[
  {
    "instruction": "Provide a short description for the capec attack pattern: System Location Discovery (CAPEC ID: 694)",
    "context": "",
    "output": "Sure. Here is a description for System Location Discovery (CAPEC ID: 694): CAPEC-694: System Location Discovery\n\nAn adversary collects information about the target system in an attempt to identify the system's geographical location.\nInformation gathered could include keyboard layout, system language, and timezone. This information may benefit an adversary in confirming the desired target and/or tailoring further attacks.\n\nThe likelihood of the attack is High.",
    "category": "CAPECFlan",
    "instruction_type": "capec_description",
    "parsed_raw_data": {
      "@Name": "System Location Discovery (CAPEC ID: 694)",
      "Description": "CAPEC-694: System Location Discovery\n\nAn adversary collects information about the target system in an attempt to identify the system's geographical location.\nInformation gathered could include keyboard layout, system language, and timezone. This information may benefit an adversary in confirming the desired target and/or tailoring further attacks.\n",
      "Likelihood_Of_Attack": "High",
      "Typical_Severity": "Very Low",
      "attack_ptrn": {
        "@ID": "694",
        "@Name": "System Location Discovery",
        "@Abstraction": "Standard",
        "@Status": "Stable",
        "Description": {
          "xhtml:p": [
            "An adversary collects information about the target system in an attempt to identify the system's geographical location.",
            "Information gathered could include keyboard layout, system language, and timezone. This information may benefit an adversary in confirming the desired target and/or tailoring further attacks."
          ]
        },
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "Very Low",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "169"
          }
        },
        "Execution_Flow": {
          "Attack_Step": {
            "Step": "1",
            "Phase": "Explore",
            "Description": "[System Locale Information Discovery] The adversary examines system information from various sources such as registry and native API functions and correlates the gathered information to infer the geographical location of the target system",
            "Technique": [
              "Registry Query: Query the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language\\Language_Dialect on Windows to obtain system language, Computer\\HKEY_CURRENT_USER\\Keyboard Layout\\Preload to obtain the hexadecimal language IDs of the current user's preloaded keyboard layouts, and Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation to obtain the system timezone configuration",
              "Native API Requests: Parse the outputs of Windows API functions GetTimeZoneInformation, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID to obtain information about languages, keyboard layouts, and timezones installed on the system. On macOS or Linux systems, query locale to obtain the $LANG environment variable and view keyboard layout information, or use timedatectl status to show the system clock settings.",
              "Read Configuration Files: For macOS and Linux-based systems, view the /etc/vconsole.conf file to get information about the keyboard mapping and console font."
            ]
          }
        },
        "Prerequisites": {
          "Prerequisite": "The adversary must have some level of access to the system and have a basic understanding of the operating system in order to query the appropriate sources for relevant information."
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Low",
            "#text": "The adversary must know how to query various system sources of information respective of the system's operating system to obtain the relevant information."
          }
        },
        "Resources_Required": {
          "Resource": "The adversary requires access to the target's operating system tools to query relevant system information. On Windows, registry queries can be conducted with PowerShell, WMI, or regedit. On Linux or macOS, queries can be performed through a shell."
        },
        "Consequences": {
          "Consequence": {
            "Scope": "Confidentiality",
            "Impact": "Read Data"
          }
        },
        "Mitigations": {
          "Mitigation": "To reduce the amount of information gathered, one could disable various geolocation features of the operating system not required for system operation."
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "497"
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1614",
            "Entry_Name": "System Language Discovery"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-727"
            },
            {
              "@External_Reference_ID": "REF-728"
            },
            {
              "@External_Reference_ID": "REF-729"
            },
            {
              "@External_Reference_ID": "REF-730"
            },
            {
              "@External_Reference_ID": "REF-731"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2022-09-29"
          }
        }
      }
    }
  },
  {
    "instruction": "Describe CAPEC: Manipulating Opaque Client-based Data Tokens (CAPEC ID: 39)",
    "context": "",
    "output": "CAPEC-39: Manipulating Opaque Client-based Data Tokens\n\nIn circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.\nThe attack's typical severity is Medium.",
    "category": "CAPECFlan",
    "instruction_type": "capec_description",
    "parsed_raw_data": {
      "@Name": "Manipulating Opaque Client-based Data Tokens (CAPEC ID: 39)",
      "Description": "CAPEC-39: Manipulating Opaque Client-based Data Tokens\n\nIn circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.",
      "Likelihood_Of_Attack": "High",
      "Typical_Severity": "Medium",
      "attack_ptrn": {
        "@ID": "39",
        "@Name": "Manipulating Opaque Client-based Data Tokens",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.",
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "Medium",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "22",
            "Exclude_Related": {
              "@Exclude_ID": "512"
            }
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Enumerate information passed to client side] The attacker identifies the parameters used as part of tokens to take business or security decisions",
              "Technique": [
                "Use WebScarab to reveal hidden fields while browsing.",
                "Use a sniffer to capture packets",
                "View source of web page to find hidden fields",
                "Examine URL to see if any opaque tokens are in it",
                "Disassemble or decompile client-side application",
                "Use debugging tools such as File Monitor, Registry Monitor, Debuggers, etc."
              ]
            },
            {
              "Step": "2",
              "Phase": "Explore",
              "Description": "[Determine protection mechanism for opaque token] The attacker determines the protection mechanism used to protect the confidentiality and integrity of these data tokens. They may be obfuscated or a full blown encryption may be used.",
              "Technique": [
                "Look for signs of well-known character encodings",
                "Look for cryptographic signatures",
                "Look for delimiters or other indicators of structure"
              ]
            },
            {
              "Step": "3",
              "Phase": "Experiment",
              "Description": "[Modify parameter/token values] Trying each parameter in turn, the attacker modifies the values",
              "Technique": [
                "Modify tokens logically",
                "Modify tokens arithmetically",
                "Modify tokens bitwise",
                "Modify structural components of tokens",
                "Modify order of parameters/tokens"
              ]
            },
            {
              "Step": "4",
              "Phase": "Experiment",
              "Description": "[Cycle through values for each parameter.] Depending on the nature of the application, the attacker now cycles through values of each parameter and observes the effects of this modification in the data returned by the server",
              "Technique": [
                "Use network-level packet injection tools such as netcat",
                "Use application-level data modification tools such as Tamper Data, WebScarab, TamperIE, etc.",
                "Use modified client (modified by reverse engineering)",
                "Use debugging tools to modify data in client"
              ]
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "An attacker already has some access to the system or can steal the client based data tokens from another user who has access to the system.",
            "For an Attacker to viably execute this attack, some data (later interpreted by the application) must be held client-side in a way that can be manipulated without detection. This means that the data or tokens are not CRCd as part of their value or through a separate meta-data store elsewhere."
          ]
        },
        "Skills_Required": {
          "Skill": [
            {
              "@Level": "Medium",
              "#text": "If the client-side token is obfuscated."
            },
            {
              "@Level": "High",
              "#text": "If the client-side token is encrypted."
            }
          ]
        },
        "Resources_Required": {
          "Resource": "The Attacker needs no special hardware-based resources in order to conduct this attack. Software plugins, such as Tamper Data for Firefox, may help in manipulating URL- or cookie-based data."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Gain Privileges"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "One solution to this problem is to protect encrypted data with a CRC of some sort. If knowing who last manipulated the data is important, then using a cryptographic \"message authentication code\" (or HMAC) is prescribed. However, this guidance is not a panacea. In particular, if a value created by (and therefore encrypted by) the client is itself a \"malicious\" value, all the protective cryptography in the world can't make the value 'correct' again. Put simply, if the client has control over the whole process of generating and encoding the value, then simply protecting its integrity doesn't help.",
            "Make sure to protect client side authentication tokens for confidentiality (encryption) and integrity (signed hash)",
            "Make sure that all session tokens use a good source of randomness",
            "Perform validation on the server side to make sure that client side data tokens are consistent with what is expected."
          ]
        },
        "Example_Instances": {
          "Example": [
            "With certain price watching websites that aggregate available product prices, the user can buy items through whichever vendor has product availability, the best price, or other differentiator. Once a user selects an item, the site must broker the purchase of that item with the vendor. Because vendors sell the same product through different channel partners at different prices, token exchange between price watching sites and selling vendors will often contain pricing information. With some price watching sites, manipulating URL-data (which is encrypted) even opaquely yields different prices charged by the fulfilling vendor. If the manipulated price turns out higher, the Attacker can cancel the purchase. If the Attacker succeeded in manipulating the token and creating a lower price, they proceed.",
            "Upon successful authentication, the user is granted an encrypted authentication cookie by the server and it is stored on the client. One piece of information stored in the authentication cookie reflects the access level of the user (e.g. \"u\" for user). The authentication cookie is encrypted using the Electronic Code Book (ECB) mode, which naively encrypts each of the plaintext blocks to each of the ciphertext blocks separately. An attacker knows the structure of the cookie and can figure out what bits (encrypted) store the information relating to the access level of the user. An attacker modifies the authentication cookie and effectively substitutes \"u\" for \"a\" by flipping some of the corresponding bits of ciphertext (trial and error). Once the correct \"flip\" is found, when the system is accessed, the attacker is granted administrative privileges in the system. Note that in this case an attacker did not have to figure out the exact encryption algorithm or find the secret key, but merely exploit the weakness inherent in using the ECB encryption mode.",
            "Archangel Weblog 0.90.02 allows remote attackers to bypass authentication by setting the ba_admin cookie to 1. See also: CVE-2006-0944"
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "353"
            },
            {
              "@CWE_ID": "285"
            },
            {
              "@CWE_ID": "302"
            },
            {
              "@CWE_ID": "472"
            },
            {
              "@CWE_ID": "565"
            },
            {
              "@CWE_ID": "315"
            },
            {
              "@CWE_ID": "539"
            },
            {
              "@CWE_ID": "384"
            },
            {
              "@CWE_ID": "233"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-01-09",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Example_Instances"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Tell me about attack pattern: Choosing Message Identifier (CAPEC ID: 12) ",
    "context": "",
    "output": "Attack pattern Choosing Message Identifier (CAPEC ID: 12) has likelihood of High and severity of High.\nCAPEC-12: Choosing Message Identifier\n\nThis pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to a more privileged one.",
    "category": "CAPECFlan",
    "instruction_type": "capec_description",
    "parsed_raw_data": {
      "@Name": "Choosing Message Identifier (CAPEC ID: 12)",
      "Description": "CAPEC-12: Choosing Message Identifier\n\nThis pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to a more privileged one.",
      "Likelihood_Of_Attack": "High",
      "Typical_Severity": "High",
      "attack_ptrn": {
        "@ID": "12",
        "@Name": "Choosing Message Identifier",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to a more privileged one.",
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "PeerOf",
              "@CAPEC_ID": "21"
            },
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "216"
            }
          ]
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Determine Nature of Messages] Determine the nature of messages being transported as well as the identifiers to be used as part of the attack"
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Authenticate] If required, authenticate to the distribution channel"
            },
            {
              "Step": "3",
              "Phase": "Experiment",
              "Description": "[Identify Known Client Identifiers] If any particular client's information is available through a control channel available to all users, the adversary will discover particular identifiers for targeted clients by observing this channel, or requesting client information through this channel."
            },
            {
              "Step": "4",
              "Phase": "Experiment",
              "Description": "[Change Message Identifier] Adversaries with client access connecting to output channels could change their channel identifier and see someone else's (perhaps more privileged) data."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "Information and client-sensitive (and client-specific) data must be present through a distribution channel available to all users.",
            "Distribution means must code (through channel, message identifiers, or convention) message destination in a manner visible within the distribution means itself (such as a control channel) or in the messages themselves."
          ]
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Low",
            "#text": "All the adversary needs to discover is the format of the messages on the channel/distribution means and the particular identifier used within the messages."
          }
        },
        "Resources_Required": {
          "Resource": "The adversary needs the ability to control source code or application configuration responsible for selecting which message/channel id is absorbed from the public distribution means."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Gain Privileges"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            {
              "xhtml:p": [
                "Associate some ACL (in the form of a token) with an authenticated user, which they provide to the middleware. The middleware uses this token as part of its channel/message selection for that client, or part of a discerning authorization decision for privileged channels/messages.",
                "The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message."
              ]
            },
            "Re-architect system input/output channels as appropriate to distribute self-protecting data. That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them."
          ]
        },
        "Example_Instances": {
          "Example": "A certain B2B interface on a large application codes for messages passed over an MQSeries queue, on a single \"Partners\" channel. Messages on that channel code for their client destination based on a partner_ID field, held by each message. That field is a simple integer. Adversaries having access to that channel, perhaps a particularly nosey partner, can simply choose to store messages of another partner's ID and read them as they desire. Note that authentication does not prevent a partner from leveraging this attack on other partners. It simply disallows adversaries without partner status from conducting this attack."
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "201"
            },
            {
              "@CWE_ID": "306"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2015-12-07",
              "Modification_Comment": "Updated Description Summary"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Example_Instances, Execution_Flow, Resources_Required, Skills_Required"
            }
          ],
          "Previous_Entry_Name": {
            "@Date": "2015-12-07",
            "#text": "Choosing a Message/Channel Identifier on a Public/Multicast Channel"
          }
        }
      }
    }
  },
  {
    "instruction": "Describe capec: Homograph Attack via Homoglyphs (CAPEC ID: 632)",
    "context": "",
    "output": "CAPEC-632: Homograph Attack via Homoglyphs\n\nAn adversary registers a domain name containing a homoglyph, leading the registered domain to appear the same as a trusted domain. A homograph attack leverages the fact that different characters among various character sets look the same to the user. Homograph attacks must generally be combined with other attacks, such as phishing attacks, in order to direct Internet traffic to the adversary-controlled destinations.",
    "category": "CAPECFlan",
    "instruction_type": "capec_description",
    "parsed_raw_data": {
      "@Name": "Homograph Attack via Homoglyphs (CAPEC ID: 632)",
      "Description": "CAPEC-632: Homograph Attack via Homoglyphs\n\nAn adversary registers a domain name containing a homoglyph, leading the registered domain to appear the same as a trusted domain. A homograph attack leverages the fact that different characters among various character sets look the same to the user. Homograph attacks must generally be combined with other attacks, such as phishing attacks, in order to direct Internet traffic to the adversary-controlled destinations.",
      "Likelihood_Of_Attack": "Low",
      "Typical_Severity": "Medium",
      "attack_ptrn": {
        "@ID": "632",
        "@Name": "Homograph Attack via Homoglyphs",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "An adversary registers a domain name containing a homoglyph, leading the registered domain to appear the same as a trusted domain. A homograph attack leverages the fact that different characters among various character sets look the same to the user. Homograph attacks must generally be combined with other attacks, such as phishing attacks, in order to direct Internet traffic to the adversary-controlled destinations.",
        "Alternate_Terms": {
          "Alternate_Term": {
            "Term": "Homoglyph Attack"
          }
        },
        "Likelihood_Of_Attack": "Low",
        "Typical_Severity": "Medium",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "616",
              "Exclude_Related": [
                {
                  "@Exclude_ID": "437"
                },
                {
                  "@Exclude_ID": "512"
                },
                {
                  "@Exclude_ID": "513"
                },
                {
                  "@Exclude_ID": "515"
                }
              ]
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "89"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "543"
            }
          ]
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Determine target website] The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.",
              "Technique": "Research popular or high traffic websites."
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Impersonate trusted domain] In order to impersonate the trusted domain, the adversary needs to register the URL containing the homoglyph character(s).",
              "Technique": "Register the Homograph domain."
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Deceive user into visiting domain] Finally, the adversary needs to deceive a user into visiting the Homograph domain.",
              "Technique": "Execute a phishing attack and send a user an e-mail convincing them to click on a link leading the user to the malicious domain."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": "An adversary requires knowledge of popular or high traffic domains that could be used to deceive potential targets."
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Low",
            "#text": "Adversaries must be able to register DNS hostnames/URLs."
          }
        },
        "Consequences": {
          "Consequence": {
            "Scope": "Other",
            "Impact": "Other",
            "Note": "Depending on the intention of the adversary, a successful Homograph attack can be leveraged to execute more complex attacks such as cross-site scripting or stealing account credentials."
          }
        },
        "Mitigations": {
          "Mitigation": [
            "Authenticate all servers and perform redundant checks when using DNS hostnames.",
            "Utilize browsers that can warn users if URLs contain characters from different character sets."
          ]
        },
        "Example_Instances": {
          "Example": {
            "xhtml:p": [
              "An adversary sends an email, impersonating bankofamerica.com to a user stating that they have just received a new deposit and to click the given link to confirm the deposit.",
              "However, the link in the email is bankofamerica.com, where the 'a' and 'e' characters are Cyrillic and not ASCII, instead of bankofamerica.com (all ASCII), which the user clicks after carefully reading the URL, making sure that typosquatting and soundsquatting attacks are not being leveraged against them.",
              "The user is directed to the adversary's website, which appears as if it is the legitimate bankofamerica.com login page.",
              "The user thinks they are logging into their account, but have actually just given their bankofamerica.com credentials to the adversary. The adversary can now use the user's legitimate bankofamerica.com credentials to log into the user's account and steal any money which may be in the account.",
              "Homograph vulnerability allows an adversary to impersonate a trusted domain by leveraging homoglyphs and tricking a user into visiting the malicious website to steal user credentials."
            ],
            "#text": "See also: CVE-2012-0584 CVE-2009-0652 CVE-2005-0233 CVE-2005-0234 CVE-2005-0235 CVE-2005-0236 CVE-2005-0237 CVE-2005-0238"
          }
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "1007"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2015-11-09"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated Attack_Phases"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2023-01-24",
              "Modification_Comment": "Updated Related_Weaknesses"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Describe CAPEC: XSS Using MIME Type Mismatch (CAPEC ID: 209)",
    "context": "",
    "output": "CAPEC-209: XSS Using MIME Type Mismatch\n\nAn adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser.\nThe attack's typical severity is Medium.",
    "category": "CAPECFlan",
    "instruction_type": "capec_description",
    "parsed_raw_data": {
      "@Name": "XSS Using MIME Type Mismatch (CAPEC ID: 209)",
      "Description": "CAPEC-209: XSS Using MIME Type Mismatch\n\nAn adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser.",
      "Typical_Severity": "Medium",
      "attack_ptrn": {
        "@ID": "209",
        "@Name": "XSS Using MIME Type Mismatch",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser.",
        "Typical_Severity": "Medium",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "592"
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Survey the application for stored user-controllable inputs] Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all areas that allow a user to upload content through an HTTP POST request. This is typically found in blogs or forums.",
              "Technique": [
                "Use a spidering tool to follow and record all links and analyze the web pages to file upload features",
                "Use a proxy tool to record all links visited during a manual traversal of the web application.",
                "Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery."
              ]
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Probe identified potential entry points for MIME type mismatch] The adversary uses the entry points gathered in the \"Explore\" phase as a target list and uploads files with scripting content, but whose MIME type is specified as a file type that cannot execute scripting content. If the application only checks the MIME type of the file, it may let the file through, causing the script to be executed by any user who accesses the file.",
              "Technique": "Upload a script file with a MIME type of text/plain to a forum and then access the uploaded file to see if the script is executed. If possible, the script displays a unique identifier so the adversary knows for certain it was executed when testing."
            },
            {
              "Step": "3",
              "Phase": "Experiment",
              "Description": "[Store malicious XSS content] Once the adversary has determined which file upload locations are vulnerable to MIME type mismatch, they will upload a malicious script disguised as a non scripting file. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from a victim.",
              "Technique": "Use a tool such as BeEF to store a hook into the web application. This will alert the adversary when the victim has accessed the content and will give the adversary control over the victim's browser, allowing them access to cookies, user screenshot, user clipboard, and more complex XSS attacks."
            },
            {
              "Step": "4",
              "Phase": "Exploit",
              "Description": "[Get victim to view stored content] In order for the attack to be successful, the victim needs to view the stored malicious content on the webpage.",
              "Technique": [
                "Send a phishing email to the victim containing a URL that will direct them to the malicious stored content.",
                "Simply wait for a victim to view the content. This is viable in situations where content is posted to a popular public forum."
              ]
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "The victim must follow a crafted link that references a scripting file that is mis-typed as a non-executable file.",
            "The victim's browser must detect the true type of a mis-labeled scripting file and invoke the appropriate script interpreter without first performing filtering on the content."
          ]
        },
        "Resources_Required": {
          "Resource": "The adversary must have the ability to source the file of the incorrect MIME type containing a script."
        },
        "Example_Instances": {
          "Example": [
            "For example, the MIME type text/plain may be used where the actual content is text/javascript or text/html. Since text does not contain scripting instructions, the stated MIME type would indicate that filtering is unnecessary. However, if the target application subsequently determines the file's real type and invokes the appropriate interpreter, scripted content could be invoked.",
            "In another example, img tags in HTML content could reference a renderable type file instead of an expected image file. The file extension and MIME type can describe an image file, but the file content can be text/javascript or text/html resulting in script execution. If the browser assumes all references in img tags are images, and therefore do not need to be filtered for scripts, this would bypass content filters."
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "79"
            },
            {
              "@CWE_ID": "20"
            },
            {
              "@CWE_ID": "646"
            }
          ]
        },
        "References": {
          "Reference": {
            "@External_Reference_ID": "REF-78",
            "@Section": "Testing for Stored Cross site scripting (OWASP-DV-002)"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-05-01",
              "Modification_Comment": "Updated Activation_Zone, Description Summary, Examples-Instances, Injection_Vector, Payload, Payload_Activation_Impact, Related_Attack_Patterns, Related_Weaknesses, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Execution_Flow"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Execution_Flow"
            }
          ],
          "Previous_Entry_Name": {
            "@Date": "2017-05-01",
            "#text": "Cross-Site Scripting Using MIME Type Mismatch"
          }
        }
      }
    }
  },
  {
    "instruction": "Can you please describe the capec attack pattern: IP Address Blocking (CAPEC ID: 590)?",
    "context": "",
    "output": "CAPEC-590: IP Address Blocking\n\nAn adversary performing this type of attack drops packets destined for a target IP address. The aim is to prevent access to the service hosted at the target IP address.\nThis attacks' likelihood is Low, and its typical severity is High.",
    "category": "CAPECFlan",
    "instruction_type": "capec_description",
    "parsed_raw_data": {
      "@Name": "IP Address Blocking (CAPEC ID: 590)",
      "Description": "CAPEC-590: IP Address Blocking\n\nAn adversary performing this type of attack drops packets destined for a target IP address. The aim is to prevent access to the service hosted at the target IP address.",
      "Likelihood_Of_Attack": "Low",
      "Typical_Severity": "High",
      "attack_ptrn": {
        "@ID": "590",
        "@Name": "IP Address Blocking",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "An adversary performing this type of attack drops packets destined for a target IP address. The aim is to prevent access to the service hosted at the target IP address.",
        "Likelihood_Of_Attack": "Low",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "603",
            "Exclude_Related": {
              "@Exclude_ID": "514"
            }
          }
        },
        "Prerequisites": {
          "Prerequisite": "This attack requires the ability to conduct deep packet inspection with an In-Path device that can drop the targeted traffic and/or connection."
        },
        "Consequences": {
          "Consequence": {
            "Scope": "Availability",
            "Impact": "Other",
            "Note": "Blocking packets intended for a target IP address denies its availability to the user."
          }
        },
        "Mitigations": {
          "Mitigation": "Have a large pool of backup IPs built into the application and support proxy capability in the application."
        },
        "Example_Instances": {
          "Example": "Consider situations of information censorship for political purposes, where regimes that prevent access to specific web services."
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "300"
          }
        },
        "References": {
          "Reference": {
            "@External_Reference_ID": "REF-475"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "Seamus Tuohy",
            "Submission_Date": "2017-01-12"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Related_Vulnerabilities"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Attack_Patterns, Related_Weaknesses"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Describe CAPEC: Schema Poisoning (CAPEC ID: 271)",
    "context": "",
    "output": "CAPEC-271: Schema Poisoning\n\nAn adversary corrupts or modifies the content of a schema for the purpose of undermining the security of the target. Schemas provide the structure and content definitions for resources used by an application. By replacing or modifying a schema, the adversary can affect how the application handles or interprets a resource, often leading to possible denial of service, entering into an unexpected state, or recording incomplete data.\nThe attack's typical severity is High.",
    "category": "CAPECFlan",
    "instruction_type": "capec_description",
    "parsed_raw_data": {
      "@Name": "Schema Poisoning (CAPEC ID: 271)",
      "Description": "CAPEC-271: Schema Poisoning\n\nAn adversary corrupts or modifies the content of a schema for the purpose of undermining the security of the target. Schemas provide the structure and content definitions for resources used by an application. By replacing or modifying a schema, the adversary can affect how the application handles or interprets a resource, often leading to possible denial of service, entering into an unexpected state, or recording incomplete data.",
      "Likelihood_Of_Attack": "Low",
      "Typical_Severity": "High",
      "attack_ptrn": {
        "@ID": "271",
        "@Name": "Schema Poisoning",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "An adversary corrupts or modifies the content of a schema for the purpose of undermining the security of the target. Schemas provide the structure and content definitions for resources used by an application. By replacing or modifying a schema, the adversary can affect how the application handles or interprets a resource, often leading to possible denial of service, entering into an unexpected state, or recording incomplete data.",
        "Likelihood_Of_Attack": "Low",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "176",
              "Exclude_Related": [
                {
                  "@Exclude_ID": "437"
                },
                {
                  "@Exclude_ID": "515"
                }
              ]
            },
            {
              "@Nature": "CanFollow",
              "@CAPEC_ID": "94"
            }
          ]
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Find target application and schema] The adversary first finds the application that they want to target. This application must use schemas in some way, so the adversary also needs to confirm that schemas are being used.",
              "Technique": [
                "Gain access to the system that the application is on and look for a schema.",
                "Observe HTTP traffic to the application and look for a schema being transmitted."
              ]
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Gain access to schema] The adversary gains access to the schema so that they can modify the contents.",
              "Technique": [
                "For a local scenario, the adversary needs access to the machine that the schema is located on and gain permissions to alter the contents of the schema file.",
                "For a remote scenario, the adversary needs to be able to perform an adversary in the middle attack on the HTTP traffic that contains a schema."
              ]
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Poison schema] Once the adversary gains access to the schema, they will alter it to achieve a desired effect. Locally, they can just modify the file. For remote schemas, the adversary will alter the schema in transit by performing an adversary in the middle attack.",
              "Technique": [
                "Cause a denial of service by modifying the schema so that it does not contain required information for subsequent processing.",
                "Manipulation of the data types described in the schema may affect the results of calculations. For example, a float field could be changed to an int field.",
                "Change the encoding defined in the schema for certain fields allowing the contents to bypass filters that scan for dangerous strings. For example, the modified schema might use a URL encoding instead of ASCII, and a filter that catches a semicolon (;) might fail to detect its URL encoding (%3B)."
              ]
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "Some level of access to modify the target schema.",
            "The schema used by the target application must be improperly secured against unauthorized modification and manipulation."
          ]
        },
        "Resources_Required": {
          "Resource": "Access to the schema and the knowledge and ability modify it. Ability to replace or redirect access to the modified schema."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Availability",
              "Impact": [
                "Unreliable Execution",
                "Resource Consumption"
              ],
              "Note": "A successful schema poisoning attack can compromise the availability of the target system's service by exhausting its available resources."
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            },
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Design: Protect the schema against unauthorized modification.",
            "Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the schema document.",
            "Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification."
          ]
        },
        "Example_Instances": {
          "Example": [
            {
              "xhtml:p": [
                "In a JSON Schema Poisoning Attack, an adervary modifies the JSON schema to cause a Denial of Service (DOS) or to submit malicious input:",
                "If the 'name' attribute is required in all submitted documents and this field is removed by the adversary, the application may enter an unexpected state or record incomplete data. Additionally, if this data is needed to perform additional functions, a Denial of Service (DOS) may occur."
              ],
              "xhtml:div": {
                "@style": "margin-left:1em;",
                "@class": "attack",
                "#text": "{ \"title\": \"Contact\", \"type\": \"object\", \"properties\": { \"Name\": { \"type\": \"string\" }, \"Phone\": { \"type\": \"string\" }, \"Email\": { \"type\": \"string\" }, \"Address\": { \"type\": \"string\" } }, \"required\": [\"Name\", \"Phone\", \"Email\", \"Address\"] }"
              }
            },
            {
              "xhtml:p": [
                "In a Database Schema Poisoning Attack, an adversary alters the database schema being used to modify the database in some way. This can result in loss of data, DOS, or malicious input being submitted. Assuming there is a column named \"name\", an adversary could make the following schema change:",
                "The \"Name\" field of the \"Conteacts\" table now allows the storing of names up to 65353 characters in length. This could allow the adversary to store excess data within the database to consume system resource or to execute a DOS."
              ],
              "xhtml:div": {
                "@style": "margin-left:1em;",
                "@class": "attack",
                "#text": "ALTER TABLE Contacts MODIFY Name VARCHAR(65353);"
              }
            }
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "15"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-01-09",
              "Modification_Comment": "Updated Description, Description Summary, Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Examples-Instances, Related_Weaknesses, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-10-21",
              "Modification_Comment": "Updated Execution_Flow, Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Example_Instances"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2023-01-24",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "What is attack pattern - Hardware Component Substitution During Baselining (CAPEC ID: 516) ",
    "context": "",
    "output": "CAPEC-516: Hardware Component Substitution During Baselining\n\nAn adversary with access to system components during allocated baseline development can substitute a maliciously altered hardware component for a baseline component during the product development and research phases. This can lead to adjustments and calibrations being made in the product so that when the final product, now containing the modified component, is deployed it will not perform as designed and be advantageous to the adversary.",
    "category": "CAPECFlan",
    "instruction_type": "capec_description",
    "parsed_raw_data": {
      "@Name": "Hardware Component Substitution During Baselining (CAPEC ID: 516)",
      "Description": "CAPEC-516: Hardware Component Substitution During Baselining\n\nAn adversary with access to system components during allocated baseline development can substitute a maliciously altered hardware component for a baseline component during the product development and research phases. This can lead to adjustments and calibrations being made in the product so that when the final product, now containing the modified component, is deployed it will not perform as designed and be advantageous to the adversary.",
      "Likelihood_Of_Attack": "Low",
      "Typical_Severity": "High",
      "attack_ptrn": {
        "@ID": "516",
        "@Name": "Hardware Component Substitution During Baselining",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "An adversary with access to system components during allocated baseline development can substitute a maliciously altered hardware component for a baseline component during the product development and research phases. This can lead to adjustments and calibrations being made in the product so that when the final product, now containing the modified component, is deployed it will not perform as designed and be advantageous to the adversary.",
        "Likelihood_Of_Attack": "Low",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "444",
            "Exclude_Related": [
              {
                "@Exclude_ID": "513"
              },
              {
                "@Exclude_ID": "688"
              }
            ]
          }
        },
        "Prerequisites": {
          "Prerequisite": "The adversary will need either physical access or be able to supply malicious hardware components to the product development facility."
        },
        "Skills_Required": {
          "Skill": [
            {
              "@Level": "Medium",
              "#text": "Intelligence data on victim's purchasing habits."
            },
            {
              "@Level": "High",
              "#text": "Resources to maliciously construct/alter hardware components used for testing by the supplier."
            },
            {
              "@Level": "High",
              "#text": "Resources to physically infiltrate supplier."
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Hardware attacks are often difficult to detect, as inserted components can be difficult to identify or remain dormant for an extended period of time.",
            "Acquire hardware and hardware components from trusted vendors. Additionally, determine where vendors purchase components or if any components are created/acquired via subcontractors to determine where supply chain risks may exist."
          ]
        },
        "Example_Instances": {
          "Example": {
            "xhtml:p": "An adversary supplies the product development facility of a network security device with a hardware component that is used to simulate large volumes of network traffic. The device claims in logs, stats, and via the display panel to be pumping out very large quantities of network traffic, when it is in fact putting out very low volumes. The developed product is adjusted and configured to handle what it believes to be a heavy network load, but when deployed at the victim site the large volumes of network traffic are dropped instead of being processed by the network security device. This allows the adversary an advantage when attacking the victim in that the adversary's presence may not be detected by the device."
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1195.003",
            "Entry_Name": "Supply Chain Compromise: Compromise Hardware Supply Chain"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-439"
            },
            {
              "@External_Reference_ID": "REF-712"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2015-11-09",
              "Modification_Comment": "Updated Examples-Instances, Related_Attack_Patterns, Typical_Likelihood_of_Exploit"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-09-30",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Example_Instances, Mitigations, Prerequisites, References"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Related_Attack_Patterns, Taxonomy_Mappings"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Provide a short description for the capec attack pattern: TCP Timestamp Probe (CAPEC ID: 320)",
    "context": "",
    "output": "Sure. Here is a description for TCP Timestamp Probe (CAPEC ID: 320): CAPEC-320: TCP Timestamp Probe\n\nThis OS fingerprinting probe examines the remote server's implementation of TCP timestamps. Not all operating systems implement timestamps within the TCP header, but when timestamps are used then this provides the attacker with a means to guess the operating system of the target. The attacker begins by probing any active TCP service in order to get response which contains a TCP timestamp. Different Operating systems update the timestamp value using different intervals. This type of analysis is most accurate when multiple timestamp responses are received and then analyzed. TCP timestamps can be found in the TCP Options field of the TCP header.\nThe likelihood of the attack is Medium.",
    "category": "CAPECFlan",
    "instruction_type": "capec_description",
    "parsed_raw_data": {
      "@Name": "TCP Timestamp Probe (CAPEC ID: 320)",
      "Description": "CAPEC-320: TCP Timestamp Probe\n\nThis OS fingerprinting probe examines the remote server's implementation of TCP timestamps. Not all operating systems implement timestamps within the TCP header, but when timestamps are used then this provides the attacker with a means to guess the operating system of the target. The attacker begins by probing any active TCP service in order to get response which contains a TCP timestamp. Different Operating systems update the timestamp value using different intervals. This type of analysis is most accurate when multiple timestamp responses are received and then analyzed. TCP timestamps can be found in the TCP Options field of the TCP header.",
      "Likelihood_Of_Attack": "Medium",
      "Typical_Severity": "Low",
      "attack_ptrn": {
        "@ID": "320",
        "@Name": "TCP Timestamp Probe",
        "@Abstraction": "Detailed",
        "@Status": "Stable",
        "Description": "This OS fingerprinting probe examines the remote server's implementation of TCP timestamps. Not all operating systems implement timestamps within the TCP header, but when timestamps are used then this provides the attacker with a means to guess the operating system of the target. The attacker begins by probing any active TCP service in order to get response which contains a TCP timestamp. Different Operating systems update the timestamp value using different intervals. This type of analysis is most accurate when multiple timestamp responses are received and then analyzed. TCP timestamps can be found in the TCP Options field of the TCP header.",
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "Low",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "312"
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Determine if timestamps are present.] The adversary sends a probe packet to the remote host to identify if timestamps are present."
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Record and analyze timestamp values.] If the remote host is using timestamp, obtain several timestamps, analyze them and compare them to known values.",
              "Technique": [
                "The adversary sends several requests and records the timestamp values.",
                "The adversary analyzes the timestamp values and determines an average increments per second in the timestamps for the target.",
                "The adversary compares this result to a database of known TCP timestamp increments for a possible match."
              ]
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.The target OS must support the TCP timestamp option in order to obtain a fingerprint."
        },
        "Resources_Required": {
          "Resource": {
            "xhtml:p": [
              "Any type of active probing that involves non-standard packet headers requires the use of raw sockets, which is not available on particular operating systems (Microsoft Windows XP SP 2, for example). Raw socket manipulation on Unix/Linux requires root privileges.",
              "A tool capable of sending and receiving packets from a remote system."
            ]
          }
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Bypass Protection Mechanism"
            }
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "200"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-33",
              "@Section": "Chapter 2: Scanning, pg. 56"
            },
            {
              "@External_Reference_ID": "REF-128"
            },
            {
              "@External_Reference_ID": "REF-212",
              "@Section": "Chapter 8. Remote OS Detection"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-05-01",
              "Modification_Comment": "Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated Attack_Phases, Description, Description Summary, Related_Weaknesses"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Describe CAPEC: Port Scanning (CAPEC ID: 300)",
    "context": "",
    "output": "CAPEC-300: Port Scanning\n\nAn adversary uses a combination of techniques to determine the state of the ports on a remote target. Any service or application available for TCP or UDP networking will have a port open for communications over the network.\nThe attack's typical severity is Low.",
    "category": "CAPECFlan",
    "instruction_type": "capec_description",
    "parsed_raw_data": {
      "@Name": "Port Scanning (CAPEC ID: 300)",
      "Description": "CAPEC-300: Port Scanning\n\nAn adversary uses a combination of techniques to determine the state of the ports on a remote target. Any service or application available for TCP or UDP networking will have a port open for communications over the network.",
      "Typical_Severity": "Low",
      "attack_ptrn": {
        "@ID": "300",
        "@Name": "Port Scanning",
        "@Abstraction": "Standard",
        "@Status": "Stable",
        "Description": "An adversary uses a combination of techniques to determine the state of the ports on a remote target. Any service or application available for TCP or UDP networking will have a port open for communications over the network.",
        "Extended_Description": {
          "xhtml:p": [
            "Although common services have assigned port numbers, services and applications can run on arbitrary ports. Additionally, port scanning is complicated by the potential for any machine to have up to 65535 possible UDP or TCP services. The goal of port scanning is often broader than identifying open ports, but also give the adversary information concerning the firewall configuration.",
            "Depending upon the method of scanning that is used, the process can be stealthy or more obtrusive, the latter being more easily detectable due to the volume of packets involved, anomalous packet traits, or system logging. Typical port scanning activity involves sending probes to a range of ports and observing the responses. There are four port statuses that this type of attack aims to identify: open, closed, filtered, and unfiltered. For strategic purposes it is useful for an adversary to distinguish between an open port that is protected by a filter vs. a closed port that is not protected by a filter. Making these fine grained distinctions is requires certain scan types. Collecting this type of information tells the adversary which ports can be attacked directly, which must be attacked with filter evasion techniques like fragmentation, source port scans, and which ports are unprotected (i.e. not firewalled) but aren't hosting a network service. An adversary often combines various techniques in order to gain a more complete picture of the firewall filtering mechanisms in place for a host."
          ]
        },
        "Typical_Severity": "Low",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "169"
          }
        },
        "Prerequisites": {
          "Prerequisite": "The adversary requires logical access to the target's network in order to carry out this type of attack."
        },
        "Resources_Required": {
          "Resource": "The adversary requires a network mapping/scanning tool, or must conduct socket programming on the command line. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Confidentiality",
              "Impact": "Other"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": [
                "Bypass Protection Mechanism",
                "Hide Activities"
              ]
            }
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "200"
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1046",
            "Entry_Name": "Network Service Scanning"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-33",
              "@Section": "Chapter 2: Scanning, pg. 54"
            },
            {
              "@External_Reference_ID": "REF-128"
            },
            {
              "@External_Reference_ID": "REF-158"
            },
            {
              "@External_Reference_ID": "REF-34",
              "@Section": "Section 4.1 Introduction to Port Scanning, pg. 73"
            },
            {
              "@External_Reference_ID": "REF-130"
            }
          ]
        },
        "Notes": {
          "Note": {
            "@Type": "Other",
            "#text": "There are four types of port status that this type of attack aims to identify: 1) Open Port: The port is open and a firewall does not block access to the port, 2) Closed Port: The port is closed (i.e. no service resides there) and a firewall does not block access to the port, 3) Filtered Port: A firewall or ACL rule is blocking access to the port in some manner, although the presence of a listening service on the port cannot be verified, and 4) Unfiltered Port: A firewall or ACL rule is not blocking access to the port, although the presence of a listening service on the port cannot be verified."
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated Attack_Prerequisites, Description, Description Summary, References, Related_Weaknesses, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Attack_Patterns, Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-09-30",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Description, Notes"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Extended_Description"
            }
          ]
        }
      }
    }
  }
]