[
  {
    "instruction": "List examples for 'Interface Manipulation (CAPEC ID: 113)' attack pattern",
    "context": "",
    "output": "Example instances for attack pattern - Interface Manipulation (CAPEC ID: 113) are: An adversary may make a request to an application that leverages a non-standard API that is known to incorrectly validate its data and thus it may be manipulated by supplying metacharacters or alternate encodings as input, resulting in any number of injection flaws, including SQL injection, cross-site scripting, or command execution.\nAPI methods not intended for production, such as debugging or testing APIs, may not be disabled when deploying in a production environment. As a result, dangerous functionality can be exposed within the production environment, which an adversary can leverage to execute additional attacks.\nSoC components contain insufficient identifiers, which allows an adversary to reset the device at will or read sensitive data from the device.",
    "category": "CAPECFlan",
    "instruction_type": "capec_example_instances",
    "parsed_raw_data": {
      "Example_Instances": [
        "An adversary may make a request to an application that leverages a non-standard API that is known to incorrectly validate its data and thus it may be manipulated by supplying metacharacters or alternate encodings as input, resulting in any number of injection flaws, including SQL injection, cross-site scripting, or command execution.",
        "API methods not intended for production, such as debugging or testing APIs, may not be disabled when deploying in a production environment. As a result, dangerous functionality can be exposed within the production environment, which an adversary can leverage to execute additional attacks.",
        "SoC components contain insufficient identifiers, which allows an adversary to reset the device at will or read sensitive data from the device."
      ],
      "@Name": "Interface Manipulation (CAPEC ID: 113)",
      "attack_ptrn": {
        "@ID": "113",
        "@Name": "Interface Manipulation",
        "@Abstraction": "Meta",
        "@Status": "Draft",
        "Description": "An adversary manipulates the use or processing of an interface (e.g. Application Programming Interface (API) or System-on-Chip (SoC)) resulting in an adverse impact upon the security of the system implementing the interface. This can allow the adversary to bypass access control and/or execute functionality not intended by the interface implementation, possibly compromising the system which integrates the interface. Interface manipulation can take on a number of forms including forcing the unexpected use of an interface or the use of an interface in an unintended way.",
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "Medium",
        "Prerequisites": {
          "Prerequisite": "The target system must expose interface functionality in a manner that can be discovered and manipulated by an adversary. This may require reverse engineering the interface or decrypting/de-obfuscating client-server exchanges."
        },
        "Resources_Required": {
          "Resource": "The requirements vary depending upon the nature of the interface. For example, application-layer APIs related to the processing of the HTTP protocol may require one or more of the following: an Adversary-In-The-Middle (CAPEC-94) proxy, a web browser, or a programming/scripting language."
        },
        "Example_Instances": {
          "Example": [
            "An adversary may make a request to an application that leverages a non-standard API that is known to incorrectly validate its data and thus it may be manipulated by supplying metacharacters or alternate encodings as input, resulting in any number of injection flaws, including SQL injection, cross-site scripting, or command execution.",
            "API methods not intended for production, such as debugging or testing APIs, may not be disabled when deploying in a production environment. As a result, dangerous functionality can be exposed within the production environment, which an adversary can leverage to execute additional attacks.",
            "SoC components contain insufficient identifiers, which allows an adversary to reset the device at will or read sensitive data from the device."
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "1192"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2015-12-07",
              "Modification_Comment": "Updated Attack_Prerequisites, Description Summary, Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-05-01",
              "Modification_Comment": "Updated Activation_Zone, Injection_Vector, Payload, Payload_Activation_Impact, Related_Weaknesses, Typical_Likelihood_of_Exploit"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated @Name, @Status, Description, Example_Instances, Prerequisites, Related_Weaknesses, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Related_Weaknesses, Resources_Required"
            }
          ],
          "Previous_Entry_Name": [
            {
              "@Date": "2015-12-07",
              "#text": "API Abuse/Misuse"
            },
            {
              "@Date": "2020-12-17",
              "#text": "API Manipulation"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Given the attack pattern: Artificially Inflate File Sizes (CAPEC ID: 572), give me an example instances for this pattern",
    "context": "",
    "output": "Sure. Examples can be: An adversary could potentially increase file sizes on devices containing limited storage resources, such as SCADA or IOT devices, resulting in denial of service conditions.",
    "category": "CAPECFlan",
    "instruction_type": "capec_example_instances",
    "parsed_raw_data": {
      "Example_Instances": "An adversary could potentially increase file sizes on devices containing limited storage resources, such as SCADA or IOT devices, resulting in denial of service conditions.",
      "@Name": "Artificially Inflate File Sizes (CAPEC ID: 572)",
      "attack_ptrn": {
        "@ID": "572",
        "@Name": "Artificially Inflate File Sizes",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": {
          "xhtml:p": "An adversary modifies file contents by adding data to files for several reasons. Many different attacks could \u201cfollow\u201d this pattern resulting in numerous outcomes. Adding data to a file could also result in a Denial of Service condition for devices with limited storage capacity."
        },
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "Medium",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "165"
          }
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Availability",
              "Impact": "Resource Consumption",
              "Note": "Denial of Service"
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            }
          ]
        },
        "Example_Instances": {
          "Example": {
            "xhtml:p": "An adversary could potentially increase file sizes on devices containing limited storage resources, such as SCADA or IOT devices, resulting in denial of service conditions."
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1027.001",
            "Entry_Name": "Obfuscated Files or Information:Binary Padding"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2015-11-09"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-09-30",
              "Modification_Comment": "Updated @Abstraction, Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Consequences, Description, Example_Instances, Likelihood_Of_Attack, Taxonomy_Mappings, Typical_Severity"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "How can I implement attack pattern - iFrame Overlay (CAPEC ID: 222)",
    "context": "",
    "output": "Examples of iFrame Overlay (CAPEC ID: 222) are: The following example is a real-world iFrame overlay attack [2]. In this attack, the malicious page embeds Twitter.com on a transparent IFRAME. The status-message field is initialized with the URL of the malicious page itself. To provoke the click, which is necessary to publish the entry, the malicious page displays a button labeled \"Don't Click.\" This button is aligned with the invisible \"Update\" button of Twitter. Once the user performs the click, the status message (i.e., a link to the malicious page itself) is posted to their Twitter profile.",
    "category": "CAPECFlan",
    "instruction_type": "capec_example_instances",
    "parsed_raw_data": {
      "Example_Instances": "The following example is a real-world iFrame overlay attack [2]. In this attack, the malicious page embeds Twitter.com on a transparent IFRAME. The status-message field is initialized with the URL of the malicious page itself. To provoke the click, which is necessary to publish the entry, the malicious page displays a button labeled \"Don't Click.\" This button is aligned with the invisible \"Update\" button of Twitter. Once the user performs the click, the status message (i.e., a link to the malicious page itself) is posted to their Twitter profile.",
      "@Name": "iFrame Overlay (CAPEC ID: 222)",
      "attack_ptrn": {
        "@ID": "222",
        "@Name": "iFrame Overlay",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system.",
        "Extended_Description": {
          "xhtml:p": "While being logged in to some target system, the victim visits the adversarys' malicious site which displays a UI that the victim wishes to interact with. In reality, the iFrame overlay page has a transparent layer above the visible UI with action controls that the adversary wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the adversary may have just tricked the victim into executing some potentially privileged (and most undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks they are clicking on versus what they are actually clicking on."
        },
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "103",
            "Exclude_Related": {
              "@Exclude_ID": "403"
            }
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Craft an iFrame Overlay page] The adversary crafts a malicious iFrame overlay page.",
              "Technique": "The adversary leverages iFrame overlay capabilities to craft a malicious iFrame overlay page."
            },
            {
              "Step": "2",
              "Phase": "Exploit",
              "Description": "[adversary tricks victim to load the iFrame overlay page] adversary utilizes some form of temptation, misdirection or coercion to trick the victim to loading and interacting with the iFrame overlay page in a way that increases the chances that the victim will visit the malicious page.",
              "Technique": [
                "Trick the victim to the malicious site by sending the victim an e-mail with a URL to the site.",
                "Trick the victim to the malicious site by manipulating URLs on a site trusted by the victim.",
                "Trick the victim to the malicious site through a cross-site scripting attack."
              ]
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Trick victim into interacting with the iFrame overlay page in the desired manner] The adversary tricks the victim into clicking on the areas of the UI which contain the hidden action controls and thereby interacts with the target system maliciously with the victim's level of privilege.",
              "Technique": [
                "Hide action controls over very commonly used functionality.",
                "Hide action controls over very psychologically tempting content."
              ]
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": "The victim is communicating with the target application via a web based UI and not a thick client. The victim's browser security policies allow iFrames. The victim uses a modern browser that supports UI elements like clickable buttons (i.e. not using an old text only browser). The victim has an active session with the target system. The target system's interaction window is open in the victim's browser and supports the ability for initiating sensitive actions on behalf of the user in the target system."
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "High",
            "#text": "Crafting the proper malicious site and luring the victim to this site is not a trivial task."
          }
        },
        "Resources_Required": {
          "Resource": "None: No specialized resources are required to execute this type of attack."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            },
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": "Authorization",
              "Impact": "Execute Unauthorized Commands",
              "Note": "Run Arbitrary Code"
            },
            {
              "Scope": [
                "Accountability",
                "Authentication",
                "Authorization",
                "Non-Repudiation"
              ],
              "Impact": "Gain Privileges"
            },
            {
              "Scope": [
                "Access Control",
                "Authorization"
              ],
              "Impact": "Bypass Protection Mechanism"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Configuration: Disable iFrames in the Web browser.",
            "Operation: When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks.",
            "Operation: If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames."
          ]
        },
        "Example_Instances": {
          "Example": "The following example is a real-world iFrame overlay attack [2]. In this attack, the malicious page embeds Twitter.com on a transparent IFRAME. The status-message field is initialized with the URL of the malicious page itself. To provoke the click, which is necessary to publish the entry, the malicious page displays a button labeled \"Don't Click.\" This button is aligned with the invisible \"Update\" button of Twitter. Once the user performs the click, the status message (i.e., a link to the malicious page itself) is posted to their Twitter profile."
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "1021"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-84"
            },
            {
              "@External_Reference_ID": "REF-85"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated References"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-09-30",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Description, Example_Instances"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Description, Execution_Flow, Extended_Description"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Given the attack pattern: Avoid Security Tool Identification by Adding Data (CAPEC ID: 655), give me an example instances for this pattern",
    "context": "",
    "output": "Sure. Examples can be: Adding data to change the checksum of a file and can be used to avoid hash-based denylists and static anti-virus signatures.",
    "category": "CAPECFlan",
    "instruction_type": "capec_example_instances",
    "parsed_raw_data": {
      "Example_Instances": "Adding data to change the checksum of a file and can be used to avoid hash-based denylists and static anti-virus signatures.",
      "@Name": "Avoid Security Tool Identification by Adding Data (CAPEC ID: 655)",
      "attack_ptrn": {
        "@ID": "655",
        "@Name": "Avoid Security Tool Identification by Adding Data",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": {
          "xhtml:p": [
            "An adversary adds data to a file to increase the file size beyond what security tools are capable of handling in an attempt to mask their actions.",
            "In addition to this, adding data to a file also changes the file's hash, frustrating security tools that look for known bad files by their hash."
          ]
        },
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "572"
          }
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Accountability",
              "Impact": [
                "Hide Activities",
                "Bypass Protection Mechanism"
              ]
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            }
          ]
        },
        "Example_Instances": {
          "Example": {
            "xhtml:p": "Adding data to change the checksum of a file and can be used to avoid hash-based denylists and static anti-virus signatures."
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1027.001",
            "Entry_Name": "Obfuscated Files or Information:Binary padding"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2020-07-30"
          },
          "Modification": {
            "Modification_Name": "CAPEC Content Team",
            "Modification_Organization": "The MITRE Corporation",
            "Modification_Date": "2021-06-24",
            "Modification_Comment": "Updated Example_Instances"
          }
        }
      }
    }
  },
  {
    "instruction": "Are there any examples for 'Forced Integer Overflow (CAPEC ID: 92)' attack pattern",
    "context": "",
    "output": "Yes. You can have a look at the following example: Integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value. See also: CVE-2007-1544",
    "category": "CAPECFlan",
    "instruction_type": "capec_example_instances",
    "parsed_raw_data": {
      "Example_Instances": [
        "Integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value. See also: CVE-2007-1544"
      ],
      "@Name": "Forced Integer Overflow (CAPEC ID: 92)",
      "attack_ptrn": {
        "@ID": "92",
        "@Name": "Forced Integer Overflow",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.",
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "128"
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "The first step is exploratory meaning the attacker looks for an integer variable that they can control."
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "The attacker finds an integer variable that they can write into or manipulate and try to get the value of the integer out of the possible range."
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "The integer variable is forced to have a value out of range which set its final value to an unexpected value."
            },
            {
              "Step": "4",
              "Phase": "Exploit",
              "Description": "The target host acts on the data and unexpected behavior may happen."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "The attacker can manipulate the value of an integer variable utilized by the target host.",
            "The target host does not do proper range checking on the variable before utilizing it.",
            "When the integer variable is incremented or decremented to an out of range value, it gets a very different value (e.g. very small or negative number)"
          ]
        },
        "Skills_Required": {
          "Skill": [
            {
              "@Level": "Low",
              "#text": "An attacker can simply overflow an integer by inserting an out of range value."
            },
            {
              "@Level": "High",
              "#text": "Exploiting a buffer overflow by injecting malicious code into the stack of a software system or even the heap can require a higher skill level."
            }
          ]
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Gain Privileges"
            },
            {
              "Scope": [
                "Confidentiality",
                "Integrity",
                "Availability"
              ],
              "Impact": "Execute Unauthorized Commands",
              "Note": "Run Arbitrary Code"
            },
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": "Availability",
              "Impact": "Unreliable Execution"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Use a language or compiler that performs automatic bounds checking.",
            "Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as integer overflow.",
            "Use an abstraction library to abstract away risky APIs. Not a complete solution.",
            "Always do bound checking before consuming user input data."
          ]
        },
        "Example_Instances": {
          "Example": [
            "Integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value. See also: CVE-2007-1544",
            {
              "xhtml:p": "The following code illustrates an integer overflow. The declaration of total integer as \"unsigned short int\" assumes that the length of the first and second arguments fits in such an integer [REF-547], [REF-548].",
              "xhtml:div": {
                "@style": "margin-left:1em;",
                "@class": "informative",
                "xhtml:br": [
                  null,
                  null,
                  null,
                  null,
                  null,
                  null
                ],
                "xhtml:div": {
                  "@style": "margin-left:1em;",
                  "xhtml:div": {
                    "@style": "margin-left:1em;",
                    "xhtml:br": null,
                    "#text": "printf(\"Usage: prog_name <string1> <string2>\\n\");exit(-1);"
                  },
                  "xhtml:br": [
                    null,
                    null,
                    null,
                    null,
                    null,
                    null
                  ],
                  "#text": "if (argc !=3){\n                     }unsigned short int total;total = strlen(argv[1])+strlen(argv[2])+1;char * buff = (char *)malloc(total);strcpy(buff, argv[1]);strcpy(buff, argv[2]);"
                },
                "#text": "include <stdlib.h>include <string.h>include <stdio.h>\n                  int main (int argc, char *const *argv){\n                  }"
              }
            }
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "190"
            },
            {
              "@CWE_ID": "128"
            },
            {
              "@CWE_ID": "120"
            },
            {
              "@CWE_ID": "122"
            },
            {
              "@CWE_ID": "196"
            },
            {
              "@CWE_ID": "680"
            },
            {
              "@CWE_ID": "697"
            }
          ]
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "WASC",
            "Entry_ID": "03",
            "Entry_Name": "Integer Overflows"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-131"
            },
            {
              "@External_Reference_ID": "REF-547",
              "@Section": "Test Case ID 1511"
            },
            {
              "@External_Reference_ID": "REF-548",
              "@Section": "Page 152, Figure 5-1"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated References"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Example_Instances, Execution_Flow"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Mitigations, References, Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Example_Instances"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Are there any examples for 'Accessing/Intercepting/Modifying HTTP Cookies (CAPEC ID: 31)' attack pattern",
    "context": "",
    "output": "Yes. You can have a look at the following example: There are two main attack vectors for exploiting poorly protected session variables like cookies. One is the local machine itself which can be exploited directly at the physical level or indirectly through XSS and phishing. In addition, the adversary in the middle attack (CAPEC-94) relies on a network sniffer, proxy, or other intermediary to intercept the subject's credentials and use them to impersonate the digital subject on the host. The issue is that once the credentials are intercepted, impersonation is trivial for the adversary to accomplish if no other protection mechanisms are in place. See also: CVE-2010-5148 , CVE-2016-0353",
    "category": "CAPECFlan",
    "instruction_type": "capec_example_instances",
    "parsed_raw_data": {
      "Example_Instances": "There are two main attack vectors for exploiting poorly protected session variables like cookies. One is the local machine itself which can be exploited directly at the physical level or indirectly through XSS and phishing. In addition, the adversary in the middle attack (CAPEC-94) relies on a network sniffer, proxy, or other intermediary to intercept the subject's credentials and use them to impersonate the digital subject on the host. The issue is that once the credentials are intercepted, impersonation is trivial for the adversary to accomplish if no other protection mechanisms are in place. See also: CVE-2010-5148 , CVE-2016-0353",
      "@Name": "Accessing/Intercepting/Modifying HTTP Cookies (CAPEC ID: 31)",
      "attack_ptrn": {
        "@ID": "31",
        "@Name": "Accessing/Intercepting/Modifying HTTP Cookies",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.",
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "39"
            },
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "157",
              "Exclude_Related": {
                "@Exclude_ID": "513"
              }
            }
          ]
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Obtain copy of cookie] The adversary first needs to obtain a copy of the cookie. The adversary may be a legitimate end user wanting to escalate privilege, or could be somebody sniffing on a network to get a copy of HTTP cookies.",
              "Technique": [
                "Sniff cookie using a network sniffer such as Wireshark",
                "Obtain cookie using a utility such as the Firefox Cookie Manager, Chrome DevTools or AnEC Cookie Editor.",
                "Steal cookie via a cross-site scripting attack.",
                "Guess cookie contents if it contains predictable information."
              ]
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Obtain sensitive information from cookie] The adversary may be able to get sensitive information from the cookie. The web application developers may have assumed that cookies are not accessible by end users, and thus, may have put potentially sensitive information in them.",
              "Technique": [
                "If cookie shows any signs of being encoded using a standard scheme such as base64, decode it.",
                "Analyze the cookie's contents to determine whether it contains any sensitive information."
              ]
            },
            {
              "Step": "3",
              "Phase": "Experiment",
              "Description": "[Modify cookie to subvert security controls.] The adversary may be able to modify or replace cookies to bypass security controls in the application.",
              "Technique": [
                "Modify logical parts of cookie and send it back to server to observe the effects.",
                "Modify numeric parts of cookie arithmetically and send it back to server to observe the effects.",
                "Modify cookie bitwise and send it back to server to observe the effects.",
                "Replace cookie with an older legitimate cookie and send it back to server to observe the effects. This technique would be helpful in cases where the cookie contains a \"points balance\" for a given user where the points have some value. The user may spend their points and then replace their cookie with an older one to restore their balance."
              ]
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "Target server software must be a HTTP daemon that relies on cookies.",
            "The cookies must contain sensitive information.",
            "The adversary must be able to make HTTP requests to the server, and the cookie must be contained in the reply."
          ]
        },
        "Skills_Required": {
          "Skill": [
            {
              "@Level": "Low",
              "#text": "To overwrite session cookie data, and submit targeted attacks via HTTP"
            },
            {
              "@Level": "High",
              "#text": "Exploiting a remote buffer overflow generated by attack"
            }
          ]
        },
        "Resources_Required": {
          "Resource": "A utility that allows for the viewing and modification of cookies. Many modern web browsers support this behavior."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Gain Privileges"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Design: Use input validation for cookies",
            "Design: Generate and validate MAC for cookies",
            "Implementation: Use SSL/TLS to protect cookie in transit",
            "Implementation: Ensure the web server implements all relevant security patches, many exploitable buffer overflows are fixed in patches issued for the software."
          ]
        },
        "Example_Instances": {
          "Example": "There are two main attack vectors for exploiting poorly protected session variables like cookies. One is the local machine itself which can be exploited directly at the physical level or indirectly through XSS and phishing. In addition, the adversary in the middle attack (CAPEC-94) relies on a network sniffer, proxy, or other intermediary to intercept the subject's credentials and use them to impersonate the digital subject on the host. The issue is that once the credentials are intercepted, impersonation is trivial for the adversary to accomplish if no other protection mechanisms are in place. See also: CVE-2010-5148 , CVE-2016-0353"
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "565"
            },
            {
              "@CWE_ID": "302"
            },
            {
              "@CWE_ID": "311"
            },
            {
              "@CWE_ID": "113"
            },
            {
              "@CWE_ID": "539"
            },
            {
              "@CWE_ID": "20"
            },
            {
              "@CWE_ID": "315"
            },
            {
              "@CWE_ID": "384"
            },
            {
              "@CWE_ID": "472"
            },
            {
              "@CWE_ID": "602"
            },
            {
              "@CWE_ID": "642"
            }
          ]
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1539",
            "Entry_Name": "Steal Web Session Cookie"
          }
        },
        "References": {
          "Reference": {
            "@External_Reference_ID": "REF-1"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-01-09",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Payload_Activation_Impact, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-09-30",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Execution_Flow, Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Execution_Flow, Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Example_Instances, Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "How can I implement attack pattern - Exploitation of Improperly Controlled Registers (CAPEC ID: 680)",
    "context": "",
    "output": "Examples of Exploitation of Improperly Controlled Registers (CAPEC ID: 680) are: During a System-on-Chip's (SoC) secure boot process, the code to be authenticated is measured to determine the code's validity. This entails the one-way hash of the code binary being calculated and extended to the previous hash. The value obtained after completion of the boot flow is then stored in a register with the intent of later verifying this value to determine if the boot flow has been tampered with. However, the register being used does not prevent an adversary from modifying the register's contents, which can result in the adversary spoofing the measurement data used in the attestation process.",
    "category": "CAPECFlan",
    "instruction_type": "capec_example_instances",
    "parsed_raw_data": {
      "Example_Instances": "During a System-on-Chip's (SoC) secure boot process, the code to be authenticated is measured to determine the code's validity. This entails the one-way hash of the code binary being calculated and extended to the previous hash. The value obtained after completion of the boot flow is then stored in a register with the intent of later verifying this value to determine if the boot flow has been tampered with. However, the register being used does not prevent an adversary from modifying the register's contents, which can result in the adversary spoofing the measurement data used in the attestation process.",
      "@Name": "Exploitation of Improperly Controlled Registers (CAPEC ID: 680)",
      "attack_ptrn": {
        "@ID": "680",
        "@Name": "Exploitation of Improperly Controlled Registers",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": {
          "xhtml:p": "An adversary exploits missing or incorrectly configured access control within registers to read/write data that is not meant to be obtained or modified by a user."
        },
        "Extended_Description": {
          "xhtml:p": "Hardware systems often utilize trusted lock bits to prevent a set of registers from being written to or to restrict a register to only being written to once. Registers are also frequently used to store sensitive data leveraged in additional security operations, such as secure booting, authenticating code, device attestation, and more. However, the access control mechanisms meant to protect these registers may be fully missing or ineffective due to misconfiguration. If an adversary is able to discover improper access controls surrounding registers, it could result in the adversary obtaining sensitive data and/or modifying data that is meant to be immutable. This can ultimately result in processes like secure boot being circumvented or in protected configurations being modified."
        },
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "1",
              "Exclude_Related": {
                "@Exclude_ID": "513"
              }
            },
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "180",
              "Exclude_Related": {
                "@Exclude_ID": "513"
              }
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "Awareness of the hardware being leveraged.",
            "Access to the hardware being leveraged."
          ]
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "High",
            "#text": "Intricate knowledge of registers."
          }
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            },
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Design proper access control policies for hardware register access from software and ensure these policies are implemented in accordance with the specified design.",
            "Ensure security lock bit protections are reviewed for design inconsistencies and common weaknesses.",
            "Test security lock programming flow in both pre-silicon and post-silicon environments.",
            "Leverage automated tools to test that values are not reprogrammable and that write-once fields lock on writing zeros.",
            "Ensure that measurement data is stored in registers that are read-only or otherwise have access controls that prevent modification by an untrusted agent."
          ]
        },
        "Example_Instances": {
          "Example": {
            "xhtml:p": "During a System-on-Chip's (SoC) secure boot process, the code to be authenticated is measured to determine the code's validity. This entails the one-way hash of the code binary being calculated and extended to the previous hash. The value obtained after completion of the boot flow is then stored in a register with the intent of later verifying this value to determine if the boot flow has been tampered with. However, the register being used does not prevent an adversary from modifying the register's contents, which can result in the adversary spoofing the measurement data used in the attestation process."
          }
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "1224"
            },
            {
              "@CWE_ID": "1231"
            },
            {
              "@CWE_ID": "1233"
            },
            {
              "@CWE_ID": "1262"
            },
            {
              "@CWE_ID": "1283"
            }
          ]
        },
        "References": {
          "Reference": {
            "@External_Reference_ID": "REF-693"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2021-10-21"
          }
        }
      }
    }
  },
  {
    "instruction": "Give me an usage example for attack pattern - Blue Boxing (CAPEC ID: 5)",
    "context": "",
    "output": "An adversary identifies a vulnerable CCITT-5 phone line, and sends a combination tone to the switch in order to request administrative access. Based on tone and timing parameters the request is verified for access to the switch. Once the adversary has gained control of the switch launching calls, routing calls, and a whole host of opportunities are available.",
    "category": "CAPECFlan",
    "instruction_type": "capec_example_instances",
    "parsed_raw_data": {
      "Example_Instances": "An adversary identifies a vulnerable CCITT-5 phone line, and sends a combination tone to the switch in order to request administrative access. Based on tone and timing parameters the request is verified for access to the switch. Once the adversary has gained control of the switch launching calls, routing calls, and a whole host of opportunities are available.",
      "@Name": "Blue Boxing (CAPEC ID: 5)",
      "attack_ptrn": {
        "@ID": "5",
        "@Name": "Blue Boxing",
        "@Abstraction": "Detailed",
        "@Status": "Obsolete",
        "Description": {
          "xhtml:p": [
            "This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.",
            {
              "xhtml:b": "This attack pattern is included in CAPEC for historical purposes."
            }
          ]
        },
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "Very High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "220"
          }
        },
        "Prerequisites": {
          "Prerequisite": "System must use weak authentication mechanisms for administrative functions."
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Low",
            "#text": "Given a vulnerable phone system, the attackers' technical vector relies on attacks that are well documented in cracker 'zines and have been around for decades."
          }
        },
        "Resources_Required": {
          "Resource": "CCITT-5 or other vulnerable lines, with the ability to send tones such as combined 2,400 Hz and 2,600 Hz tones to the switch"
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Availability",
              "Impact": "Resource Consumption",
              "Note": "Denial of Service"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Gain Privileges"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Implementation: Upgrade phone lines. Note this may be prohibitively expensive",
            "Use strong access control such as two factor access control for administrative access to the switch"
          ]
        },
        "Example_Instances": {
          "Example": "An adversary identifies a vulnerable CCITT-5 phone line, and sends a combination tone to the switch in order to request administrative access. Based on tone and timing parameters the request is verified for access to the switch. Once the adversary has gained control of the switch launching calls, routing calls, and a whole host of opportunities are available."
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "285"
          }
        },
        "References": {
          "Reference": {
            "@External_Reference_ID": "REF-1"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2023-01-24",
              "Modification_Comment": "Updated @Status, Description"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "List examples for 'Clickjacking (CAPEC ID: 103)' attack pattern",
    "context": "",
    "output": "Example instances for attack pattern - Clickjacking (CAPEC ID: 103) are: A victim has an authenticated session with a site that provides an electronic payment service to transfer funds between subscribing members. At the same time, the victim receives an e-mail that appears to come from an online publication to which they subscribe with links to today's news articles. The victim clicks on one of these links and is taken to a page with the news story. There is a screen with an advertisement that appears on top of the news article with the 'skip this ad' button. Eager to read the news article, the user clicks on this button. Nothing happens. The user clicks on the button one more time and still nothing happens.\nIn reality, the victim activated a hidden action control located in a transparent layer above the 'skip this ad' button. The ad screen blocking the news article made it likely that the victim would click on the 'skip this ad' button. Clicking on the button, actually initiated the transfer of $1000 from the victim's account with an electronic payment service to an adversary's account. Clicking on the 'skip this ad' button the second time (after nothing seemingly happened the first time) confirmed the transfer of funds to the electronic payment service.",
    "category": "CAPECFlan",
    "instruction_type": "capec_example_instances",
    "parsed_raw_data": {
      "Example_Instances": [
        "A victim has an authenticated session with a site that provides an electronic payment service to transfer funds between subscribing members. At the same time, the victim receives an e-mail that appears to come from an online publication to which they subscribe with links to today's news articles. The victim clicks on one of these links and is taken to a page with the news story. There is a screen with an advertisement that appears on top of the news article with the 'skip this ad' button. Eager to read the news article, the user clicks on this button. Nothing happens. The user clicks on the button one more time and still nothing happens.",
        "In reality, the victim activated a hidden action control located in a transparent layer above the 'skip this ad' button. The ad screen blocking the news article made it likely that the victim would click on the 'skip this ad' button. Clicking on the button, actually initiated the transfer of $1000 from the victim's account with an electronic payment service to an adversary's account. Clicking on the 'skip this ad' button the second time (after nothing seemingly happened the first time) confirmed the transfer of funds to the electronic payment service."
      ],
      "@Name": "Clickjacking (CAPEC ID: 103)",
      "attack_ptrn": {
        "@ID": "103",
        "@Name": "Clickjacking",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "An adversary tricks a victim into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different, usually an adversary controlled or intended, system.",
        "Extended_Description": {
          "xhtml:p": "While being logged in to some target system, the victim visits the adversary's malicious site which displays a UI that the victim wishes to interact with. In reality, the clickjacked page has a transparent layer above the visible UI with action controls that the adversary wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the adversary may have just tricked the victim into executing some potentially privileged (and most certainly undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks they are clicking on versus what they are actually clicking on."
        },
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "173"
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Experiment",
              "Description": "[Craft a clickjacking page] The adversary utilizes web page layering techniques to try to craft a malicious clickjacking page",
              "Technique": [
                "The adversary leveraged iframe overlay capabilities to craft a malicious clickjacking page",
                "The adversary leveraged Flash file overlay capabilities to craft a malicious clickjacking page",
                "The adversary leveraged Silverlight overlay capabilities to craft a malicious clickjacking page",
                "The adversary leveraged cross-frame scripting to craft a malicious clickjacking page"
              ]
            },
            {
              "Step": "2",
              "Phase": "Exploit",
              "Description": "[Adversary lures victim to clickjacking page] Adversary utilizes some form of temptation, misdirection or coercion to lure the victim to loading and interacting with the clickjacking page in a way that increases the chances that the victim will click in the right areas.",
              "Technique": [
                "Lure the victim to the malicious site by sending the victim an e-mail with a URL to the site.",
                "Lure the victim to the malicious site by manipulating URLs on a site trusted by the victim.",
                "Lure the victim to the malicious site through a cross-site scripting attack."
              ]
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Trick victim into interacting with the clickjacking page in the desired manner] The adversary tricks the victim into clicking on the areas of the UI which contain the hidden action controls and thereby interacts with the target system maliciously with the victim's level of privilege.",
              "Technique": [
                "Hide action controls over very commonly used functionality.",
                "Hide action controls over very psychologically tempting content."
              ]
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "The victim is communicating with the target application via a web based UI and not a thick client",
            "The victim's browser security policies allow at least one of the following JavaScript, Flash, iFrames, ActiveX, or CSS.",
            "The victim uses a modern browser that supports UI elements like clickable buttons (i.e. not using an old text only browser)",
            "The victim has an active session with the target system.",
            "The target system's interaction window is open in the victim's browser and supports the ability for initiating sensitive actions on behalf of the user in the target system"
          ]
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "High",
            "#text": "Crafting the proper malicious site and luring the victim to this site are not trivial tasks."
          }
        },
        "Resources_Required": {
          "Resource": "None: No specialized resources are required to execute this type of attack."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Gain Privileges"
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            },
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": "Availability",
              "Impact": "Unreliable Execution"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "If using the Firefox browser, use the NoScript plug-in, which helps block iFrames.",
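            "Turn off JavaScript and Flash, and disable CSS. These are client-side measures; the target application can also restrict framing of its own pages, for example with the X-Frame-Options response header or the Content-Security-Policy frame-ancestors directive.",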
            "When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks."
          ]
        },
        "Example_Instances": {
          "Example": {
            "xhtml:p": [
              "A victim has an authenticated session with a site that provides an electronic payment service to transfer funds between subscribing members. At the same time, the victim receives an e-mail that appears to come from an online publication to which they subscribe with links to today's news articles. The victim clicks on one of these links and is taken to a page with the news story. There is a screen with an advertisement that appears on top of the news article with the 'skip this ad' button. Eager to read the news article, the user clicks on this button. Nothing happens. The user clicks on the button one more time and still nothing happens.",
              "In reality, the victim activated a hidden action control located in a transparent layer above the 'skip this ad' button. The ad screen blocking the news article made it likely that the victim would click on the 'skip this ad' button. Clicking on the button actually initiated the transfer of $1000 from the victim's account with an electronic payment service to an adversary's account. Clicking on the 'skip this ad' button the second time (after nothing seemingly happened the first time) confirmed the transfer of funds to the electronic payment service."
            ]
          }
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "1021"
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "OWASP Attacks",
            "Entry_Name": "Clickjacking"
          }
        },
        "References": {
          "Reference": {
            "@External_Reference_ID": "REF-619",
            "@Section": "Testing for Clickjacking"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Attack_Phases, Description Summary, Examples-Instances, Related_Weaknesses, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Example_Instances"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated References, Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Description, Extended_Description"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Given the attack pattern: Manipulating State (CAPEC ID: 74), give me example instances for this pattern",
    "context": "",
    "output": "Sure. Examples can be:\n- During the authentication process, an application stores the authentication decision (auth=0/1) in unencrypted cookies. At every request, this cookie is checked to permit or deny a request.\n- An adversary can easily violate this representation of user state and set auth=1 at every request in order to gain illegitimate access and elevated privilege in the application.",
    "category": "CAPECFlan",
    "instruction_type": "capec_example_instances",
    "parsed_raw_data": {
      "Example_Instances": [
        "During the authentication process, an application stores the authentication decision (auth=0/1) in unencrypted cookies. At every request, this cookie is checked to permit or deny a request.",
        "An adversary can easily violate this representation of user state and set auth=1 at every request in order to gain illegitimate access and elevated privilege in the application."
      ],
      "@Name": "Manipulating State (CAPEC ID: 74)",
      "attack_ptrn": {
        "@ID": "74",
        "@Name": "Manipulating State",
        "@Abstraction": "Meta",
        "@Status": "Stable",
        "Description": {
          "xhtml:p": [
            "The adversary modifies state information maintained by the target software or causes a state transition in hardware. If successful, the target will use this tainted state and execute in an unintended manner.",
            "State management is an important function within a software application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an adversary to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits.",
            "If there is a hardware logic error in a finite state machine, the adversary can use this to put the system in an undefined state which could cause a denial of service or exposure of secure data."
          ]
        },
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "High",
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "Adversary determines the nature of state management employed by the target. This includes determining the location (client-side, server-side or both applications) and possibly the items stored as part of user state."
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "The adversary now tries to modify the user state contents (possibly indiscriminately if the contents are encrypted or otherwise obfuscated) or cause a state transition and observe the effects of this change on the target."
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "Having determined how to manipulate the state, the adversary can perform illegitimate actions."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "User state is maintained at least in some way in user-controllable locations, such as cookies or URL parameters.",
            "There is a faulty finite state machine in the hardware logic that can be exploited."
          ]
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Medium",
            "#text": "The adversary needs to have knowledge of state management as employed by the target application, and also the ability to manipulate the state in a meaningful way."
          }
        },
        "Resources_Required": {
          "Resource": "The adversary needs a data tampering tool capable of generating and creating custom inputs to aid in the attack, like Fiddler, Wireshark, or a similar in-browser plugin (e.g., Tamper Data for Firefox)."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Gain Privileges"
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            },
            {
              "Scope": "Availability",
              "Impact": "Unreliable Execution"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Do not rely solely on user-controllable locations, such as cookies or URL parameters, to maintain user state.",
            "Avoid storing sensitive information, such as usernames or authentication and authorization information, in user-controllable locations.",
            "Sensitive information that is part of the user state must be appropriately protected to ensure confidentiality and integrity at each request.",
            "All possible states must be handled by hardware finite state machines."
          ]
        },
        "Example_Instances": {
          "Example": {
            "xhtml:p": [
              "During the authentication process, an application stores the authentication decision (auth=0/1) in unencrypted cookies. At every request, this cookie is checked to permit or deny a request.",
              "An adversary can easily violate this representation of user state and set auth=1 at every request in order to gain illegitimate access and elevated privilege in the application."
            ]
          }
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "372"
            },
            {
              "@CWE_ID": "315"
            },
            {
              "@CWE_ID": "353"
            },
            {
              "@CWE_ID": "693"
            },
            {
              "@CWE_ID": "1245"
            },
            {
              "@CWE_ID": "1253"
            },
            {
              "@CWE_ID": "1265"
            },
            {
              "@CWE_ID": "1271"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-01-09",
              "Modification_Comment": "Updated Description Summary, Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-05-01",
              "Modification_Comment": "Updated Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, Probing_Techniques, Resources_Required, Solutions_and_Mitigations"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated @Name, Consequences, Description, Execution_Flow, Mitigations, Prerequisites, Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Execution_Flow, Related_Weaknesses"
            }
          ],
          "Previous_Entry_Name": {
            "@Date": "2020-07-30",
            "#text": "Manipulating User State"
          }
        }
      }
    }
  }
]