "ATTACK",
              "Entry_ID": "1566",
              "Entry_Name": "Phishing"
            },
            {
              "@Taxonomy_Name": "ATTACK",
              "Entry_ID": "1598",
              "Entry_Name": "Phishing for Information"
            }
          ]
        },
        "References": {
          "Reference": {
            "@External_Reference_ID": "REF-656"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated Attacker_Skills_or_Knowledge_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Example_Instances, Execution_Flow, Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Example_Instances, Execution_Flow"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Example_Instances, References"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Related_Attack_Patterns, Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2023-01-24",
              "Modification_Comment": "Updated Related_Weaknesses"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Provide the resources needed so the attacker can use the attack pattern: ICMP Echo Request Ping (CAPEC ID: 285)",
    "context": "",
    "output": "Here is the list of resources required to implement attack pattern ICMP Echo Request Ping (CAPEC ID: 285):\nScanners or utilities that provide the ability to send custom ICMP queries.",
    "category": "CAPECFlan",
    "instruction_type": "capec_resources_required",
    "parsed_raw_data": {
      "Resources_Required": "Scanners or utilities that provide the ability to send custom ICMP queries.",
      "@Name": "ICMP Echo Request Ping (CAPEC ID: 285)",
      "attack_ptrn": {
        "@ID": "285",
        "@Name": "ICMP Echo Request Ping",
        "@Abstraction": "Detailed",
        "@Status": "Stable",
        "Description": "An adversary sends out an ICMP Type 8 Echo Request, commonly known as a 'Ping', in order to determine if a target system is responsive. If the request is not blocked by a firewall or ACL, the target host will respond with an ICMP Type 0 Echo Reply datagram. This type of exchange is usually referred to as a 'Ping' due to the Ping utility present in almost all operating systems. Ping, as commonly implemented, allows a user to test for alive hosts, measure round-trip time, and measure the percentage of packet loss.",
        "Extended_Description": {
          "xhtml:p": "Performing this operation for a range of hosts on the network is known as a 'Ping Sweep'. While the Ping utility is useful for small-scale host discovery, it was not designed for rapid or efficient host discovery over large network blocks. Other scanning utilities have been created that make ICMP ping sweeps easier to perform. Most networks filter ingress ICMP Type 8 messages for security reasons. Various other methods of performing ping sweeps have developed as a result. It is important to recognize the key security goal of the adversary is to discover if an IP address is alive, or has a responsive host. To this end, virtually any type of ICMP message, as defined by RFC 792 is useful. An adversary can cycle through various types of ICMP messages to determine if holes exist in the firewall configuration. When ICMP ping sweeps fail to discover hosts, other protocols can be used for the same purpose, such as TCP SYN or ACK segments, UDP datagrams sent to closed ports, etc."
        },
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "Low",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "292",
            "Exclude_Related": {
              "@Exclude_ID": "512"
            }
          }
        },
        "Prerequisites": {
          "Prerequisite": "The ability to send an ICMP type 8 query (Echo Request) to a remote target and receive an ICMP type 0 message (ICMP Echo Reply) in response. Any firewalls or access control lists between the sender and receiver must allow ICMP Type 8 and ICMP Type 0 messages in order for a ping operation to succeed."
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Low",
            "#text": "The adversary needs to know certain linux commands for this type of attack."
          }
        },
        "Resources_Required": {
          "Resource": "Scanners or utilities that provide the ability to send custom ICMP queries."
        },
        "Consequences": {
          "Consequence": {
            "Scope": "Confidentiality",
            "Impact": "Other",
            "Note": "A successful attack of this kind can identify open ports and available services on a system."
          }
        },
        "Mitigations": {
          "Mitigation": "Consider configuring firewall rules to block ICMP Echo requests and prevent replies. If not practical, monitor and consider action when a system has fast and a repeated pattern of requests that move incrementally through port numbers."
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "200"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-33",
              "@Section": "Chapter 2: Scanning, pp. 44-51"
            },
            {
              "@External_Reference_ID": "REF-123"
            },
            {
              "@External_Reference_ID": "REF-124"
            },
            {
              "@External_Reference_ID": "REF-125"
            },
            {
              "@External_Reference_ID": "REF-34",
              "@Section": "Section 3.5.2 Ping Scan (-SP), pg. 58"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Description Summary, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated Attack_Motivation-Consequences, Attacker_Skills_or_Knowledge_Required, Description, Description Summary, Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-09-30",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Extended_Description"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "What are the required resources to execute the attack pattern: Transaction or Event Tampering via Application API Manipulation (CAPEC ID: 385)",
    "context": "",
    "output": "The resources required to execute Transaction or Event Tampering via Application API Manipulation (CAPEC ID: 385) are the following: A software program that allows the use of adversary-in-the-middle communications (CAPEC-94) between the client and server, such as a man-in-the-middle proxy.",
    "category": "CAPECFlan",
    "instruction_type": "capec_resources_required",
    "parsed_raw_data": {
      "Resources_Required": "A software program that allows the use of adversary-in-the-middle communications (CAPEC-94) between the client and server, such as a man-in-the-middle proxy.",
      "@Name": "Transaction or Event Tampering via Application API Manipulation (CAPEC ID: 385)",
      "attack_ptrn": {
        "@ID": "385",
        "@Name": "Transaction or Event Tampering via Application API Manipulation",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.",
        "Typical_Severity": "Medium",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "384"
          }
        },
        "Prerequisites": {
          "Prerequisite": "Targeted software is utilizing application framework APIs"
        },
        "Resources_Required": {
          "Resource": "A software program that allows the use of adversary-in-the-middle communications (CAPEC-94) between the client and server, such as a man-in-the-middle proxy."
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "471"
            },
            {
              "@CWE_ID": "345"
            },
            {
              "@CWE_ID": "346"
            },
            {
              "@CWE_ID": "602"
            },
            {
              "@CWE_ID": "311"
            }
          ]
        },
        "References": {
          "Reference": {
            "@External_Reference_ID": "REF-327"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-09-30",
              "Modification_Comment": "Updated @Abstraction"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Resources_Required"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "What are the required resources to execute the attack pattern: Infrastructure Manipulation (CAPEC ID: 161)",
    "context": "",
    "output": "The resources required to execute Infrastructure Manipulation (CAPEC ID: 161) are the following: The attacker must be able to corrupt the infrastructure used by the client. For some variants of this attack, the attacker must be able to stand up their own services that mimic the services the targeted client intends to use.",
    "category": "CAPECFlan",
    "instruction_type": "capec_resources_required",
    "parsed_raw_data": {
      "Resources_Required": "The attacker must be able to corrupt the infrastructure used by the client. For some variants of this attack, the attacker must be able to stand up their own services that mimic the services the targeted client intends to use.",
      "@Name": "Infrastructure Manipulation (CAPEC ID: 161)",
      "attack_ptrn": {
        "@ID": "161",
        "@Name": "Infrastructure Manipulation",
        "@Abstraction": "Meta",
        "@Status": "Draft",
        "Description": "An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network objects or effect a change in the ordinary information flow between network objects. Most often, this involves manipulation of the routing of network messages so, instead of arriving at their proper destination, they are directed towards an entity of the attackers' choosing, usually a server controlled by the attacker. The victim is often unaware that their messages are not being processed correctly. For example, a targeted client may believe they are connecting to their own bank but, in fact, be connecting to a Pharming site controlled by the attacker which then collects the user's login information in order to hijack the actual bank account.",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "CanPrecede",
            "@CAPEC_ID": "664"
          }
        },
        "Prerequisites": {
          "Prerequisite": "The targeted client must access the site via infrastructure that the attacker has co-opted and must fail to adequately verify that the communication channel is operating correctly (e.g. by verifying that they are, in fact, connected to the site they intended.)"
        },
        "Resources_Required": {
          "Resource": "The attacker must be able to corrupt the infrastructure used by the client. For some variants of this attack, the attacker must be able to stand up their own services that mimic the services the targeted client intends to use."
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "923"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-01-09",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2023-01-24",
              "Modification_Comment": "Updated Related_Weaknesses"
            }
          ]
        }
      }
    }
  }
]