[
  {
    "instruction": "Install Malicious Extension\n\nMany software applications allow users to install third-party software extensions/plugins that provide additional features and functionality. Adversaries can take advantage of this behavior to install malware on a system with relative ease. This may require the adversary compromising a system and then installing the malicious extension themself. An alternate approach entails masquerading the malicious extension as a legitimate extension. The adversary then convinces users to install the malicious component, via means such as social engineering, or simply waits for victims to unknowingly install the malware on their systems. Once the malicious extension has been installed, the adversary can achieve a variety of negative technical impacts such as obtaining sensitive information, executing unauthorized commands, observing/modifying network traffic, and more.\n\nWhat is a short summary of the above text?",
    "context": "",
    "output": "Install Malicious Extension\n\nAn adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of achieving a variety of negative technical impacts.",
    "category": "CAPECFlan",
    "instruction_type": "capec_summarization_of_description",
    "parsed_raw_data": {
      "Extended_Description": "Install Malicious Extension\n\nMany software applications allow users to install third-party software extensions/plugins that provide additional features and functionality. Adversaries can take advantage of this behavior to install malware on a system with relative ease. This may require the adversary compromising a system and then installing the malicious extension themself. An alternate approach entails masquerading the malicious extension as a legitimate extension. The adversary then convinces users to install the malicious component, via means such as social engineering, or simply waits for victims to unknowingly install the malware on their systems. Once the malicious extension has been installed, the adversary can achieve a variety of negative technical impacts such as obtaining sensitive information, executing unauthorized commands, observing/modifying network traffic, and more.",
      "Description": "Install Malicious Extension\n\nAn adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of achieving a variety of negative technical impacts.",
      "attack_ptrn": {
        "@ID": "698",
        "@Name": "Install Malicious Extension",
        "@Abstraction": "Detailed",
        "@Status": "Stable",
        "Description": {
          "xhtml:p": "An adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of achieving a variety of negative technical impacts."
        },
        "Extended_Description": {
          "xhtml:p": "Many software applications allow users to install third-party software extensions/plugins that provide additional features and functionality. Adversaries can take advantage of this behavior to install malware on a system with relative ease. This may require the adversary compromising a system and then installing the malicious extension themself. An alternate approach entails masquerading the malicious extension as a legitimate extension. The adversary then convinces users to install the malicious component, via means such as social engineering, or simply waits for victims to unknowingly install the malware on their systems. Once the malicious extension has been installed, the adversary can achieve a variety of negative technical impacts such as obtaining sensitive information, executing unauthorized commands, observing/modifying network traffic, and more."
        },
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "542"
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Identify target(s)] The adversary must first identify target software that allows for extensions/plugins and which they wish to exploit, such as a web browser or desktop application. To increase the attack space, this will often be popular software with a large user-base."
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Create malicious extension] Having identified a suitable target, the adversary crafts a malicious extension/plugin that can be installed by the underlying target software. This malware may be targeted to execute on specific operating systems or be operating system agnostic."
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Install malicious extension] The malicious extension/plugin is installed by the underlying target software and executes the adversary-created malware, resulting in a variety of negative technical impacts.",
              "Technique": [
                "Adversary-Installed: Having already compromised the target system, the adversary simply installs the malicious extension/plugin themself.",
                "User-Installed: The adversary tricks the user into installing the malicious extension/plugin, via means such as social engineering, or may upload the malware on a reputable extension/plugin hosting site and wait for unknowing victims to install the malicious component."
              ]
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "The adversary must craft malware based on the type of software and system(s) they intend to exploit.",
            "If the adversary intends to install the malicious extension themself, they must first compromise the target machine via some other means."
          ]
        },
        "Skills_Required": {
          "Skill": [
            {
              "@Level": "Medium",
              "#text": "Ability to create malicious extensions that can exploit specific software applications and systems."
            },
            {
              "@Level": "Medium",
              "#text": "Optional: Ability to exploit target system(s) via other means in order to gain entry."
            }
          ]
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": [
                "Confidentiality",
                "Access Control"
              ],
              "Impact": "Read Data"
            },
            {
              "Scope": [
                "Integrity",
                "Access Control"
              ],
              "Impact": "Modify Data"
            },
            {
              "Scope": [
                "Authorization",
                "Access Control"
              ],
              "Impact": [
                "Execute Unauthorized Commands",
                "Alter Execution Logic",
                "Gain Privileges"
              ]
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Only install extensions/plugins from official/verifiable sources.",
            "Confirm extensions/plugins are legitimate and not malware masquerading as a legitimate extension/plugin.",
            "Ensure the underlying software leveraging the extension/plugin (including operating systems) is up-to-date.",
            "Implement an extension/plugin allow list, based on the given security policy.",
            "If applicable, confirm extensions/plugins are properly signed by the official developers.",
            "For web browsers, close sessions when finished to prevent malicious extensions/plugins from executing the the background."
          ]
        },
        "Example_Instances": {
          "Example": [
            {
              "xhtml:p": "In January 2018, Palo Alto's Unit 42 reported that a malicious Internet Information Services (IIS) extension they named RGDoor was used to create a backdoor into several Middle Eastern government organizations, as well as a financial institution and an educational institution. This malware was used in conjunction with the TwoFace webshell and allowed the adversaries to upload/download files and execute unauthorized commands. [REF-740]"
            },
            {
              "xhtml:p": "In December 2018, it was reported that North Korea-based APT Kimusky (also known as Velvet Chollima) infected numerous legitimate academic organizations within the U.S., many specializing in biomedical engineering, with a malicious Google Chrome extension. Dubbed \"Operation STOLEN PENCIL\", the attack entailed conducting spear-phishing attacks to trick victims into installing a malicious PDF reader named \"Auto Font Manager\". Once installed, the malware allowed adversaries to steal cookies and site passwords, as well as forward emails from some compromised accounts. [REF-741]"
            }
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "507"
            },
            {
              "@CWE_ID": "829"
            }
          ]
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": [
            {
              "@Taxonomy_Name": "ATTACK",
              "Entry_ID": "1176",
              "Entry_Name": "Browser Extensions"
            },
            {
              "@Taxonomy_Name": "ATTACK",
              "Entry_ID": "1505.004",
              "Entry_Name": "Server Software Component: IIS Components"
            }
          ]
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-740"
            },
            {
              "@External_Reference_ID": "REF-741"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2022-09-29"
          }
        }
      }
    }
  },
  {
    "instruction": "Write a short summary for this description: Cross-Domain Search Timing\n\nFor GET requests an attacker could for instance leverage the \"img\" tag in conjunction with \"onload() / onerror()\" javascript events. For the POST requests, an attacker could leverage the \"iframe\" element and leverage the \"onload()\" event. There is nothing in the current browser security model that prevents an attacker to use these methods to time responses to the attackers' cross domain requests. The timing for these responses leaks information. For instance, if a victim has an active session with their online e-mail account, an attacker could issue search requests in the victim's mailbox. While the attacker is not able to view the responses, based on the timings of the responses, the attacker could ask yes / no questions as to the content of victim's e-mails, who the victim e-mailed, when, etc. This is but one example; There are other scenarios where an attacker could infer potentially sensitive information from cross domain requests by timing the responses while asking the right questions that leak information.\n\nSummary:",
    "context": "",
    "output": "Cross-Domain Search Timing\n\nAn attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.",
    "category": "CAPECFlan",
    "instruction_type": "capec_summarization_of_description",
    "parsed_raw_data": {
      "Extended_Description": "Cross-Domain Search Timing\n\nFor GET requests an attacker could for instance leverage the \"img\" tag in conjunction with \"onload() / onerror()\" javascript events. For the POST requests, an attacker could leverage the \"iframe\" element and leverage the \"onload()\" event. There is nothing in the current browser security model that prevents an attacker to use these methods to time responses to the attackers' cross domain requests. The timing for these responses leaks information. For instance, if a victim has an active session with their online e-mail account, an attacker could issue search requests in the victim's mailbox. While the attacker is not able to view the responses, based on the timings of the responses, the attacker could ask yes / no questions as to the content of victim's e-mails, who the victim e-mailed, when, etc. This is but one example; There are other scenarios where an attacker could infer potentially sensitive information from cross domain requests by timing the responses while asking the right questions that leak information.",
      "Description": "Cross-Domain Search Timing\n\nAn attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.",
      "attack_ptrn": {
        "@ID": "462",
        "@Name": "Cross-Domain Search Timing",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.",
        "Extended_Description": {
          "xhtml:p": "For GET requests an attacker could for instance leverage the \"img\" tag in conjunction with \"onload() / onerror()\" javascript events. For the POST requests, an attacker could leverage the \"iframe\" element and leverage the \"onload()\" event. There is nothing in the current browser security model that prevents an attacker to use these methods to time responses to the attackers' cross domain requests. The timing for these responses leaks information. For instance, if a victim has an active session with their online e-mail account, an attacker could issue search requests in the victim's mailbox. While the attacker is not able to view the responses, based on the timings of the responses, the attacker could ask yes / no questions as to the content of victim's e-mails, who the victim e-mailed, when, etc. This is but one example; There are other scenarios where an attacker could infer potentially sensitive information from cross domain requests by timing the responses while asking the right questions that leak information."
        },
        "Typical_Severity": "Medium",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "54"
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Determine service to send cross domain requests to] The adversary first determines which service they will be sending the requests to"
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Send and time various cross domain requests] Adversaries will send a variety of cross domain requests to the target, timing the time it takes for the target to respond. Although they won't be able to read the response, the adversary can use the time to infer information about what the service did upon receiving the request.",
              "Technique": [
                "Using a GET request, leverage the \"img\" tag in conjunction with \"onload() / onerror()\" javascript events to time a response",
                "Using a POST request, leverage the \"iframe\" element and use the \"onload()\" event to time a response"
              ]
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Infer information from the response time] After obtaining reponse times to various requests, the adversary will compare these times and infer potentially sensitive information. An example of this could be asking a service to retrieve information and random usernames. If one request took longer to process, it is likely that a user with that username exists, which could be useful knowledge to an adversary.",
              "Technique": "Compare timing of different requests to infer potentially sensitive information about a target service"
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": "Ability to issue GET / POST requests cross domainJava Script is enabled in the victim's browserThe victim has an active session with the site from which the attacker would like to receive informationThe victim's site does not protect search functionality with cross site request forgery (CSRF) protection"
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Low",
            "#text": "Some knowledge of Java Script"
          }
        },
        "Resources_Required": {
          "Resource": "Ability to issue GET / POST requests cross domain"
        },
        "Consequences": {
          "Consequence": {
            "Scope": "Confidentiality",
            "Impact": "Read Data"
          }
        },
        "Mitigations": {
          "Mitigation": [
            "Design: The victim's site could protect all potentially sensitive functionality (e.g. search functions) with cross site request forgery (CSRF) protection and not perform any work on behalf of forged requests",
            "Design: The browser's security model could be fixed to not leak timing information for cross domain requests"
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "385"
            },
            {
              "@CWE_ID": "352"
            },
            {
              "@CWE_ID": "208"
            }
          ]
        },
        "References": {
          "Reference": {
            "@External_Reference_ID": "REF-399"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2015-11-09",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-01-09",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Consequences"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Mitigations"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-10-21",
              "Modification_Comment": "Updated Execution_Flow"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Extended_Description"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Block Logging to Central Repository\n\nIn the case of network based reporting of indicators, an adversary may block traffic associated with reporting to prevent central station analysis. This may be accomplished by many means such as stopping a local process to creating a host-based firewall rule to block traffic to a specific server.\nIn the case of local based reporting of indicators, an adversary may block delivery of locally-generated log files themselves to the central repository.\n\n\nWhat is a short summary of the above text?",
    "context": "",
    "output": "Block Logging to Central Repository\n\nAn adversary prevents host-generated logs being delivered to a central location in an attempt to hide indicators of compromise.",
    "category": "CAPECFlan",
    "instruction_type": "capec_summarization_of_description",
    "parsed_raw_data": {
      "Extended_Description": "Block Logging to Central Repository\n\nIn the case of network based reporting of indicators, an adversary may block traffic associated with reporting to prevent central station analysis. This may be accomplished by many means such as stopping a local process to creating a host-based firewall rule to block traffic to a specific server.\nIn the case of local based reporting of indicators, an adversary may block delivery of locally-generated log files themselves to the central repository.\n",
      "Description": "Block Logging to Central Repository\n\nAn adversary prevents host-generated logs being delivered to a central location in an attempt to hide indicators of compromise.",
      "attack_ptrn": {
        "@ID": "571",
        "@Name": "Block Logging to Central Repository",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": {
          "xhtml:p": "An adversary prevents host-generated logs being delivered to a central location in an attempt to hide indicators of compromise."
        },
        "Extended_Description": {
          "xhtml:p": [
            "In the case of network based reporting of indicators, an adversary may block traffic associated with reporting to prevent central station analysis. This may be accomplished by many means such as stopping a local process to creating a host-based firewall rule to block traffic to a specific server.",
            "In the case of local based reporting of indicators, an adversary may block delivery of locally-generated log files themselves to the central repository."
          ]
        },
        "Typical_Severity": "Low",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "161",
            "Exclude_Related": {
              "@Exclude_ID": "515"
            }
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": [
            {
              "@Taxonomy_Name": "ATTACK",
              "Entry_ID": "1562.002",
              "Entry_Name": "Impair Defenses: Disable Windows Event Logging"
            },
            {
              "@Taxonomy_Name": "ATTACK",
              "Entry_ID": "1562.002",
              "Entry_Name": "Impair Defenses: Impair Command History Logging"
            },
            {
              "@Taxonomy_Name": "ATTACK",
              "Entry_ID": "1562.006",
              "Entry_Name": "Impair Defenses: Indicator Blocking"
            },
            {
              "@Taxonomy_Name": "ATTACK",
              "Entry_ID": "1562.008",
              "Entry_Name": "Impair Defenses: Disable Cloud Logs"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2015-11-09"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated References, Typical_Severity"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Related_Attack_Patterns, Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Description, Extended_Description, Taxonomy_Mappings"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Stored XSS\n\nInitially presented by an adversary to the vulnerable web application, the malicious script is incorrectly considered valid input and is not properly encoded by the web application. A victim is then convinced to use the web application in a way that creates a response that includes the malicious script. This response is subsequently sent to the victim and the malicious script is executed by the victim's browser. To launch a successful Stored XSS attack, an adversary looks for places where stored input data is used in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (<img>), or the addition of event attributes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.\nSummarize the aforementioned description in one paragraph.",
    "context": "",
    "output": "Stored XSS\n\nAn adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently \"stored\" within the data storage of a vulnerable web application as valid input.",
    "category": "CAPECFlan",
    "instruction_type": "capec_summarization_of_description",
    "parsed_raw_data": {
      "Extended_Description": "Stored XSS\n\nInitially presented by an adversary to the vulnerable web application, the malicious script is incorrectly considered valid input and is not properly encoded by the web application. A victim is then convinced to use the web application in a way that creates a response that includes the malicious script. This response is subsequently sent to the victim and the malicious script is executed by the victim's browser. To launch a successful Stored XSS attack, an adversary looks for places where stored input data is used in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (<img>), or the addition of event attributes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.",
      "Description": "Stored XSS\n\nAn adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently \"stored\" within the data storage of a vulnerable web application as valid input.",
      "attack_ptrn": {
        "@ID": "592",
        "@Name": "Stored XSS",
        "@Abstraction": "Detailed",
        "@Status": "Stable",
        "Description": "An adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently \"stored\" within the data storage of a vulnerable web application as valid input.",
        "Extended_Description": {
          "xhtml:p": "Initially presented by an adversary to the vulnerable web application, the malicious script is incorrectly considered valid input and is not properly encoded by the web application. A victim is then convinced to use the web application in a way that creates a response that includes the malicious script. This response is subsequently sent to the victim and the malicious script is executed by the victim's browser. To launch a successful Stored XSS attack, an adversary looks for places where stored input data is used in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (<img>), or the addition of event attributes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines."
        },
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "Very High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "63"
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Survey the application for stored user-controllable inputs] Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application. The adversary is looking for areas where user input is stored, such as user profiles, shopping carts, file managers, forums, blogs, and logs.",
              "Technique": [
                "Use a spidering tool to follow and record all links and analyze the web pages to find entry points.",
                "Use a proxy tool to record all links visited during a manual traversal of the web application.",
                "Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery."
              ]
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Probe identified potential entry points for stored XSS vulnerability] The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects various common script payloads and special characters to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.",
              "Technique": [
                "Use a list of XSS probe strings to submit script in input fields that could be stored by the web application. If possible, the probe strings contain a unique identifier so they can be queried for after submitting to see if they are stored.",
                "Use a list of HTML special characters to submit in input fields that could be stored by the web application and check if they were properly encoded, replaced, or filtered out."
              ]
            },
            {
              "Step": "3",
              "Phase": "Experiment",
              "Description": "[Store malicious XSS content] Once the adversary has determined which stored locations are vulnerable to XSS, they will interact with the web application to store the malicious content. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from a victim.",
              "Technique": [
                "Store a malicious script on a page that will execute when viewed by the victim.",
                "Use a tool such as BeEF to store a hook into the web application. This will alert the adversary when the victim has accessed the content and will give the adversary control over the victim's browser, allowing them access to cookies, user screenshot, user clipboard, and more complex XSS attacks."
              ]
            },
            {
              "Step": "4",
              "Phase": "Exploit",
              "Description": "[Get victim to view stored content] In order for the attack to be successful, the victim needs to view the stored malicious content on the webpage.",
              "Technique": [
                "Send a phishing email to the victim containing a URL that will direct them to the malicious stored content.",
                "Simply wait for a victim to view the content. This is viable in situations where content is posted to a popular public forum."
              ]
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "An application that leverages a client-side web browser with scripting enabled.",
            "An application that fails to adequately sanitize or encode untrusted input.",
            "An application that stores information provided by the user in data storage of some kind."
          ]
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Medium",
            "#text": "Requires the ability to write scripts of varying complexity and to inject them through user controlled fields within the application."
          }
        },
        "Resources_Required": {
          "Resource": "None: No specialized resources are required to execute this type of attack."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data",
              "Note": "A successful Stored XSS attack can enable an adversary to exfiltrate sensitive information from the application."
            },
            {
              "Scope": [
                "Confidentiality",
                "Authorization",
                "Access Control"
              ],
              "Impact": "Gain Privileges",
              "Note": "A successful Stored XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access."
            },
            {
              "Scope": [
                "Confidentiality",
                "Integrity",
                "Availability"
              ],
              "Impact": "Execute Unauthorized Commands",
              "Note": "A successful Stored XSS attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application."
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data",
              "Note": "A successful Stored XSS attack can allow an adversary to tamper with application data."
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Use browser technologies that do not allow client-side scripting.",
            "Utilize strict type, character, and encoding enforcement.",
            "Ensure that all user-supplied input is validated before being stored."
          ]
        },
        "Example_Instances": {
          "Example": [
            "An adversary determines that a system uses a web based interface for administration. The adversary creates a new user record and supplies a malicious script in the user name field. The user name field is not validated by the system and a new log entry is created detailing the creation of the new user. Later, an administrator reviews the log in the administrative console. When the administrator comes across the new user entry, the browser sees a script and executes it, stealing the administrator's authentication cookie and forwarding it to the adversary. An adversary then uses the received authentication cookie to log in to the system as an administrator, provided that the administrator console can be accessed remotely.",
            "An online discussion forum allows its members to post HTML-enabled messages, which can also include image tags. An adversary embeds JavaScript in the image tags of their message. The adversary then sends the victim an email advertising free goods and provides a link to the form for how to collect. When the victim visits the forum and reads the message, the malicious script is executed within the victim's browser."
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "79"
          }
        },
        "References": {
          "Reference": {
            "@External_Reference_ID": "REF-605",
            "@Section": "Testing for Stored Cross Site Scripting"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2017-04-15"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-09-30",
              "Modification_Comment": "Updated Description"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Example_Instances"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated References"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Execution_Flow"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Description, Extended_Description"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Write a short summary for this description: Exploitation of Improperly Controlled Hardware Security Identifiers\n\nA System-on-Chip (SoC) often implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, these mechanisms may be exploitable due to any number of the following:\n\n\t* The security identifiers are missing\n\t* The security identifiers are incorrectly implemented or generated\n\t* The security identifiers are generated with an obsolete encoding\n\t* The security identifiers are generated and implemented correctly, but are improperly protected\n\nIf the security identifiers leveraged by the SoC are missing or misconfigured, an adversary may be able to take advantage of this shortcoming to circumvent the intended access controls. This could result in the adversary gaining unintended access, performing a Denial of Service (DoS), escalating privileges, or spoofing actions from a trusted agent.\n\nSummary:",
    "context": "",
    "output": "Exploitation of Improperly Controlled Hardware Security Identifiers\n\nAn adversary takes advantage of missing or incorrectly configured security identifiers (e.g., tokens), which are used for access control within a System-on-Chip (SoC), to read/write data or execute a given action.",
    "category": "CAPECFlan",
    "instruction_type": "capec_summarization_of_description",
    "parsed_raw_data": {
      "Extended_Description": "Exploitation of Improperly Controlled Hardware Security Identifiers\n\nA System-on-Chip (SoC) often implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, these mechanisms may be exploitable due to any number of the following:\n\n\t* The security identifiers are missing\n\t* The security identifiers are incorrectly implemented or generated\n\t* The security identifiers are generated with an obsolete encoding\n\t* The security identifiers are generated and implemented correctly, but are improperly protected\n\nIf the security identifiers leveraged by the SoC are missing or misconfigured, an adversary may be able to take advantage of this shortcoming to circumvent the intended access controls. This could result in the adversary gaining unintended access, performing a Denial of Service (DoS), escalating privileges, or spoofing actions from a trusted agent.",
      "Description": "Exploitation of Improperly Controlled Hardware Security Identifiers\n\nAn adversary takes advantage of missing or incorrectly configured security identifiers (e.g., tokens), which are used for access control within a System-on-Chip (SoC), to read/write data or execute a given action.",
      "attack_ptrn": {
        "@ID": "681",
        "@Name": "Exploitation of Improperly Controlled Hardware Security Identifiers",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": {
          "xhtml:p": "An adversary takes advantage of missing or incorrectly configured security identifiers (e.g., tokens), which are used for access control within a System-on-Chip (SoC), to read/write data or execute a given action."
        },
        "Extended_Description": {
          "xhtml:p": [
            "A System-on-Chip (SoC) often implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, these mechanisms may be exploitable due to any number of the following:",
            "If the security identifiers leveraged by the SoC are missing or misconfigured, an adversary may be able to take advantage of this shortcoming to circumvent the intended access controls. This could result in the adversary gaining unintended access, performing a Denial of Service (DoS), escalating privileges, or spoofing actions from a trusted agent."
          ],
          "xhtml:ul": {
            "xhtml:li": [
              "The security identifiers are missing",
              "The security identifiers are incorrectly implemented or generated",
              "The security identifiers are generated with an obsolete encoding",
              "The security identifiers are generated and implemented correctly, but are improperly protected"
            ]
          }
        },
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "Very High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "1",
              "Exclude_Related": {
                "@Exclude_ID": "513"
              }
            },
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "180",
              "Exclude_Related": {
                "@Exclude_ID": "513"
              }
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "Awareness of the hardware being leveraged.",
            "Access to the hardware being leveraged."
          ]
        },
        "Skills_Required": {
          "Skill": [
            {
              "@Level": "Medium",
              "#text": "Ability to execute actions within the SoC."
            },
            {
              "@Level": "High",
              "#text": "Intricate knowledge of the identifiers being utilized."
            }
          ]
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            },
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Gain Privileges"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Review generation of security identifiers for design inconsistencies and common weaknesses.",
            "Review security identifier decoders for design inconsistencies and common weaknesses.",
            "Test security identifier definition, access, and programming flow in both pre-silicon and post-silicon environments."
          ]
        },
        "Example_Instances": {
          "Example": {
            "xhtml:p": "A system contains a register (divided into four 32-bit registers) that is used to store a 128-bit AES key for encryption/decryption, in addition to an access-policy register. The access-policy register determines which agents may access the AES-key registers, based on a corresponding security identifier. It is assumed the system has two agents: a Main-controller and an Aux-controller, with respective security identifiers \"1\" and \"2\". The Main-controller (ID \"1\") is meant to have access to the AES-key registers, while the Aux-controller (ID \"2\") has access to the access-policy register. If a SoC incorrectly generates security identifier \"1\" for both agents, then both agents will have access to the AES-key registers. This could further result in a Denial-of-Service (DoS) or the execution of an action that in turn could result in privilege escalation or unintended access."
          }
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "1259"
            },
            {
              "@CWE_ID": "1267"
            },
            {
              "@CWE_ID": "1270"
            },
            {
              "@CWE_ID": "1294"
            },
            {
              "@CWE_ID": "1302"
            }
          ]
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-694"
            },
            {
              "@External_Reference_ID": "REF-695"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2021-10-21"
          }
        }
      }
    }
  },
  {
    "instruction": "Generate a short summary:\nRead Sensitive Constants Within an Executable\n\nOne specific example of a sensitive string is a hard-coded password. Typical examples of software with hard-coded passwords include server-side executables which may check for a hard-coded password or key during a user's authentication with the server. Hard-coded passwords can also be present in client-side executables which utilize the password or key when connecting to either a remote component, such as a database server, licensing server, or otherwise, or a processes on the same host that expects a key or password. When analyzing an executable the adversary may search for the presence of such strings by analyzing the byte-code of the file itself. Example utilities for revealing strings within a file include 'strings,' 'grep,' or other variants of these programs depending upon the type of operating system used. These programs can be used to dump any ASCII or UNICODE strings contained within a program. Strings can also be searched for using a hex editors by loading the binary or object code file and utilizing native search functions such as regular expressions.\nAdditionally, sensitive numeric values can occur within an executable. This can be used to discover the location of cryptographic constants.\n\n\nSummary:",
    "context": "",
    "output": "Read Sensitive Constants Within an Executable\n\nAn adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.",
    "category": "CAPECFlan",
    "instruction_type": "capec_summarization_of_description",
    "parsed_raw_data": {
      "Extended_Description": "Read Sensitive Constants Within an Executable\n\nOne specific example of a sensitive string is a hard-coded password. Typical examples of software with hard-coded passwords include server-side executables which may check for a hard-coded password or key during a user's authentication with the server. Hard-coded passwords can also be present in client-side executables which utilize the password or key when connecting to either a remote component, such as a database server, licensing server, or otherwise, or a processes on the same host that expects a key or password. When analyzing an executable the adversary may search for the presence of such strings by analyzing the byte-code of the file itself. Example utilities for revealing strings within a file include 'strings,' 'grep,' or other variants of these programs depending upon the type of operating system used. These programs can be used to dump any ASCII or UNICODE strings contained within a program. Strings can also be searched for using a hex editors by loading the binary or object code file and utilizing native search functions such as regular expressions.\nAdditionally, sensitive numeric values can occur within an executable. This can be used to discover the location of cryptographic constants.\n",
      "Description": "Read Sensitive Constants Within an Executable\n\nAn adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.",
      "attack_ptrn": {
        "@ID": "191",
        "@Name": "Read Sensitive Constants Within an Executable",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": {
          "xhtml:p": "An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis."
        },
        "Extended_Description": {
          "xhtml:p": [
            "One specific example of a sensitive string is a hard-coded password. Typical examples of software with hard-coded passwords include server-side executables which may check for a hard-coded password or key during a user's authentication with the server. Hard-coded passwords can also be present in client-side executables which utilize the password or key when connecting to either a remote component, such as a database server, licensing server, or otherwise, or a processes on the same host that expects a key or password. When analyzing an executable the adversary may search for the presence of such strings by analyzing the byte-code of the file itself. Example utilities for revealing strings within a file include 'strings,' 'grep,' or other variants of these programs depending upon the type of operating system used. These programs can be used to dump any ASCII or UNICODE strings contained within a program. Strings can also be searched for using a hex editors by loading the binary or object code file and utilizing native search functions such as regular expressions.",
            "Additionally, sensitive numeric values can occur within an executable. This can be used to discover the location of cryptographic constants."
          ]
        },
        "Typical_Severity": "Low",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "167",
            "Exclude_Related": {
              "@Exclude_ID": "515"
            }
          }
        },
        "Prerequisites": {
          "Prerequisite": "Access to a binary or executable such that it can be analyzed by various utilities."
        },
        "Resources_Required": {
          "Resource": "Binary analysis programs such as 'strings' or 'grep', or hex editors."
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "798"
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1552.001",
            "Entry_Name": "Unsecured Credentials:Credentials in files"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-51",
              "@Section": "Decompiler"
            },
            {
              "@External_Reference_ID": "REF-52",
              "@Section": "Debugger"
            },
            {
              "@External_Reference_ID": "REF-53",
              "@Section": "Disassembler"
            }
          ]
        },
        "Notes": {
          "Note": {
            "@Type": "Other",
            "xhtml:p": [
              "More sophisticated methods of searching for sensitive strings within a file involve disassembly or decompiling of the file. One could, for example, utilize disassembly methods on an ISAPI executable or dll to discover a hard-coded password within the code as it executes. This type of analysis usually involves four stages in which first a debugger is attached to the running process, anti-debugging countermeasures are circumvented or bypassed, the program is analyzed step-by-step, and breakpoints are established so that discrete functions and data structures can be analyzed.",
              "Debugging tools such as SoftICE, Ollydbg, or vendor supplied debugging tools are often used. Disassembly tools such as IDA pro, or similar tools, can also be employed. A third strategy for accessing sensitive strings within a binary involves the decompilation of the file itself into source code that reveals the strings. An example of this type of analysis involves extracting source code from a java JAR file and then using functionality within a java IDE to search the source code for sensitive, hard-coded information. In performing this analysis native java tools, such as \"jar\" are used to extract the compiled class files. Next, a java decompiler such as \"DJ\" is used to extract java source code from the compiled classes, revealing source code. Finally, the source code is audited to reveal sensitive information, a step that is usually assisted by source code analysis programs."
            ]
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2015-11-09",
              "Modification_Comment": "Updated Description Summary, Other_Notes, References, Related_Attack_Patterns, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Attack_Prerequisites, Description Summary, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated @Name, Description, Related_Attack_Patterns, Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Extended_Description"
            }
          ],
          "Previous_Entry_Name": {
            "@Date": "2020-07-30",
            "#text": "Read Sensitive Strings Within an Executable"
          }
        }
      }
    }
  },
  {
    "instruction": "Port Scanning\n\nAlthough common services have assigned port numbers, services and applications can run on arbitrary ports. Additionally, port scanning is complicated by the potential for any machine to have up to 65535 possible UDP or TCP services. The goal of port scanning is often broader than identifying open ports, but also give the adversary information concerning the firewall configuration.\nDepending upon the method of scanning that is used, the process can be stealthy or more obtrusive, the latter being more easily detectable due to the volume of packets involved, anomalous packet traits, or system logging. Typical port scanning activity involves sending probes to a range of ports and observing the responses. There are four port statuses that this type of attack aims to identify: open, closed, filtered, and unfiltered. For strategic purposes it is useful for an adversary to distinguish between an open port that is protected by a filter vs. a closed port that is not protected by a filter. Making these fine grained distinctions is requires certain scan types. Collecting this type of information tells the adversary which ports can be attacked directly, which must be attacked with filter evasion techniques like fragmentation, source port scans, and which ports are unprotected (i.e. not firewalled) but aren't hosting a network service. An adversary often combines various techniques in order to gain a more complete picture of the firewall filtering mechanisms in place for a host.\n\n\nWhat is a short summary of the above text?",
    "context": "",
    "output": "Port Scanning\n\nAn adversary uses a combination of techniques to determine the state of the ports on a remote target. Any service or application available for TCP or UDP networking will have a port open for communications over the network.",
    "category": "CAPECFlan",
    "instruction_type": "capec_summarization_of_description",
    "parsed_raw_data": {
      "Extended_Description": "Port Scanning\n\nAlthough common services have assigned port numbers, services and applications can run on arbitrary ports. Additionally, port scanning is complicated by the potential for any machine to have up to 65535 possible UDP or TCP services. The goal of port scanning is often broader than identifying open ports, but also give the adversary information concerning the firewall configuration.\nDepending upon the method of scanning that is used, the process can be stealthy or more obtrusive, the latter being more easily detectable due to the volume of packets involved, anomalous packet traits, or system logging. Typical port scanning activity involves sending probes to a range of ports and observing the responses. There are four port statuses that this type of attack aims to identify: open, closed, filtered, and unfiltered. For strategic purposes it is useful for an adversary to distinguish between an open port that is protected by a filter vs. a closed port that is not protected by a filter. Making these fine grained distinctions is requires certain scan types. Collecting this type of information tells the adversary which ports can be attacked directly, which must be attacked with filter evasion techniques like fragmentation, source port scans, and which ports are unprotected (i.e. not firewalled) but aren't hosting a network service. An adversary often combines various techniques in order to gain a more complete picture of the firewall filtering mechanisms in place for a host.\n",
      "Description": "Port Scanning\n\nAn adversary uses a combination of techniques to determine the state of the ports on a remote target. Any service or application available for TCP or UDP networking will have a port open for communications over the network.",
      "attack_ptrn": {
        "@ID": "300",
        "@Name": "Port Scanning",
        "@Abstraction": "Standard",
        "@Status": "Stable",
        "Description": "An adversary uses a combination of techniques to determine the state of the ports on a remote target. Any service or application available for TCP or UDP networking will have a port open for communications over the network.",
        "Extended_Description": {
          "xhtml:p": [
            "Although common services have assigned port numbers, services and applications can run on arbitrary ports. Additionally, port scanning is complicated by the potential for any machine to have up to 65535 possible UDP or TCP services. The goal of port scanning is often broader than identifying open ports, but also give the adversary information concerning the firewall configuration.",
            "Depending upon the method of scanning that is used, the process can be stealthy or more obtrusive, the latter being more easily detectable due to the volume of packets involved, anomalous packet traits, or system logging. Typical port scanning activity involves sending probes to a range of ports and observing the responses. There are four port statuses that this type of attack aims to identify: open, closed, filtered, and unfiltered. For strategic purposes it is useful for an adversary to distinguish between an open port that is protected by a filter vs. a closed port that is not protected by a filter. Making these fine grained distinctions is requires certain scan types. Collecting this type of information tells the adversary which ports can be attacked directly, which must be attacked with filter evasion techniques like fragmentation, source port scans, and which ports are unprotected (i.e. not firewalled) but aren't hosting a network service. An adversary often combines various techniques in order to gain a more complete picture of the firewall filtering mechanisms in place for a host."
          ]
        },
        "Typical_Severity": "Low",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "169"
          }
        },
        "Prerequisites": {
          "Prerequisite": "The adversary requires logical access to the target's network in order to carry out this type of attack."
        },
        "Resources_Required": {
          "Resource": "The adversary requires a network mapping/scanning tool, or must conduct socket programming on the command line. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Confidentiality",
              "Impact": "Other"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": [
                "Bypass Protection Mechanism",
                "Hide Activities"
              ]
            }
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "200"
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1046",
            "Entry_Name": "Network Service Scanning"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-33",
              "@Section": "Chapter 2: Scanning, pg. 54"
            },
            {
              "@External_Reference_ID": "REF-128"
            },
            {
              "@External_Reference_ID": "REF-158"
            },
            {
              "@External_Reference_ID": "REF-34",
              "@Section": "Section 4.1 Introduction to Port Scanning, pg. 73"
            },
            {
              "@External_Reference_ID": "REF-130"
            }
          ]
        },
        "Notes": {
          "Note": {
            "@Type": "Other",
            "#text": "There are four types of port status that this type of attack aims to identify: 1) Open Port: The port is open and a firewall does not block access to the port, 2) Closed Port: The port is closed (i.e. no service resides there) and a firewall does not block access to the port, 3) Filtered Port: A firewall or ACL rule is blocking access to the port in some manner, although the presence of a listening service on the port cannot be verified, and 4) Unfiltered Port: A firewall or ACL rule is not blocking access to the port, although the presence of a listening service on the port cannot be verified."
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated Attack_Prerequisites, Description, Description Summary, References, Related_Weaknesses, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Attack_Patterns, Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-09-30",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Description, Notes"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Extended_Description"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "What is a shorter version of this:\n\nURL Encoding\n\nA URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE).\nFor instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An adversary will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL.\nIt can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc. The adversary could also subvert the meaning of the URL string request by encoding the data being sent to the server through a GET request. For instance an adversary may subvert the meaning of parameters used in a SQL request and sent through the URL string (See Example section).\n\n\nSummary:",
    "context": "",
    "output": "URL Encoding\n\nThis attack targets the encoding of the URL. An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL.",
    "category": "CAPECFlan",
    "instruction_type": "capec_summarization_of_description",
    "parsed_raw_data": {
      "Extended_Description": "URL Encoding\n\nA URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE).\nFor instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An adversary will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL.\nIt can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc. The adversary could also subvert the meaning of the URL string request by encoding the data being sent to the server through a GET request. For instance an adversary may subvert the meaning of parameters used in a SQL request and sent through the URL string (See Example section).\n",
      "Description": "URL Encoding\n\nThis attack targets the encoding of the URL. An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL.",
      "attack_ptrn": {
        "@ID": "72",
        "@Name": "URL Encoding",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "This attack targets the encoding of the URL. An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL.",
        "Extended_Description": {
          "xhtml:p": [
            "A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE).",
            "For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An adversary will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL.",
            "It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc. The adversary could also subvert the meaning of the URL string request by encoding the data being sent to the server through a GET request. For instance an adversary may subvert the meaning of parameters used in a SQL request and sent through the URL string (See Example section)."
          ]
        },
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "267"
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Survey web application for URLs with parameters] Using a browser, an automated tool or by inspecting the application, an adversary records all URLs that contain parameters.",
              "Technique": "Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL."
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Probe URLs to locate vulnerabilities] The adversary uses the URLs gathered in the \"Explore\" phase as a target list and tests parameters with different encodings of special characters to see how the web application will handle them.",
              "Technique": [
                "Use URL encodings of special characters such as semi-colons, backslashes, or question marks that might be filtered out normally.",
                "Combine the use of URL encodings with other encoding techniques such as the triple dot and escape slashes."
              ]
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Inject special characters into URL parameters] Using the information gathered in the \"Experiment\" phase, the adversary injects special characters into the URL using URL encoding. This can lead to path traversal, cross-site scripting, SQL injection, etc."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "The application should accepts and decodes URL input.",
            "The application performs insufficient filtering/canonicalization on the URLs."
          ]
        },
        "Skills_Required": {
          "Skill": [
            {
              "@Level": "Low",
              "#text": "An adversary can try special characters in the URL and bypass the URL validation."
            },
            {
              "@Level": "Medium",
              "#text": "The adversary may write a script to defeat the input filtering mechanism."
            }
          ]
        },
        "Indicators": {
          "Indicator": [
            "If the first decoding process has left some invalid or denylisted characters, that may be a sign that the request is malicious.",
            "Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks."
          ]
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": "Availability",
              "Impact": "Resource Consumption",
              "Note": "Denial of Service"
            },
            {
              "Scope": [
                "Confidentiality",
                "Integrity",
                "Availability"
              ],
              "Impact": "Execute Unauthorized Commands",
              "Note": "Run Arbitrary Code"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Gain Privileges"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Refer to the RFCs to safely decode URL.",
            "Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.",
            "There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).",
            "Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.",
            "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.",
            "Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. (See related guideline section)",
            "When client input is required from web-based forms, avoid using the \"GET\" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the \"POST method whenever possible."
          ]
        },
        "Example_Instances": {
          "Example": [
            {
              "xhtml:b": "URL Encodings in IceCast MP3 Server.",
              "xhtml:p": [
                "The following type of encoded string has been known traverse directories against the IceCast MP3 server9:",
                "or using",
                "The control character \"..\" can be used by an adversary to escape the document root."
              ],
              "xhtml:div": [
                {
                  "@style": "margin-left:1em;",
                  "@class": "informative",
                  "#text": "http://[targethost]:8000/somefile/%2E%2E/target.mp3"
                },
                {
                  "@style": "margin-left:1em;",
                  "@class": "informative",
                  "#text": "\"/%25%25/\" instead of \"/../\"."
                }
              ],
              "#text": "See also: CVE-2001-0784"
            },
            {
              "xhtml:b": "Cross-Site Scripting",
              "xhtml:div": [
                {
                  "@style": "margin-left:1em;",
                  "@class": "attack",
                  "xhtml:b": "URL-Encoded attack:",
                  "#text": "http://target/getdata.php?data=%3cscript%20src=%22http%3a%2f%2fwww.badplace.com%2fnasty.js%22%3e%3c%2fscript%3e"
                },
                {
                  "@style": "margin-left:1em;",
                  "@class": "result",
                  "xhtml:b": "HTML execution:",
                  "#text": "<script src=\"http://www.badplace.com/nasty.js\"></script>"
                }
              ],
              "xhtml:p": "[REF-495]"
            },
            {
              "xhtml:b": "SQL Injection",
              "xhtml:div": [
                {
                  "@style": "margin-left:1em;",
                  "@class": "informative",
                  "xhtml:b": "Original database query in the example file - \"login.asp\":",
                  "#text": "SQLQuery = \"SELECT preferences FROM logintable WHERE userid='\" & Request.QueryString(\"userid\") & \"' AND password='\" & Request.QueryString(\"password\") & \"';\""
                },
                {
                  "@style": "margin-left:1em;",
                  "@class": "attack",
                  "xhtml:b": "URL-encoded attack:",
                  "#text": "http://target/login.asp?userid=bob%27%3b%20update%20logintable%20set%20passwd%3d%270wn3d%27%3b--%00"
                },
                {
                  "@style": "margin-left:1em;",
                  "@class": "result",
                  "xhtml:b": "Executed database query:",
                  "#text": "SELECT preferences FROM logintable WHERE userid='bob'; update logintable set password='0wn3d';"
                }
              ],
              "xhtml:p": "From \"URL encoded attacks\", by Gunter Ollmann - http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html"
            },
            {
              "xhtml:b": "Combined Encodings CesarFTP",
              "xhtml:p": [
                "Alexandre Cesari released a freeware FTP server for Windows that fails to provide proper filtering against multiple encoding. The FTP server, CesarFTP, included a Web server component that could be attacked with a combination of the triple-dot and URL encoding attacks.",
                "An adversary could provide a URL that included a string like",
                "This is an interesting exploit because it involves an aggregation of several tricks: the escape character, URL encoding, and the triple dot."
              ],
              "xhtml:div": {
                "@style": "margin-left:1em;",
                "@class": "informative",
                "#text": "/...%5C/"
              },
              "#text": "See also: CVE-2001-1335"
            }
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "173"
            },
            {
              "@CWE_ID": "177"
            },
            {
              "@CWE_ID": "172"
            },
            {
              "@CWE_ID": "73"
            },
            {
              "@CWE_ID": "74"
            },
            {
              "@CWE_ID": "20"
            }
          ]
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-1"
            },
            {
              "@External_Reference_ID": "REF-495"
            },
            {
              "@External_Reference_ID": "REF-496"
            },
            {
              "@External_Reference_ID": "REF-497"
            },
            {
              "@External_Reference_ID": "REF-498"
            },
            {
              "@External_Reference_ID": "REF-499"
            },
            {
              "@External_Reference_ID": "REF-500",
              "@Section": "5.11.4. Validating Hypertext Links (URIs/URLs)"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-01-09",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated References"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Example_Instances, Indicators, Mitigations"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Example_Instances, Execution_Flow, Extended_Description, Skills_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Example_Instances"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Generate a short summary:\nJSON Hijacking (aka JavaScript Hijacking)\n\nAn attacker gets the victim to visit their malicious page that contains a script tag whose source points to the vulnerable system with a URL that requests a response from the server containing a JSON object with possibly confidential information. The malicious page also contains malicious code to capture the JSON object returned by the server before any other processing on it can take place, typically by overriding the JavaScript function used to create new objects. This hook allows the malicious code to get access to the creation of each object and transmit the possibly sensitive contents of the captured JSON object to the attackers' server.\nThere is nothing in the browser's security model to prevent the attackers' malicious JavaScript code (originating from attacker's domain) to set up an environment (as described above) to intercept a JSON object response (coming from the vulnerable target system's domain), read its contents and transmit to the attackers' controlled site. The same origin policy protects the domain object model (DOM), but not the JSON.\n\n\nSummary:",
    "context": "",
    "output": "JSON Hijacking (aka JavaScript Hijacking)\n\nAn attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.",
    "category": "CAPECFlan",
    "instruction_type": "capec_summarization_of_description",
    "parsed_raw_data": {
      "Extended_Description": "JSON Hijacking (aka JavaScript Hijacking)\n\nAn attacker gets the victim to visit their malicious page that contains a script tag whose source points to the vulnerable system with a URL that requests a response from the server containing a JSON object with possibly confidential information. The malicious page also contains malicious code to capture the JSON object returned by the server before any other processing on it can take place, typically by overriding the JavaScript function used to create new objects. This hook allows the malicious code to get access to the creation of each object and transmit the possibly sensitive contents of the captured JSON object to the attackers' server.\nThere is nothing in the browser's security model to prevent the attackers' malicious JavaScript code (originating from attacker's domain) to set up an environment (as described above) to intercept a JSON object response (coming from the vulnerable target system's domain), read its contents and transmit to the attackers' controlled site. The same origin policy protects the domain object model (DOM), but not the JSON.\n",
      "Description": "JSON Hijacking (aka JavaScript Hijacking)\n\nAn attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.",
      "attack_ptrn": {
        "@ID": "111",
        "@Name": "JSON Hijacking (aka JavaScript Hijacking)",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.",
        "Extended_Description": {
          "xhtml:p": [
            "An attacker gets the victim to visit their malicious page that contains a script tag whose source points to the vulnerable system with a URL that requests a response from the server containing a JSON object with possibly confidential information. The malicious page also contains malicious code to capture the JSON object returned by the server before any other processing on it can take place, typically by overriding the JavaScript function used to create new objects. This hook allows the malicious code to get access to the creation of each object and transmit the possibly sensitive contents of the captured JSON object to the attackers' server.",
            "There is nothing in the browser's security model to prevent the attackers' malicious JavaScript code (originating from attacker's domain) to set up an environment (as described above) to intercept a JSON object response (coming from the vulnerable target system's domain), read its contents and transmit to the attackers' controlled site. The same origin policy protects the domain object model (DOM), but not the JSON."
          ]
        },
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "212",
            "Exclude_Related": {
              "@Exclude_ID": "515"
            }
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Understand How to Request JSON Responses from the Target System] An attacker first explores the target system to understand what URLs need to be provided to it in order to retrieve JSON objects that contain information of interest to the attacker.",
              "Technique": "An attacker creates an account with the target system and observes requests and the corresponding JSON responses from the server. Understanding how to properly elicit responses from the server is crucial to the attackers' ability to craft the exploit."
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": {
                "xhtml:p": [
                  "The attacker crafts a malicious website to which they plan to lure the victim who is using the vulnerable target system. The malicious website does two things:",
                  "This attack step leverages the fact that the same origin policy in the browser does not protect JavaScript originating from one domain from setting up an environment to intercept and access JSON objects arriving from a completely different domain."
                ],
                "xhtml:ul": {
                  "xhtml:li": [
                    "1. Contains a hook that intercepts incoming JSON objects, reads their contents and forwards the contents to the server controlled by the attacker (via a new XMLHttpRequest).",
                    "2. Uses the script tag with a URL in the source that requests a JSON object from the vulnerable target system. Once the JSON object is transmitted to the victim's browser, the malicious code (as described in step 1) intercepts that JSON object, steals its contents, and forwards to the attacker."
                  ]
                },
                "#text": "[Craft a malicious website]"
              }
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Launch JSON hijack] An attacker lures the victim to the malicious website or leverages other means to get their malicious code executing in the victim's browser. Once that happens, the malicious code makes a request to the victim target system to retrieve a JSON object with sensitive information. The request includes the victim's session cookie if the victim is logged in.",
              "Technique": "An attacker employs a myriad of standard techniques to get the victim to visit their malicious site or by some other means get the attackers' malicious code executing in the victim's browser."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "JSON is used as a transport mechanism between the client and the server",
            "The target server cannot differentiate real requests from forged requests",
            "The JSON object returned from the server can be accessed by the attackers' malicious code via a script tag"
          ]
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Medium",
            "#text": "Once this attack pattern is developed and understood, creating an exploit is not very complex.The attacker needs to have knowledge of the URLs that need to be accessed on the target system to request the JSON objects."
          }
        },
        "Resources_Required": {
          "Resource": "None: No specialized resources are required to execute this type of attack."
        },
        "Consequences": {
          "Consequence": {
            "Scope": "Confidentiality",
            "Impact": "Read Data"
          }
        },
        "Mitigations": {
          "Mitigation": [
            "Ensure that server side code can differentiate between legitimate requests and forged requests. The solution is similar to protection against Cross Site Request Forger (CSRF), which is to use a hard to guess random nonce (that is unique to the victim's session with the server) that the attacker has no way of knowing (at least in the absence of other weaknesses). Each request from the client to the server should contain this nonce and the server should reject all requests that do not contain the nonce.",
            "On the client side, the system's design could make it difficult to get access to the JSON object content via the script tag. Since the JSON object is never assigned locally to a variable, it cannot be readily modified by the attacker before being used by a script tag. For instance, if while(1) was added to the beginning of the JavaScript returned by the server, trying to access it with a script tag would result in an infinite loop. On the other hand, legitimate client side code can remove the while(1) statement after which the JavaScript can be evaluated. A similar result can be achieved by surrounding the returned JavaScript with comment tags, or using other similar techniques (e.g. wrapping the JavaScript with HTML tags).",
            "Make the URLs in the system used to retrieve JSON objects unpredictable and unique for each user session.",
            "Ensure that to the extent possible, no sensitive data is passed from the server to the client via JSON objects. JavaScript was never intended to play that role, hence the same origin policy does not adequate address this scenario."
          ]
        },
        "Example_Instances": {
          "Example": {
            "xhtml:p": [
              "Gmail service was found to be vulnerable to a JSON Hijacking attack that enabled an attacker to get the contents of the victim's address book. An attacker could send an e-mail to the victim's Gmail account (which ensures that the victim is logged in to Gmail when they receive it) with a link to the attackers' malicious site. If the victim clicked on the link, a request (containing the victim's authenticated session cookie) would be sent to the Gmail servers to fetch the victim's address book. This functionality is typically used by the Gmail service to get this data on the fly so that the user can be provided a list of contacts from which to choose the recipient of the e-mail.",
              "When the JSON object with the contacts came back, it was loaded into the JavaScript space via a script tag on the attackers' malicious page. Since the JSON object was never assigned to a local variable (which would have prevented a script from a different domain accessing it due to the browser's same origin policy), another mechanism was needed to access the data that it contained. That mechanism was overwriting the internal array constructor with the attackers' own constructor in order to gain access to the JSON object's contents. These contents could then be transferred to the site controlled by the attacker."
            ]
          }
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "345"
            },
            {
              "@CWE_ID": "346"
            },
            {
              "@CWE_ID": "352"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2015-12-07",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Attacker_Skills_or_Knowledge_Required, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-09-30",
              "Modification_Comment": "Updated @Abstraction"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Description, Example_Instances, Execution_Flow, Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Extended_Description"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Execution_Flow"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "What is a shorter version of this:\n\nSpoof Version Control System Commit Metadata\n\nVersion Control Systems are widely used by developers to host, track, and manage source code files in an easy and synchronous manner. These systems are often leveraged to host open-source software that other developers can incorporate into their own applications or use as standalone applications. To prevent downloading vulnerable and/or malicious code, developers will often check the metadata of VCS repository commits to determine the repository's overall pedigree. This may include a variety of information, such as the following:\n\n\t* Owner of the repository\n\t* Author(s) of commits\n\t* Frequency of commits\n\t* Date/Time of commits\n\t* Repository activity graphs\n\nThese precursory checks can assist developers in determining whether a trusted individual/organization is providing the source code, how often the code is updated, and the relative popularity of the software. However, an adversary can spoof this metadata to make a repository containing malicious code appear as originating from a trusted source, being frequently maintained, and being commonly used by other developers. Without performing additional security activities, unassuming developers may be duped by this spoofed metadata and include the malicious code within their systems/applications. The adversary is then ultimately able to achieve numerous negative technical impacts, while the victim remains unaware of any malicious activity.\n\nSummary:",
    "context": "",
    "output": "Spoof Version Control System Commit Metadata\n\nAn adversary spoofs metadata pertaining to a Version Control System (VCS) (e.g., Git) repository's commits to deceive users into believing that the maliciously provided software is frequently maintained and originates from a trusted source.",
    "category": "CAPECFlan",
    "instruction_type": "capec_summarization_of_description",
    "parsed_raw_data": {
      "Extended_Description": "Spoof Version Control System Commit Metadata\n\nVersion Control Systems are widely used by developers to host, track, and manage source code files in an easy and synchronous manner. These systems are often leveraged to host open-source software that other developers can incorporate into their own applications or use as standalone applications. To prevent downloading vulnerable and/or malicious code, developers will often check the metadata of VCS repository commits to determine the repository's overall pedigree. This may include a variety of information, such as the following:\n\n\t* Owner of the repository\n\t* Author(s) of commits\n\t* Frequency of commits\n\t* Date/Time of commits\n\t* Repository activity graphs\n\nThese precursory checks can assist developers in determining whether a trusted individual/organization is providing the source code, how often the code is updated, and the relative popularity of the software. However, an adversary can spoof this metadata to make a repository containing malicious code appear as originating from a trusted source, being frequently maintained, and being commonly used by other developers. Without performing additional security activities, unassuming developers may be duped by this spoofed metadata and include the malicious code within their systems/applications. The adversary is then ultimately able to achieve numerous negative technical impacts, while the victim remains unaware of any malicious activity.",
      "Description": "Spoof Version Control System Commit Metadata\n\nAn adversary spoofs metadata pertaining to a Version Control System (VCS) (e.g., Git) repository's commits to deceive users into believing that the maliciously provided software is frequently maintained and originates from a trusted source.",
      "attack_ptrn": {
        "@ID": "692",
        "@Name": "Spoof Version Control System Commit Metadata",
        "@Abstraction": "Detailed",
        "@Status": "Stable",
        "Description": {
          "xhtml:p": "An adversary spoofs metadata pertaining to a Version Control System (VCS) (e.g., Git) repository's commits to deceive users into believing that the maliciously provided software is frequently maintained and originates from a trusted source."
        },
        "Extended_Description": {
          "xhtml:p": [
            "Version Control Systems are widely used by developers to host, track, and manage source code files in an easy and synchronous manner. These systems are often leveraged to host open-source software that other developers can incorporate into their own applications or use as standalone applications. To prevent downloading vulnerable and/or malicious code, developers will often check the metadata of VCS repository commits to determine the repository's overall pedigree. This may include a variety of information, such as the following:",
            "These precursory checks can assist developers in determining whether a trusted individual/organization is providing the source code, how often the code is updated, and the relative popularity of the software. However, an adversary can spoof this metadata to make a repository containing malicious code appear as originating from a trusted source, being frequently maintained, and being commonly used by other developers. Without performing additional security activities, unassuming developers may be duped by this spoofed metadata and include the malicious code within their systems/applications. The adversary is then ultimately able to achieve numerous negative technical impacts, while the victim remains unaware of any malicious activity."
          ],
          "xhtml:ul": {
            "xhtml:li": [
              "Owner of the repository",
              "Author(s) of commits",
              "Frequency of commits",
              "Date/Time of commits",
              "Repository activity graphs"
            ]
          }
        },
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "691"
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Identify target] The adversary must first identify a target repository for them to spoof. Typically, this will be a popular and widely used repository, as to increase the amount of victims a successful attack will exploit."
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Create malicious repository] The adversary must create a malicious repository that imitates the legitimate repository being spoofed. This may include creating a username that closely matches the legitimate repository owner; creating a repository name that closely matches the legitimate repository name; uploading the legitimate source code; and more."
            },
            {
              "Step": "3",
              "Phase": "Experiment",
              "Description": "[Spoof commit metadata] Once the malicious repository has been created, the adversary must then spoof the commit metadata to make the repository appear to be frequently maintained and originating from trusted sources.",
              "Technique": [
                "Git Commit Timestamps: The adversary generates numerous fake commits while setting the \"GIT_AUTHOR_DATE\" and \"GIT_COMMITTER_DATE\" environment variables to a date which is to be spoofed.",
                "Git Commit Contributors: The adversary obtains a legitimate and trusted user's email address and then sets this information via the \"git config\" command. The adversary can then commit changes leveraging this username."
              ]
            },
            {
              "Step": "4",
              "Phase": "Exploit",
              "Description": "[Exploit victims] The adversary infiltrates software and/or system environments with the goal of conducting additional attacks.",
              "Technique": [
                "Active: The adversary attempts to trick victims into downloading the malicious software by means such as phishing and social engineering.",
                "Passive: The adversary waits for victims to download and leverage malicious software."
              ]
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": "Identification of a popular open-source repository whose metadata is to be spoofed."
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Medium",
            "#text": "Ability to spoof a variety of repository metadata to convince victims the source is trusted."
          }
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            },
            {
              "Scope": "Accountability",
              "Impact": "Hide Activities"
            },
            {
              "Scope": [
                "Access Control",
                "Authorization"
              ],
              "Impact": [
                "Execute Unauthorized Commands",
                "Alter Execution Logic",
                "Gain Privileges"
              ]
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Before downloading open-source software, perform precursory metadata checks to determine the author(s), frequency of updates, when the software was last updated, and if the software is widely leveraged.",
            "Reference vulnerability databases to determine if the software contains known vulnerabilities.",
            "Only download open-source software from reputable hosting sites or package managers.",
            "Only download open-source software that has been adequately signed by the developer(s). For repository commits/tags, look for the \"Verified\" status and for developers leveraging \"Vigilant Mode\" (GitHub) or similar modes.",
            "After downloading open-source software, ensure integrity values have not changed.",
            "Before executing or incorporating the software, leverage automated testing techniques (e.g., static and dynamic analysis) to determine if the software behaves maliciously."
          ]
        },
        "Example_Instances": {
          "Example": "In July 2022, Checkmarx reported that GitHub commit metadata could be spoofed if unsigned commits were leveraged by the repository. Adversaries were able to spoof commit contributors, as well as the date/time of the commit. This resulted in commits appearing to originate from trusted developers and a GitHub activity graph that duped users into believing that the repository had been maintained for a significant period of time. The lack of commit metadata validation ultimately allowed adversaries to propagate malware to unsuspecting victims [REF-719] [REF-720]."
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "494"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-719"
            },
            {
              "@External_Reference_ID": "REF-720"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2022-09-29"
          }
        }
      }
    }
  }
]