-
Notifications
You must be signed in to change notification settings - Fork 4
/
capec_mitigation_temp.json
1 lines (1 loc) · 352 KB
/
capec_mitigation_temp.json
1
[{"_key":"capec_mitigation_00000","_id":"capec_mitigation/capec_mitigation_00000","_rev":"_dVfOKc2---","original_id":"1","name":"Accessing Functionality Not Properly Constrained by ACLs","metadata":"\n In a J2EE setting, administrators can associate a role that is impossible for the authenticator to grant users, such as \"NoAccess\", with all Servlets to which access is guarded by a limited number of servlets visible to, and accessible by, the user.\n Having done so, any direct access to those protected Servlets will be prohibited by the web container.\n In a more general setting, the administrator must mark every resource besides the ones supposed to be exposed to the user as accessible by a role impossible for the user to assume. The default security setting must be to deny access and then grant access only to those resources intended by business logic.\n ","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00001","_id":"capec_mitigation/capec_mitigation_00001","_rev":"_dVfOKc2--_","original_id":"2","name":"Inducing Account Lockout","metadata":"Implement intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00002","_id":"capec_mitigation/capec_mitigation_00002","_rev":"_dVfOKc2--A","original_id":"2","name":"Inducing Account Lockout","metadata":"When implementing security features, consider how they can be misused and made to turn on themselves.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00003","_id":"capec_mitigation/capec_mitigation_00003","_rev":"_dVfOKc2--B","original_id":"3","name":"Using Leading 'Ghost' Character Sequences to Bypass Input Filters","metadata":"Use an allowlist rather than a denylist input validation.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00004","_id":"capec_mitigation/capec_mitigation_00004","_rev":"_dVfOKc2--C","original_id":"3","name":"Using Leading 'Ghost' Character Sequences to Bypass Input Filters","metadata":"Canonicalize all data prior to validation.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00005","_id":"capec_mitigation/capec_mitigation_00005","_rev":"_dVfOKc2--D","original_id":"3","name":"Using Leading 'Ghost' Character Sequences to Bypass Input Filters","metadata":"Take an iterative approach to input validation (defense in depth).","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00006","_id":"capec_mitigation/capec_mitigation_00006","_rev":"_dVfOKc2--E","original_id":"4","name":"Using Alternative IP Address Encodings","metadata":"Design: Default deny access control policies","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00007","_id":"capec_mitigation/capec_mitigation_00007","_rev":"_dVfOKc2--F","original_id":"4","name":"Using Alternative IP Address Encodings","metadata":"Design: Input validation routines should check and enforce both input data types and content against a positive specification. In regards to IP addresses, this should include the authorized manner for the application to represent IP addresses and not accept user specified IP addresses and IP address formats (such as ranges)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00008","_id":"capec_mitigation/capec_mitigation_00008","_rev":"_dVfOKc2--G","original_id":"4","name":"Using Alternative IP Address Encodings","metadata":"Implementation: Perform input validation for all remote content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00009","_id":"capec_mitigation/capec_mitigation_00009","_rev":"_dVfOKc2--H","original_id":"5","name":"Blue Boxing","metadata":"Implementation: Upgrade phone lines. Note this may be prohibitively expensive","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00010","_id":"capec_mitigation/capec_mitigation_00010","_rev":"_dVfOKc2--I","original_id":"5","name":"Blue Boxing","metadata":"Use strong access control such as two factor access control for administrative access to the switch","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00011","_id":"capec_mitigation/capec_mitigation_00011","_rev":"_dVfOKc2--J","original_id":"6","name":"Argument Injection","metadata":"Design: Do not program input values directly on command shell, instead treat user input as guilty until proven innocent. Build a function that takes user input and converts it to applications specific types and values, stripping or filtering out all unauthorized commands and characters in the process.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00012","_id":"capec_mitigation/capec_mitigation_00012","_rev":"_dVfOKc2--K","original_id":"6","name":"Argument Injection","metadata":"Design: Limit program privileges, so if metacharacters or other methods circumvent program input validation routines and shell access is attained then it is not running under a privileged account. chroot jails create a sandbox for the application to execute in, making it more difficult for an attacker to elevate privilege even in the case that a compromise has occurred.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00013","_id":"capec_mitigation/capec_mitigation_00013","_rev":"_dVfOKc2--L","original_id":"6","name":"Argument Injection","metadata":"Implementation: Implement an audit log that is written to a separate host, in the event of a compromise the audit log may be able to provide evidence and details of the compromise.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00014","_id":"capec_mitigation/capec_mitigation_00014","_rev":"_dVfOKc2--M","original_id":"7","name":"Blind SQL Injection","metadata":"Security by Obscurity is not a solution to preventing SQL Injection. Rather than suppress error messages and exceptions, the application must handle them gracefully, returning either a custom error page or redirecting the user to a default page, without revealing any information about the database or the application internals.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00015","_id":"capec_mitigation/capec_mitigation_00015","_rev":"_dVfOKc2--N","original_id":"7","name":"Blind SQL Injection","metadata":"Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as SQL content. Keywords such as UNION, SELECT or INSERT must be filtered in addition to characters such as a single-quote(') or SQL-comments (--) based on the context in which they appear.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00017","_id":"capec_mitigation/capec_mitigation_00017","_rev":"_dVfOKc2--O","original_id":"8","name":"Buffer Overflow in an API Call","metadata":"Use a language or compiler that performs automatic bounds checking.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00018","_id":"capec_mitigation/capec_mitigation_00018","_rev":"_dVfOKc2--P","original_id":"8","name":"Buffer Overflow in an API Call","metadata":"Use secure functions not vulnerable to buffer overflow.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00019","_id":"capec_mitigation/capec_mitigation_00019","_rev":"_dVfOKc2--Q","original_id":"8","name":"Buffer Overflow in an API Call","metadata":"If you have to use dangerous functions, make sure that you do boundary checking.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00020","_id":"capec_mitigation/capec_mitigation_00020","_rev":"_dVfOKc2--R","original_id":"8","name":"Buffer Overflow in an API Call","metadata":"Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00021","_id":"capec_mitigation/capec_mitigation_00021","_rev":"_dVfOKc2--S","original_id":"8","name":"Buffer Overflow in an API Call","metadata":"Use OS-level preventative functionality. Not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00022","_id":"capec_mitigation/capec_mitigation_00022","_rev":"_dVfOKc2--T","original_id":"9","name":"Buffer Overflow in Local Command-Line Utilities","metadata":"Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as buffer overflow.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00023","_id":"capec_mitigation/capec_mitigation_00023","_rev":"_dVfOKc2--U","original_id":"9","name":"Buffer Overflow in Local Command-Line Utilities","metadata":"Use a language or compiler that performs automatic bounds checking.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00024","_id":"capec_mitigation/capec_mitigation_00024","_rev":"_dVfOKc2--V","original_id":"9","name":"Buffer Overflow in Local Command-Line Utilities","metadata":"Use an abstraction library to abstract away risky APIs. Not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00025","_id":"capec_mitigation/capec_mitigation_00025","_rev":"_dVfOKc2--W","original_id":"9","name":"Buffer Overflow in Local Command-Line Utilities","metadata":"Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00026","_id":"capec_mitigation/capec_mitigation_00026","_rev":"_dVfOKc2--X","original_id":"9","name":"Buffer Overflow in Local Command-Line Utilities","metadata":"Operational: Use OS-level preventative functionality. Not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00027","_id":"capec_mitigation/capec_mitigation_00027","_rev":"_dVfOKc2--Y","original_id":"9","name":"Buffer Overflow in Local Command-Line Utilities","metadata":"Apply the latest patches to your user exposed services. This may not be a complete solution, especially against a zero day attack.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00028","_id":"capec_mitigation/capec_mitigation_00028","_rev":"_dVfOKc2--Z","original_id":"9","name":"Buffer Overflow in Local Command-Line Utilities","metadata":"Do not unnecessarily expose services.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00029","_id":"capec_mitigation/capec_mitigation_00029","_rev":"_dVfOKc2--a","original_id":"10","name":"Buffer Overflow via Environment Variables","metadata":"Do not expose environment variable to the user.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00030","_id":"capec_mitigation/capec_mitigation_00030","_rev":"_dVfOKc2--b","original_id":"10","name":"Buffer Overflow via Environment Variables","metadata":"Do not use untrusted data in your environment variables.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00031","_id":"capec_mitigation/capec_mitigation_00031","_rev":"_dVfOKc2--c","original_id":"10","name":"Buffer Overflow via Environment Variables","metadata":"Use a language or compiler that performs automatic bounds checking","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00032","_id":"capec_mitigation/capec_mitigation_00032","_rev":"_dVfOKc2--d","original_id":"10","name":"Buffer Overflow via Environment Variables","metadata":"There are tools such as Sharefuzz [REF-2] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00034","_id":"capec_mitigation/capec_mitigation_00034","_rev":"_dVfOKc2--e","original_id":"11","name":"Cause Web Server Misclassification","metadata":"Implementation: Server routines should be determined by content not determined by filename or file extension.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00035","_id":"capec_mitigation/capec_mitigation_00035","_rev":"_dVfOKc2--f","original_id":"12","name":"Choosing Message Identifier","metadata":"\n Associate some ACL (in the form of a token) with an authenticated user which they provide middleware. The middleware uses this token as part of its channel/message selection for that client, or part of a discerning authorization decision for privileged channels/messages.\n The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message.\n ","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00036","_id":"capec_mitigation/capec_mitigation_00036","_rev":"_dVfOKc2--g","original_id":"12","name":"Choosing Message Identifier","metadata":"Re-architect system input/output channels as appropriate to distribute self-protecting data. That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00037","_id":"capec_mitigation/capec_mitigation_00037","_rev":"_dVfOKc2--h","original_id":"13","name":"Subverting Environment Variable Values","metadata":"Protect environment variables against unauthorized read and write access.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00038","_id":"capec_mitigation/capec_mitigation_00038","_rev":"_dVfOKc2--i","original_id":"13","name":"Subverting Environment Variable Values","metadata":"Protect the configuration files which contain environment variables against illegitimate read and write access.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00039","_id":"capec_mitigation/capec_mitigation_00039","_rev":"_dVfOKc2--j","original_id":"13","name":"Subverting Environment Variable Values","metadata":"Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00040","_id":"capec_mitigation/capec_mitigation_00040","_rev":"_dVfOKc2--k","original_id":"13","name":"Subverting Environment Variable Values","metadata":"Apply the least privilege principles. If a process has no legitimate reason to read an environment variable do not give that privilege.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00041","_id":"capec_mitigation/capec_mitigation_00041","_rev":"_dVfOKc2--l","original_id":"14","name":"Client-side Injection-induced Buffer Overflow","metadata":"The client software should not install untrusted code from a non-authenticated server.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00042","_id":"capec_mitigation/capec_mitigation_00042","_rev":"_dVfOKc2--m","original_id":"14","name":"Client-side Injection-induced Buffer Overflow","metadata":"The client software should have the latest patches and should be audited for vulnerabilities before being used to communicate with potentially hostile servers.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00043","_id":"capec_mitigation/capec_mitigation_00043","_rev":"_dVfOKc2--n","original_id":"14","name":"Client-side Injection-induced Buffer Overflow","metadata":"Perform input validation for length of buffer inputs.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00044","_id":"capec_mitigation/capec_mitigation_00044","_rev":"_dVfOKc2--o","original_id":"14","name":"Client-side Injection-induced Buffer Overflow","metadata":"Use a language or compiler that performs automatic bounds checking.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00045","_id":"capec_mitigation/capec_mitigation_00045","_rev":"_dVfOKc2--p","original_id":"14","name":"Client-side Injection-induced Buffer Overflow","metadata":"Use an abstraction library to abstract away risky APIs. Not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00046","_id":"capec_mitigation/capec_mitigation_00046","_rev":"_dVfOKc2--q","original_id":"14","name":"Client-side Injection-induced Buffer Overflow","metadata":"Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00047","_id":"capec_mitigation/capec_mitigation_00047","_rev":"_dVfOKc2--r","original_id":"14","name":"Client-side Injection-induced Buffer Overflow","metadata":"Ensure all buffer uses are consistently bounds-checked.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00048","_id":"capec_mitigation/capec_mitigation_00048","_rev":"_dVfOKc2--s","original_id":"14","name":"Client-side Injection-induced Buffer Overflow","metadata":"Use OS-level preventative functionality. Not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00050","_id":"capec_mitigation/capec_mitigation_00050","_rev":"_dVfOKc2--t","original_id":"15","name":"Command Delimiters","metadata":"Design: Perform allowlist validation against a positive specification for command length, type, and parameters.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00051","_id":"capec_mitigation/capec_mitigation_00051","_rev":"_dVfOKc2--u","original_id":"15","name":"Command Delimiters","metadata":"Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00052","_id":"capec_mitigation/capec_mitigation_00052","_rev":"_dVfOKc2--v","original_id":"15","name":"Command Delimiters","metadata":"Implementation: Perform input validation for all remote content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00053","_id":"capec_mitigation/capec_mitigation_00053","_rev":"_dVfOKc2--w","original_id":"15","name":"Command Delimiters","metadata":"Implementation: Use type conversions such as JDBC prepared statements.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00054","_id":"capec_mitigation/capec_mitigation_00054","_rev":"_dVfOKc2--x","original_id":"16","name":"Dictionary-based Password Attack","metadata":"Create a strong password policy and ensure that your system enforces this policy.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00055","_id":"capec_mitigation/capec_mitigation_00055","_rev":"_dVfOKc2--y","original_id":"16","name":"Dictionary-based Password Attack","metadata":"Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00056","_id":"capec_mitigation/capec_mitigation_00056","_rev":"_dVfOKc2--z","original_id":"16","name":"Dictionary-based Password Attack","metadata":"Leverage multi-factor authentication for all authentication services.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00058","_id":"capec_mitigation/capec_mitigation_00058","_rev":"_dVfOKc2--0","original_id":"17","name":"Using Malicious Files","metadata":"Design: Enforce principle of least privilege","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00059","_id":"capec_mitigation/capec_mitigation_00059","_rev":"_dVfOKc2--1","original_id":"17","name":"Using Malicious Files","metadata":"Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00060","_id":"capec_mitigation/capec_mitigation_00060","_rev":"_dVfOKc2--2","original_id":"17","name":"Using Malicious Files","metadata":"Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00061","_id":"capec_mitigation/capec_mitigation_00061","_rev":"_dVfOKc2--3","original_id":"18","name":"XSS Targeting Non-Script Elements","metadata":"In addition to the traditional input fields, all other user controllable inputs, such as image tags within messages or the likes, must also be subjected to input validation. Such validation should ensure that content that can be potentially interpreted as script by the browser is appropriately filtered.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00062","_id":"capec_mitigation/capec_mitigation_00062","_rev":"_dVfOKc2--4","original_id":"18","name":"XSS Targeting Non-Script Elements","metadata":"All output displayed to clients must be properly escaped. Escaping ensures that the browser interprets special scripting characters literally and not as script to be executed.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00063","_id":"capec_mitigation/capec_mitigation_00063","_rev":"_dVfOKc6---","original_id":"19","name":"Embedding Scripts within Scripts","metadata":"Use browser technologies that do not allow client side scripting.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00064","_id":"capec_mitigation/capec_mitigation_00064","_rev":"_dVfOKc6--_","original_id":"19","name":"Embedding Scripts within Scripts","metadata":"Utilize strict type, character, and encoding enforcement.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00065","_id":"capec_mitigation/capec_mitigation_00065","_rev":"_dVfOKc6--A","original_id":"19","name":"Embedding Scripts within Scripts","metadata":"Server side developers should not proxy content via XHR or other means. If a HTTP proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00066","_id":"capec_mitigation/capec_mitigation_00066","_rev":"_dVfOKc6--B","original_id":"19","name":"Embedding Scripts within Scripts","metadata":"Ensure all content that is delivered to client is sanitized against an acceptable content specification.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00067","_id":"capec_mitigation/capec_mitigation_00067","_rev":"_dVfOKc6--C","original_id":"19","name":"Embedding Scripts within Scripts","metadata":"Perform input validation for all remote content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00068","_id":"capec_mitigation/capec_mitigation_00068","_rev":"_dVfOKc6--D","original_id":"19","name":"Embedding Scripts within Scripts","metadata":"Perform output validation for all remote content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00069","_id":"capec_mitigation/capec_mitigation_00069","_rev":"_dVfOKc6--E","original_id":"19","name":"Embedding Scripts within Scripts","metadata":"Disable scripting languages such as JavaScript in browser","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00070","_id":"capec_mitigation/capec_mitigation_00070","_rev":"_dVfOKc6--F","original_id":"19","name":"Embedding Scripts within Scripts","metadata":"Session tokens for specific host","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00071","_id":"capec_mitigation/capec_mitigation_00071","_rev":"_dVfOKc6--G","original_id":"19","name":"Embedding Scripts within Scripts","metadata":"Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00072","_id":"capec_mitigation/capec_mitigation_00072","_rev":"_dVfOKc6--H","original_id":"19","name":"Embedding Scripts within Scripts","metadata":"Privileges are constrained, if a script is loaded, ensure system runs in chroot jail or other limited authority mode","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00073","_id":"capec_mitigation/capec_mitigation_00073","_rev":"_dVfOKc6--I","original_id":"20","name":"Encryption Brute Forcing","metadata":"Use commonly accepted algorithms and recommended key sizes. The key size used will depend on how important it is to keep the data confidential and for how long.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00074","_id":"capec_mitigation/capec_mitigation_00074","_rev":"_dVfOKc6--J","original_id":"20","name":"Encryption Brute Forcing","metadata":"In theory a brute force attack performing an exhaustive key space search will always succeed, so the goal is to have computational security. Moore's law needs to be taken into account that suggests that computing resources double every eighteen months.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00076","_id":"capec_mitigation/capec_mitigation_00076","_rev":"_dVfOKc6--K","original_id":"21","name":"Exploitation of Trusted Identifiers","metadata":"Design: utilize strong federated identity such as SAML to encrypt and sign identity tokens in transit.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00077","_id":"capec_mitigation/capec_mitigation_00077","_rev":"_dVfOKc6--L","original_id":"21","name":"Exploitation of Trusted Identifiers","metadata":"Implementation: Use industry standards session key generation mechanisms that utilize high amount of entropy to generate the session key. Many standard web and application servers will perform this task on your behalf.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00078","_id":"capec_mitigation/capec_mitigation_00078","_rev":"_dVfOKc6--M","original_id":"21","name":"Exploitation of Trusted Identifiers","metadata":"Implementation: If the identifier is used for authentication, such as in the so-called single sign on use cases, then ensure that it is protected at the same level of assurance as authentication tokens.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00079","_id":"capec_mitigation/capec_mitigation_00079","_rev":"_dVfOKc6--N","original_id":"21","name":"Exploitation of Trusted Identifiers","metadata":"Implementation: If the web or application server supports it, then encrypting and/or signing the identifier (such as cookie) can protect the ID if intercepted.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00080","_id":"capec_mitigation/capec_mitigation_00080","_rev":"_dVfOKc6--O","original_id":"21","name":"Exploitation of Trusted Identifiers","metadata":"Design: Use strong session identifiers that are protected in transit and at rest.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00081","_id":"capec_mitigation/capec_mitigation_00081","_rev":"_dVfOKc6--P","original_id":"21","name":"Exploitation of Trusted Identifiers","metadata":"Implementation: Utilize a session timeout for all sessions, for example 20 minutes. If the user does not explicitly logout, the server terminates their session after this period of inactivity. If the user logs back in then a new session key is generated.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00082","_id":"capec_mitigation/capec_mitigation_00082","_rev":"_dVfOKc6--Q","original_id":"21","name":"Exploitation of Trusted Identifiers","metadata":"Implementation: Verify authenticity of all identifiers at runtime.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00083","_id":"capec_mitigation/capec_mitigation_00083","_rev":"_dVfOKc6--R","original_id":"22","name":"Exploiting Trust in Client","metadata":"Design: Ensure that client process and/or message is authenticated so that anonymous communications and/or messages are not accepted by the system.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00084","_id":"capec_mitigation/capec_mitigation_00084","_rev":"_dVfOKc6--S","original_id":"22","name":"Exploiting Trust in Client","metadata":"Design: Do not rely on client validation or encoding for security purposes.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00085","_id":"capec_mitigation/capec_mitigation_00085","_rev":"_dVfOKc6--T","original_id":"22","name":"Exploiting Trust in Client","metadata":"Design: Utilize digital signatures to increase authentication assurance.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00086","_id":"capec_mitigation/capec_mitigation_00086","_rev":"_dVfOKc6--U","original_id":"22","name":"Exploiting Trust in Client","metadata":"Design: Utilize two factor authentication to increase authentication assurance.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00087","_id":"capec_mitigation/capec_mitigation_00087","_rev":"_dVfOKc6--V","original_id":"22","name":"Exploiting Trust in Client","metadata":"Implementation: Perform input validation for all remote content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00088","_id":"capec_mitigation/capec_mitigation_00088","_rev":"_dVfOKc6--W","original_id":"23","name":"File Content Injection","metadata":"Design: Enforce principle of least privilege","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00089","_id":"capec_mitigation/capec_mitigation_00089","_rev":"_dVfOKc6--X","original_id":"23","name":"File Content Injection","metadata":"Design: Validate all input for content including files. Ensure that if files and remote content must be accepted that once accepted, they are placed in a sandbox type location so that lower assurance clients cannot write up to higher assurance processes (like Web server processes for example)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00090","_id":"capec_mitigation/capec_mitigation_00090","_rev":"_dVfOKc6--Y","original_id":"23","name":"File Content Injection","metadata":"Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00091","_id":"capec_mitigation/capec_mitigation_00091","_rev":"_dVfOKc6--Z","original_id":"23","name":"File Content Injection","metadata":"Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00092","_id":"capec_mitigation/capec_mitigation_00092","_rev":"_dVfOKc6--a","original_id":"23","name":"File Content Injection","metadata":"Implementation: Virus scanning on host","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00093","_id":"capec_mitigation/capec_mitigation_00093","_rev":"_dVfOKc6--b","original_id":"23","name":"File Content Injection","metadata":"Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00094","_id":"capec_mitigation/capec_mitigation_00094","_rev":"_dVfOKc6--c","original_id":"24","name":"Filter Failure through Buffer Overflow","metadata":"Make sure that ANY failure occurring in the filtering or input validation routine is properly handled and that offending input is NOT allowed to go through. Basically make sure that the vault is closed when failure occurs.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00095","_id":"capec_mitigation/capec_mitigation_00095","_rev":"_dVfOKc6--d","original_id":"24","name":"Filter Failure through Buffer Overflow","metadata":"Pre-design: Use a language or compiler that performs automatic bounds checking.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00096","_id":"capec_mitigation/capec_mitigation_00096","_rev":"_dVfOKc6--e","original_id":"24","name":"Filter Failure through Buffer Overflow","metadata":"Pre-design through Build: Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00097","_id":"capec_mitigation/capec_mitigation_00097","_rev":"_dVfOKc6--f","original_id":"24","name":"Filter Failure through Buffer Overflow","metadata":"Operational: Use OS-level preventative functionality. Not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00098","_id":"capec_mitigation/capec_mitigation_00098","_rev":"_dVfOKc6--g","original_id":"24","name":"Filter Failure through Buffer Overflow","metadata":"Design: Use an abstraction library to abstract away risky APIs. Not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00100","_id":"capec_mitigation/capec_mitigation_00100","_rev":"_dVfOKc6--h","original_id":"25","name":"Forced Deadlock","metadata":"Use known algorithm to avoid deadlock condition (for instance non-blocking synchronization algorithms).","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00101","_id":"capec_mitigation/capec_mitigation_00101","_rev":"_dVfOKc6--i","original_id":"25","name":"Forced Deadlock","metadata":"For competing actions, use well-known libraries which implement synchronization.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00102","_id":"capec_mitigation/capec_mitigation_00102","_rev":"_dVfOKc6--j","original_id":"26","name":"Leveraging Race Conditions","metadata":"Use safe libraries to access resources such as files.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00103","_id":"capec_mitigation/capec_mitigation_00103","_rev":"_dVfOKc6--k","original_id":"26","name":"Leveraging Race Conditions","metadata":"Be aware that improper use of access function calls such as chown(), tempfile(), chmod(), etc. can cause a race condition.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00104","_id":"capec_mitigation/capec_mitigation_00104","_rev":"_dVfOKc6--l","original_id":"26","name":"Leveraging Race Conditions","metadata":"Use synchronization to control the flow of execution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00105","_id":"capec_mitigation/capec_mitigation_00105","_rev":"_dVfOKc6--m","original_id":"26","name":"Leveraging Race Conditions","metadata":"Use static analysis tools to find race conditions.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00106","_id":"capec_mitigation/capec_mitigation_00106","_rev":"_dVfOKc6--n","original_id":"26","name":"Leveraging Race Conditions","metadata":"Pay attention to concurrency problems related to the access of resources.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00107","_id":"capec_mitigation/capec_mitigation_00107","_rev":"_dVfOKc6--o","original_id":"27","name":"Leveraging Race Conditions via Symbolic Links","metadata":"Use safe libraries when creating temporary files. For instance the standard library function mkstemp can be used to safely create temporary files. For shell scripts, the system utility mktemp does the same thing.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00108","_id":"capec_mitigation/capec_mitigation_00108","_rev":"_dVfOKc6--p","original_id":"27","name":"Leveraging Race Conditions via Symbolic Links","metadata":"Access to the directories should be restricted as to prevent attackers from manipulating the files. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00109","_id":"capec_mitigation/capec_mitigation_00109","_rev":"_dVfOKc6--q","original_id":"27","name":"Leveraging Race Conditions via Symbolic Links","metadata":"Follow the principle of least privilege when assigning access rights to files.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00110","_id":"capec_mitigation/capec_mitigation_00110","_rev":"_dVfOKc6--r","original_id":"27","name":"Leveraging Race Conditions via Symbolic Links","metadata":"Ensure good compartmentalization in the system to provide protected areas that can be trusted.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00111","_id":"capec_mitigation/capec_mitigation_00111","_rev":"_dVfOKc6--s","original_id":"28","name":"Fuzzing","metadata":"Test to ensure that the software behaves as per specification and that there are no unintended side effects. Ensure that no assumptions about the validity of data are made.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00112","_id":"capec_mitigation/capec_mitigation_00112","_rev":"_dVfOKc6--t","original_id":"28","name":"Fuzzing","metadata":"Use fuzz testing during the software QA process to uncover any surprises, uncover any assumptions or unexpected behavior.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00114","_id":"capec_mitigation/capec_mitigation_00114","_rev":"_dVfOKc6--u","original_id":"29","name":"Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions","metadata":"Use safe libraries to access resources such as files.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00115","_id":"capec_mitigation/capec_mitigation_00115","_rev":"_dVfOKc6--v","original_id":"29","name":"Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions","metadata":"Be aware that improper use of access function calls such as chown(), tempfile(), chmod(), etc. can cause a race condition.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00116","_id":"capec_mitigation/capec_mitigation_00116","_rev":"_dVfOKc6--w","original_id":"29","name":"Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions","metadata":"Use synchronization to control the flow of execution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00117","_id":"capec_mitigation/capec_mitigation_00117","_rev":"_dVfOKc6--x","original_id":"29","name":"Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions","metadata":"Use static analysis tools to find race conditions.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00118","_id":"capec_mitigation/capec_mitigation_00118","_rev":"_dVfOKc6--y","original_id":"29","name":"Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions","metadata":"Pay attention to concurrency problems related to the access of resources.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00119","_id":"capec_mitigation/capec_mitigation_00119","_rev":"_dVfOKc6--z","original_id":"30","name":"Hijacking a Privileged Thread of Execution","metadata":"Application Architects must be careful to design callback, signal, and similar asynchronous constructs such that they shed excess privilege prior to handing control to user-written (thus untrusted) code.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00120","_id":"capec_mitigation/capec_mitigation_00120","_rev":"_dVfOKc6--0","original_id":"30","name":"Hijacking a Privileged Thread of Execution","metadata":"Application Architects must be careful to design privileged code blocks such that upon return (successful, failed, or unpredicted) that privilege is shed prior to leaving the block/scope.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00121","_id":"capec_mitigation/capec_mitigation_00121","_rev":"_dVfOKc6--1","original_id":"31","name":"Accessing/Intercepting/Modifying HTTP Cookies","metadata":"Design: Use input validation for cookies","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00122","_id":"capec_mitigation/capec_mitigation_00122","_rev":"_dVfOKc6--2","original_id":"31","name":"Accessing/Intercepting/Modifying HTTP Cookies","metadata":"Design: Generate and validate MAC for cookies","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00123","_id":"capec_mitigation/capec_mitigation_00123","_rev":"_dVfOKc6--3","original_id":"31","name":"Accessing/Intercepting/Modifying HTTP Cookies","metadata":"Implementation: Use SSL/TLS to protect cookie in transit","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00124","_id":"capec_mitigation/capec_mitigation_00124","_rev":"_dVfOKc6--4","original_id":"31","name":"Accessing/Intercepting/Modifying HTTP Cookies","metadata":"Implementation: Ensure the web server implements all relevant security patches, many exploitable buffer overflows are fixed in patches issued for the software.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00125","_id":"capec_mitigation/capec_mitigation_00125","_rev":"_dVfOKc6--5","original_id":"32","name":"XSS Through HTTP Query Strings","metadata":"Design: Use browser technologies that do not allow client side scripting.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00126","_id":"capec_mitigation/capec_mitigation_00126","_rev":"_dVfOKc6--6","original_id":"32","name":"XSS Through HTTP Query Strings","metadata":"Design: Utilize strict type, character, and encoding enforcement","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00127","_id":"capec_mitigation/capec_mitigation_00127","_rev":"_dVfOKc6--7","original_id":"32","name":"XSS Through HTTP Query Strings","metadata":"Design: Server side developers should not proxy content via XHR or other means, if a http proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00128","_id":"capec_mitigation/capec_mitigation_00128","_rev":"_dVfOKc6--8","original_id":"32","name":"XSS Through HTTP Query Strings","metadata":"Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00129","_id":"capec_mitigation/capec_mitigation_00129","_rev":"_dVfOKc6--9","original_id":"32","name":"XSS Through HTTP Query Strings","metadata":"Implementation: Perform input validation for all remote content, including remote and user-generated content","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00130","_id":"capec_mitigation/capec_mitigation_00130","_rev":"_dVfOKc6-_-","original_id":"32","name":"XSS Through HTTP Query Strings","metadata":"Implementation: Perform output validation for all remote content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00131","_id":"capec_mitigation/capec_mitigation_00131","_rev":"_dVfOKc6-__","original_id":"32","name":"XSS Through HTTP Query Strings","metadata":"Implementation: Disable scripting languages such as JavaScript in browser","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00132","_id":"capec_mitigation/capec_mitigation_00132","_rev":"_dVfOKc6-_A","original_id":"32","name":"XSS Through HTTP Query Strings","metadata":"Implementation: Session tokens for specific host","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00133","_id":"capec_mitigation/capec_mitigation_00133","_rev":"_dVfOKc6-_B","original_id":"32","name":"XSS Through HTTP Query Strings","metadata":"Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00134","_id":"capec_mitigation/capec_mitigation_00134","_rev":"_dVfOKc6-_C","original_id":"32","name":"XSS Through HTTP Query Strings","metadata":"Implementation: Privileges are constrained, if a script is loaded, ensure system runs in chroot jail or other limited authority mode","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00135","_id":"capec_mitigation/capec_mitigation_00135","_rev":"_dVfOKc6-_D","original_id":"33","name":"HTTP Request Smuggling","metadata":"Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00136","_id":"capec_mitigation/capec_mitigation_00136","_rev":"_dVfOKc6-_E","original_id":"33","name":"HTTP Request Smuggling","metadata":"Configuration: front-end HTTP agents notice ambiguous requests.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00137","_id":"capec_mitigation/capec_mitigation_00137","_rev":"_dVfOKc6-_F","original_id":"33","name":"HTTP Request Smuggling","metadata":"Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00138","_id":"capec_mitigation/capec_mitigation_00138","_rev":"_dVfOKc6-_G","original_id":"33","name":"HTTP Request Smuggling","metadata":"Configuration: Disable reuse of back-end connections.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00139","_id":"capec_mitigation/capec_mitigation_00139","_rev":"_dVfOKc6-_H","original_id":"33","name":"HTTP Request Smuggling","metadata":"Configuration: Use HTTP/2 for back-end connections.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00140","_id":"capec_mitigation/capec_mitigation_00140","_rev":"_dVfOKc6-_I","original_id":"33","name":"HTTP Request Smuggling","metadata":"Configuration: Use the same web server software for front-end and back-end server.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00141","_id":"capec_mitigation/capec_mitigation_00141","_rev":"_dVfOKc6-_J","original_id":"33","name":"HTTP Request Smuggling","metadata":"Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00142","_id":"capec_mitigation/capec_mitigation_00142","_rev":"_dVfOKc6-_K","original_id":"33","name":"HTTP Request Smuggling","metadata":"Configuration: Prioritize Transfer-Encoding header over Content-Length, whenever an HTTP message contains both.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00143","_id":"capec_mitigation/capec_mitigation_00143","_rev":"_dVfOKc6-_L","original_id":"33","name":"HTTP Request Smuggling","metadata":"Configuration: Disallow HTTP messages with both Transfer-Encoding and Content-Length or Double Content-Length Headers.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00144","_id":"capec_mitigation/capec_mitigation_00144","_rev":"_dVfOKc6-_M","original_id":"33","name":"HTTP Request Smuggling","metadata":"Configuration: Disallow Malformed/Invalid Transfer-Encoding Headers used in obfuscation, such as:\n Headers with no space before the value “chunked”\n Headers with extra spaces\n Headers beginning with trailing characters\n Headers providing a value “chunk” instead of “chunked” (the server normalizes this as chunked encoding)\n Headers with multiple spaces before the value “chunked”\n Headers with quoted values (whether single or double quotations)\n Headers with CRLF characters before the value “chunked”\n Values with invalid characters\n \n ","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00145","_id":"capec_mitigation/capec_mitigation_00145","_rev":"_dVfOKc6-_N","original_id":"33","name":"HTTP Request Smuggling","metadata":"Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00146","_id":"capec_mitigation/capec_mitigation_00146","_rev":"_dVfOKc6-_O","original_id":"33","name":"HTTP Request Smuggling","metadata":"Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00147","_id":"capec_mitigation/capec_mitigation_00147","_rev":"_dVfOKc6-_P","original_id":"33","name":"HTTP Request Smuggling","metadata":"Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00149","_id":"capec_mitigation/capec_mitigation_00149","_rev":"_dVfOKd----","original_id":"34","name":"HTTP Response Splitting","metadata":"Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00150","_id":"capec_mitigation/capec_mitigation_00150","_rev":"_dVfOKd---_","original_id":"34","name":"HTTP Response Splitting","metadata":"Configuration: front-end HTTP agents notice ambiguous requests.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00151","_id":"capec_mitigation/capec_mitigation_00151","_rev":"_dVfOKd---A","original_id":"34","name":"HTTP Response Splitting","metadata":"Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00152","_id":"capec_mitigation/capec_mitigation_00152","_rev":"_dVfOKd---B","original_id":"34","name":"HTTP Response Splitting","metadata":"Configuration: Disable reuse of back-end connections.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00153","_id":"capec_mitigation/capec_mitigation_00153","_rev":"_dVfOKd---C","original_id":"34","name":"HTTP Response Splitting","metadata":"Configuration: Use HTTP/2 for back-end connections.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00154","_id":"capec_mitigation/capec_mitigation_00154","_rev":"_dVfOKd---D","original_id":"34","name":"HTTP Response Splitting","metadata":"Configuration: Use the same web server software for front-end and back-end server.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00155","_id":"capec_mitigation/capec_mitigation_00155","_rev":"_dVfOKd---E","original_id":"34","name":"HTTP Response Splitting","metadata":"Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00156","_id":"capec_mitigation/capec_mitigation_00156","_rev":"_dVfOKd---F","original_id":"34","name":"HTTP Response Splitting","metadata":"Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00157","_id":"capec_mitigation/capec_mitigation_00157","_rev":"_dVfOKd---G","original_id":"34","name":"HTTP Response Splitting","metadata":"Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00158","_id":"capec_mitigation/capec_mitigation_00158","_rev":"_dVfOKd---H","original_id":"34","name":"HTTP Response Splitting","metadata":"Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00160","_id":"capec_mitigation/capec_mitigation_00160","_rev":"_dVfOKd---I","original_id":"35","name":"Leverage Executable Code in Non-Executable Files","metadata":"Design: Enforce principle of least privilege","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00161","_id":"capec_mitigation/capec_mitigation_00161","_rev":"_dVfOKd---J","original_id":"35","name":"Leverage Executable Code in Non-Executable Files","metadata":"Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00162","_id":"capec_mitigation/capec_mitigation_00162","_rev":"_dVfOKd---K","original_id":"35","name":"Leverage Executable Code in Non-Executable Files","metadata":"Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00163","_id":"capec_mitigation/capec_mitigation_00163","_rev":"_dVfOKd---L","original_id":"35","name":"Leverage Executable Code in Non-Executable Files","metadata":"Implementation: Implement host integrity monitoring to detect any unwanted altering of configuration files.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00164","_id":"capec_mitigation/capec_mitigation_00164","_rev":"_dVfOKd---M","original_id":"35","name":"Leverage Executable Code in Non-Executable Files","metadata":"Implementation: Ensure that files that are not required to execute, such as configuration files, are not over-privileged, i.e. not allowed to execute.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00165","_id":"capec_mitigation/capec_mitigation_00165","_rev":"_dVfOKd---N","original_id":"36","name":"Using Unpublished Interfaces","metadata":"Authenticating both services and their discovery, and protecting that authentication mechanism simply fixes the bulk of this problem. Protecting the authentication involves the standard means, including: 1) protecting the channel over which authentication occurs, 2) preventing the theft, forgery, or prediction of authentication credentials or the resultant tokens, or 3) subversion of password reset and the like.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00166","_id":"capec_mitigation/capec_mitigation_00166","_rev":"_dVfOKd---O","original_id":"38","name":"Leveraging/Manipulating Configuration File Search Paths","metadata":"Design: Enforce principle of least privilege","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00167","_id":"capec_mitigation/capec_mitigation_00167","_rev":"_dVfOKd---P","original_id":"38","name":"Leveraging/Manipulating Configuration File Search Paths","metadata":"Design: Ensure that the program's compound parts, including all system dependencies, classpath, path, and so on, are secured to the same or higher level assurance as the program","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00168","_id":"capec_mitigation/capec_mitigation_00168","_rev":"_dVfOKd---Q","original_id":"38","name":"Leveraging/Manipulating Configuration File Search Paths","metadata":"Implementation: Host integrity monitoring","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00169","_id":"capec_mitigation/capec_mitigation_00169","_rev":"_dVfOKd---R","original_id":"39","name":"Manipulating Opaque Client-based Data Tokens","metadata":"One solution to this problem is to protect encrypted data with a CRC of some sort. If knowing who last manipulated the data is important, then using a cryptographic \"message authentication code\" (or hMAC) is prescribed. However, this guidance is not a panacea. In particular, any value created by (and therefore encrypted by) the client, which itself is a \"malicious\" value, all the protective cryptography in the world can't make the value 'correct' again. Put simply, if the client has control over the whole process of generating and encoding the value, then simply protecting its integrity doesn't help.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00170","_id":"capec_mitigation/capec_mitigation_00170","_rev":"_dVfOKd---S","original_id":"39","name":"Manipulating Opaque Client-based Data Tokens","metadata":"Make sure to protect client side authentication tokens for confidentiality (encryption) and integrity (signed hash)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00171","_id":"capec_mitigation/capec_mitigation_00171","_rev":"_dVfOKd---T","original_id":"39","name":"Manipulating Opaque Client-based Data Tokens","metadata":"Make sure that all session tokens use a good source of randomness","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00172","_id":"capec_mitigation/capec_mitigation_00172","_rev":"_dVfOKd---U","original_id":"39","name":"Manipulating Opaque Client-based Data Tokens","metadata":"Perform validation on the server side to make sure that client side data tokens are consistent with what is expected.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00173","_id":"capec_mitigation/capec_mitigation_00173","_rev":"_dVfOKd---V","original_id":"40","name":"Manipulating Writeable Terminal Devices","metadata":"Design: Ensure that terminals are only writeable by named owner user and/or administrator","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00174","_id":"capec_mitigation/capec_mitigation_00174","_rev":"_dVfOKd---W","original_id":"40","name":"Manipulating Writeable Terminal Devices","metadata":"Design: Enforce principle of least privilege","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00175","_id":"capec_mitigation/capec_mitigation_00175","_rev":"_dVfOKd---X","original_id":"41","name":"Using Meta-characters in E-mail Headers to Inject Malicious Payloads","metadata":"Design: Perform validation on email header data","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00176","_id":"capec_mitigation/capec_mitigation_00176","_rev":"_dVfOKd---Y","original_id":"41","name":"Using Meta-characters in E-mail Headers to Inject Malicious Payloads","metadata":"Implementation: Implement email filtering solutions on mail server or on MTA, relay server.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00177","_id":"capec_mitigation/capec_mitigation_00177","_rev":"_dVfOKd---Z","original_id":"41","name":"Using Meta-characters in E-mail Headers to Inject Malicious Payloads","metadata":"Implementation: Mail servers that perform strict validation may catch these attacks, because metacharacters are not allowed in many header variables such as dns names","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00178","_id":"capec_mitigation/capec_mitigation_00178","_rev":"_dVfOKd---a","original_id":"42","name":"MIME Conversion","metadata":"Stay up to date with third party vendor patches","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00179","_id":"capec_mitigation/capec_mitigation_00179","_rev":"_dVfOKd---b","original_id":"42","name":"MIME Conversion","metadata":"\n Disable the 7 to 8 bit conversion. This can be done by removing the F=9 flag from all Mailer specifications in the sendmail.cf file.\n For example, a sendmail.cf file with these changes applied should look similar to (depending on your system and configuration):\n Mlocal, P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qrmn, S=10/30, R=20/40,T=DNS/RFC822/X-Unix,A=mail -d $u\n Mprog, P=/bin/sh, F=lsDFMoqeu, S=10/30, R=20/40,D=$z:/,T=X-Unix,A=sh -c $u\n \n This can be achieved for the \"Mlocal\" and \"Mprog\" Mailers by modifying the \".mc\" file to include the following lines:\n define(`LOCAL_MAILER_FLAGS',ifdef(`LOCAL_MAILER_FLAGS',`translit(LOCAL_MAILER_FLAGS, `9')',`rmn'))\n \n define(`LOCAL_SHELL_FLAGS',ifdef(`LOCAL_SHELL_FLAGS',`translit(LOCAL_SHELL_FLAGS, `9')',`eu'))\n \n \n and then rebuilding the sendmail.cf file using m4(1).\n From \"Exploiting Software\", please see reference below.\n ","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00180","_id":"capec_mitigation/capec_mitigation_00180","_rev":"_dVfOKd---c","original_id":"42","name":"MIME Conversion","metadata":"Use the sendmail restricted shell program (smrsh)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00181","_id":"capec_mitigation/capec_mitigation_00181","_rev":"_dVfOKd---d","original_id":"42","name":"MIME Conversion","metadata":"Use mail.local","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00182","_id":"capec_mitigation/capec_mitigation_00182","_rev":"_dVfOKd---e","original_id":"43","name":"Exploiting Multiple Input Interpretation Layers","metadata":"An iterative approach to input validation may be required to ensure that no dangerous characters are present. It may be necessary to implement redundant checking across different input validation layers. Ensure that invalid data is rejected as soon as possible and do not continue to work with it.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00183","_id":"capec_mitigation/capec_mitigation_00183","_rev":"_dVfOKd---f","original_id":"43","name":"Exploiting Multiple Input Interpretation Layers","metadata":"Make sure to perform input validation on canonicalized data (i.e. data that is data in its most standard form). This will help avoid tricky encodings getting past the filters.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00184","_id":"capec_mitigation/capec_mitigation_00184","_rev":"_dVfOKd---g","original_id":"43","name":"Exploiting Multiple Input Interpretation Layers","metadata":"Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist would not be permitted to enter into the system.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00186","_id":"capec_mitigation/capec_mitigation_00186","_rev":"_dVfOKd---h","original_id":"44","name":"Overflow Binary Resource File","metadata":"Perform appropriate bounds checking on all buffers.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00187","_id":"capec_mitigation/capec_mitigation_00187","_rev":"_dVfOKd---i","original_id":"44","name":"Overflow Binary Resource File","metadata":"Design: Enforce principle of least privilege","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00188","_id":"capec_mitigation/capec_mitigation_00188","_rev":"_dVfOKd---j","original_id":"44","name":"Overflow Binary Resource File","metadata":"Design: Static code analysis","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00189","_id":"capec_mitigation/capec_mitigation_00189","_rev":"_dVfOKd---k","original_id":"44","name":"Overflow Binary Resource File","metadata":"Implementation: Execute program in less trusted process space environment, do not allow lower integrity processes to write to higher integrity processes","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00190","_id":"capec_mitigation/capec_mitigation_00190","_rev":"_dVfOKd---l","original_id":"44","name":"Overflow Binary Resource File","metadata":"Implementation: Keep software patched to ensure that known vulnerabilities are not available for attackers to target on host.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00191","_id":"capec_mitigation/capec_mitigation_00191","_rev":"_dVfOKd---m","original_id":"45","name":"Buffer Overflow via Symbolic Links","metadata":"Pay attention to the fact that the resource you read from can be a replaced by a Symbolic link. You can do a Symlink check before reading the file and decide that this is not a legitimate way of accessing the resource.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00192","_id":"capec_mitigation/capec_mitigation_00192","_rev":"_dVfOKd---n","original_id":"45","name":"Buffer Overflow via Symbolic Links","metadata":"Because Symlink can be modified by an attacker, make sure that the ones you read are located in protected directories.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00193","_id":"capec_mitigation/capec_mitigation_00193","_rev":"_dVfOKd---o","original_id":"45","name":"Buffer Overflow via Symbolic Links","metadata":"Pay attention to the resource pointed to by your symlink links (See attack pattern named \"Forced Symlink race\"), they can be replaced by malicious resources.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00194","_id":"capec_mitigation/capec_mitigation_00194","_rev":"_dVfOKd---p","original_id":"45","name":"Buffer Overflow via Symbolic Links","metadata":"Always check the size of the input data before copying to a buffer.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00195","_id":"capec_mitigation/capec_mitigation_00195","_rev":"_dVfOKd---q","original_id":"45","name":"Buffer Overflow via Symbolic Links","metadata":"Use a language or compiler that performs automatic bounds checking.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00196","_id":"capec_mitigation/capec_mitigation_00196","_rev":"_dVfOKd---r","original_id":"45","name":"Buffer Overflow via Symbolic Links","metadata":"Use an abstraction library to abstract away risky APIs. Not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00197","_id":"capec_mitigation/capec_mitigation_00197","_rev":"_dVfOKd---s","original_id":"45","name":"Buffer Overflow via Symbolic Links","metadata":"Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00198","_id":"capec_mitigation/capec_mitigation_00198","_rev":"_dVfOKd---t","original_id":"45","name":"Buffer Overflow via Symbolic Links","metadata":"Use OS-level preventative functionality. Not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00201","_id":"capec_mitigation/capec_mitigation_00201","_rev":"_dVfOKd---u","original_id":"46","name":"Overflow Variables and Tags","metadata":"Use a language or compiler that performs automatic bounds checking.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00202","_id":"capec_mitigation/capec_mitigation_00202","_rev":"_dVfOKd---v","original_id":"46","name":"Overflow Variables and Tags","metadata":"Use an abstraction library to abstract away risky APIs. Not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00203","_id":"capec_mitigation/capec_mitigation_00203","_rev":"_dVfOKd---w","original_id":"46","name":"Overflow Variables and Tags","metadata":"Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00204","_id":"capec_mitigation/capec_mitigation_00204","_rev":"_dVfOKd---x","original_id":"46","name":"Overflow Variables and Tags","metadata":"Use OS-level preventative functionality. Not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00205","_id":"capec_mitigation/capec_mitigation_00205","_rev":"_dVfOKd---y","original_id":"46","name":"Overflow Variables and Tags","metadata":"Do not trust input data from user. Validate all user input.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00206","_id":"capec_mitigation/capec_mitigation_00206","_rev":"_dVfOKd---z","original_id":"47","name":"Buffer Overflow via Parameter Expansion","metadata":"Ensure that when parameter expansion happens in the code that the assumptions used to determine the resulting size of the parameter are accurate and that the new size of the parameter is visible to the whole system","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00207","_id":"capec_mitigation/capec_mitigation_00207","_rev":"_dVfOKd---0","original_id":"48","name":"Passing Local Filenames to Functions That Expect a URL","metadata":"Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00208","_id":"capec_mitigation/capec_mitigation_00208","_rev":"_dVfOKd---1","original_id":"48","name":"Passing Local Filenames to Functions That Expect a URL","metadata":"Implementation: Ensure all configuration files and resource are either removed or protected when promoting code into production.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00209","_id":"capec_mitigation/capec_mitigation_00209","_rev":"_dVfOKd---2","original_id":"48","name":"Passing Local Filenames to Functions That Expect a URL","metadata":"Design: Use browser technologies that do not allow client side scripting.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00210","_id":"capec_mitigation/capec_mitigation_00210","_rev":"_dVfOKd---3","original_id":"48","name":"Passing Local Filenames to Functions That Expect a URL","metadata":"Implementation: Perform input validation for all remote content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00211","_id":"capec_mitigation/capec_mitigation_00211","_rev":"_dVfOKd---4","original_id":"48","name":"Passing Local Filenames to Functions That Expect a URL","metadata":"Implementation: Perform output validation for all remote content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00212","_id":"capec_mitigation/capec_mitigation_00212","_rev":"_dVfOKdC---","original_id":"48","name":"Passing Local Filenames to Functions That Expect a URL","metadata":"Implementation: Disable scripting languages such as JavaScript in browser","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00213","_id":"capec_mitigation/capec_mitigation_00213","_rev":"_dVfOKdC--_","original_id":"49","name":"Password Brute Forcing","metadata":"Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00214","_id":"capec_mitigation/capec_mitigation_00214","_rev":"_dVfOKdC--A","original_id":"49","name":"Password Brute Forcing","metadata":"Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00215","_id":"capec_mitigation/capec_mitigation_00215","_rev":"_dVfOKdC--B","original_id":"49","name":"Password Brute Forcing","metadata":"Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00217","_id":"capec_mitigation/capec_mitigation_00217","_rev":"_dVfOKdC--C","original_id":"50","name":"Password Recovery Exploitation","metadata":"Use multiple security questions (e.g. have three and make the user answer two of them correctly). Let the user select their own security questions or provide them with choices of questions that are not generic.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00218","_id":"capec_mitigation/capec_mitigation_00218","_rev":"_dVfOKdC--D","original_id":"50","name":"Password Recovery Exploitation","metadata":"E-mail the temporary password to the registered e-mail address of the user rather than letting the user reset the password online.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00219","_id":"capec_mitigation/capec_mitigation_00219","_rev":"_dVfOKdC--E","original_id":"50","name":"Password Recovery Exploitation","metadata":"Ensure that your password recovery functionality is not vulnerable to an injection style attack.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00221","_id":"capec_mitigation/capec_mitigation_00221","_rev":"_dVfOKdC--F","original_id":"51","name":"Poison Web Service Registry","metadata":"Design: Enforce principle of least privilege","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00222","_id":"capec_mitigation/capec_mitigation_00222","_rev":"_dVfOKdC--G","original_id":"51","name":"Poison Web Service Registry","metadata":"Design: Harden registry server and file access permissions","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00223","_id":"capec_mitigation/capec_mitigation_00223","_rev":"_dVfOKdC--H","original_id":"51","name":"Poison Web Service Registry","metadata":"Implementation: Implement communications to and from the registry using secure protocols","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00224","_id":"capec_mitigation/capec_mitigation_00224","_rev":"_dVfOKdC--I","original_id":"52","name":"Embedding NULL Bytes","metadata":"Properly handle the NULL characters supplied as part of user input prior to doing anything with the data.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00225","_id":"capec_mitigation/capec_mitigation_00225","_rev":"_dVfOKdC--J","original_id":"53","name":"Postfix, Null Terminate, and Backslash","metadata":"Properly handle Null characters. Make sure canonicalization is properly applied. Do not pass Null characters to the underlying APIs.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00226","_id":"capec_mitigation/capec_mitigation_00226","_rev":"_dVfOKdC--K","original_id":"53","name":"Postfix, Null Terminate, and Backslash","metadata":"Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00228","_id":"capec_mitigation/capec_mitigation_00228","_rev":"_dVfOKdC--L","original_id":"54","name":"Query System for Information","metadata":"Application designers can construct a 'code book' for error messages. When using a code book, application error messages aren't generated in string or stack trace form, but are cataloged and replaced with a unique (often integer-based) value 'coding' for the error. Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00229","_id":"capec_mitigation/capec_mitigation_00229","_rev":"_dVfOKdC--M","original_id":"54","name":"Query System for Information","metadata":"Application designers can wrap application functionality (preferably through the underlying framework) in an output encoding scheme that obscures or cleanses error messages to prevent such attacks. Such a technique is often used in conjunction with the above 'code book' suggestion.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00231","_id":"capec_mitigation/capec_mitigation_00231","_rev":"_dVfOKdC--N","original_id":"55","name":"Rainbow Table Password Cracking","metadata":"Use salt when computing password hashes. That is, concatenate the salt (random bits) with the original password prior to hashing it.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00233","_id":"capec_mitigation/capec_mitigation_00233","_rev":"_dVfOKdC--O","original_id":"57","name":"Utilizing REST's Trust in the System Resource to Obtain Sensitive Data","metadata":"Implementation: Implement message level security such as HMAC in the HTTP communication","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00234","_id":"capec_mitigation/capec_mitigation_00234","_rev":"_dVfOKdC--P","original_id":"57","name":"Utilizing REST's Trust in the System Resource to Obtain Sensitive Data","metadata":"Design: Utilize defense in depth, do not rely on a single security mechanism like SSL","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00235","_id":"capec_mitigation/capec_mitigation_00235","_rev":"_dVfOKdC--Q","original_id":"57","name":"Utilizing REST's Trust in the System Resource to Obtain Sensitive Data","metadata":"Design: Enforce principle of least privilege","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00236","_id":"capec_mitigation/capec_mitigation_00236","_rev":"_dVfOKdC--R","original_id":"58","name":"Restful Privilege Elevation","metadata":"Design: Enforce principle of least privilege","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00237","_id":"capec_mitigation/capec_mitigation_00237","_rev":"_dVfOKdC--S","original_id":"58","name":"Restful Privilege Elevation","metadata":"Implementation: Ensure that HTTP Get methods only retrieve state and do not alter state on the server side","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00238","_id":"capec_mitigation/capec_mitigation_00238","_rev":"_dVfOKdC--T","original_id":"58","name":"Restful Privilege Elevation","metadata":"Implementation: Ensure that HTTP methods have proper ACLs based on what the functionality they expose","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00239","_id":"capec_mitigation/capec_mitigation_00239","_rev":"_dVfOKdC--U","original_id":"59","name":"Session Credential Falsification through Prediction","metadata":"Use a strong source of randomness to generate a session ID.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00240","_id":"capec_mitigation/capec_mitigation_00240","_rev":"_dVfOKdC--V","original_id":"59","name":"Session Credential Falsification through Prediction","metadata":"Use adequate length session IDs","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00241","_id":"capec_mitigation/capec_mitigation_00241","_rev":"_dVfOKdC--W","original_id":"59","name":"Session Credential Falsification through Prediction","metadata":"Do not use information available to the user in order to generate session ID (e.g., time).","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00242","_id":"capec_mitigation/capec_mitigation_00242","_rev":"_dVfOKdC--X","original_id":"59","name":"Session Credential Falsification through Prediction","metadata":"Ideas for creating random numbers are offered by Eastlake [RFC1750]","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00243","_id":"capec_mitigation/capec_mitigation_00243","_rev":"_dVfOKdC--Y","original_id":"59","name":"Session Credential Falsification through Prediction","metadata":"Encrypt the session ID if you expose it to the user. For instance session ID can be stored in a cookie in encrypted format.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00244","_id":"capec_mitigation/capec_mitigation_00244","_rev":"_dVfOKdC--Z","original_id":"60","name":"Reusing Session IDs (aka Session Replay)","metadata":"Always invalidate a session ID after the user logout.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00245","_id":"capec_mitigation/capec_mitigation_00245","_rev":"_dVfOKdC--a","original_id":"60","name":"Reusing Session IDs (aka Session Replay)","metadata":"Setup a session time out for the session IDs.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00246","_id":"capec_mitigation/capec_mitigation_00246","_rev":"_dVfOKdC--b","original_id":"60","name":"Reusing Session IDs (aka Session Replay)","metadata":"Protect the communication between the client and server. For instance it is best practice to use SSL to mitigate adversary in the middle attacks (CAPEC-94).","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00247","_id":"capec_mitigation/capec_mitigation_00247","_rev":"_dVfOKdC--c","original_id":"60","name":"Reusing Session IDs (aka Session Replay)","metadata":"Do not code send session ID with GET method, otherwise the session ID will be copied to the URL. In general avoid writing session IDs in the URLs. URLs can get logged in log files, which are vulnerable to an attacker.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00248","_id":"capec_mitigation/capec_mitigation_00248","_rev":"_dVfOKdC--d","original_id":"60","name":"Reusing Session IDs (aka Session Replay)","metadata":"Encrypt the session data associated with the session ID.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00249","_id":"capec_mitigation/capec_mitigation_00249","_rev":"_dVfOKdC--e","original_id":"60","name":"Reusing Session IDs (aka Session Replay)","metadata":"Use multifactor authentication.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00250","_id":"capec_mitigation/capec_mitigation_00250","_rev":"_dVfOKdC--f","original_id":"61","name":"Session Fixation","metadata":"Use a strict session management mechanism that only accepts locally generated session identifiers: This prevents attackers from fixating session identifiers of their own choice.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00251","_id":"capec_mitigation/capec_mitigation_00251","_rev":"_dVfOKdC--g","original_id":"61","name":"Session Fixation","metadata":"Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00252","_id":"capec_mitigation/capec_mitigation_00252","_rev":"_dVfOKdC--h","original_id":"61","name":"Session Fixation","metadata":"Use session identifiers that are difficult to guess or brute-force: One way for the attackers to obtain valid session identifiers is by brute-forcing or guessing them. By choosing session identifiers that are sufficiently random, brute-forcing or guessing becomes very difficult.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00255","_id":"capec_mitigation/capec_mitigation_00255","_rev":"_dVfOKdC--i","original_id":"62","name":"Cross Site Request Forgery","metadata":"Use cryptographic tokens to associate a request with a specific action. The token can be regenerated at every request so that if a request with an invalid token is encountered, it can be reliably discarded. The token is considered invalid if it arrived with a request other than the action it was supposed to be associated with.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00256","_id":"capec_mitigation/capec_mitigation_00256","_rev":"_dVfOKdC--j","original_id":"62","name":"Cross Site Request Forgery","metadata":"Although less reliable, the use of the optional HTTP Referrer header can also be used to determine whether an incoming request was actually one that the user is authorized for, in the current context.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00257","_id":"capec_mitigation/capec_mitigation_00257","_rev":"_dVfOKdC--k","original_id":"62","name":"Cross Site Request Forgery","metadata":"Additionally, the user can also be prompted to confirm an action every time an action concerning potentially sensitive data is invoked. This way, even if the attacker manages to get the user to click on a malicious link and request the desired action, the user has a chance to recover by denying confirmation. This solution is also implicitly tied to using a second factor of authentication before performing such actions.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00258","_id":"capec_mitigation/capec_mitigation_00258","_rev":"_dVfOKdC--l","original_id":"62","name":"Cross Site Request Forgery","metadata":"In general, every request must be checked for the appropriate authentication token as well as authorization in the current session context.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00259","_id":"capec_mitigation/capec_mitigation_00259","_rev":"_dVfOKdC--m","original_id":"63","name":"Cross-Site Scripting (XSS)","metadata":"Design: Use browser technologies that do not allow client side scripting.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00260","_id":"capec_mitigation/capec_mitigation_00260","_rev":"_dVfOKdC--n","original_id":"63","name":"Cross-Site Scripting (XSS)","metadata":"Design: Utilize strict type, character, and encoding enforcement","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00261","_id":"capec_mitigation/capec_mitigation_00261","_rev":"_dVfOKdC--o","original_id":"63","name":"Cross-Site Scripting (XSS)","metadata":"Design: Server side developers should not proxy content via XHR or other means, if a http proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00262","_id":"capec_mitigation/capec_mitigation_00262","_rev":"_dVfOKdC--p","original_id":"63","name":"Cross-Site Scripting (XSS)","metadata":"Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00263","_id":"capec_mitigation/capec_mitigation_00263","_rev":"_dVfOKdC--q","original_id":"63","name":"Cross-Site Scripting (XSS)","metadata":"Implementation: Perform input validation for all remote content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00264","_id":"capec_mitigation/capec_mitigation_00264","_rev":"_dVfOKdC--r","original_id":"63","name":"Cross-Site Scripting (XSS)","metadata":"Implementation: Perform output validation for all remote content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00265","_id":"capec_mitigation/capec_mitigation_00265","_rev":"_dVfOKdC--s","original_id":"63","name":"Cross-Site Scripting (XSS)","metadata":"Implementation: Session tokens for specific host","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00266","_id":"capec_mitigation/capec_mitigation_00266","_rev":"_dVfOKdC--t","original_id":"63","name":"Cross-Site Scripting (XSS)","metadata":"Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00267","_id":"capec_mitigation/capec_mitigation_00267","_rev":"_dVfOKdC--u","original_id":"64","name":"Using Slashes and URL Encoding Combined to Bypass Validation Logic","metadata":"Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00268","_id":"capec_mitigation/capec_mitigation_00268","_rev":"_dVfOKdC--v","original_id":"64","name":"Using Slashes and URL Encoding Combined to Bypass Validation Logic","metadata":"Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00269","_id":"capec_mitigation/capec_mitigation_00269","_rev":"_dVfOKdC--w","original_id":"64","name":"Using Slashes and URL Encoding Combined to Bypass Validation Logic","metadata":"When client input is required from web-based forms, avoid using the \"GET\" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the \"POST method whenever possible.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00270","_id":"capec_mitigation/capec_mitigation_00270","_rev":"_dVfOKdC--x","original_id":"64","name":"Using Slashes and URL Encoding Combined to Bypass Validation Logic","metadata":"Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00271","_id":"capec_mitigation/capec_mitigation_00271","_rev":"_dVfOKdC--y","original_id":"64","name":"Using Slashes and URL Encoding Combined to Bypass Validation Logic","metadata":"Refer to the RFCs to safely decode URL.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00272","_id":"capec_mitigation/capec_mitigation_00272","_rev":"_dVfOKdC--z","original_id":"64","name":"Using Slashes and URL Encoding Combined to Bypass Validation Logic","metadata":"Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00273","_id":"capec_mitigation/capec_mitigation_00273","_rev":"_dVfOKdC--0","original_id":"64","name":"Using Slashes and URL Encoding Combined to Bypass Validation Logic","metadata":"There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00276","_id":"capec_mitigation/capec_mitigation_00276","_rev":"_dVfOKdC--1","original_id":"65","name":"Sniff Application Code","metadata":"Design: Encrypt all communication between the client and server.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00277","_id":"capec_mitigation/capec_mitigation_00277","_rev":"_dVfOKdC--2","original_id":"65","name":"Sniff Application Code","metadata":"Implementation: Use SSL, SSH, SCP.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00278","_id":"capec_mitigation/capec_mitigation_00278","_rev":"_dVfOKdC--3","original_id":"65","name":"Sniff Application Code","metadata":"Operation: Use \"ifconfig/ipconfig\" or other tools to detect the sniffer installed in the network.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00279","_id":"capec_mitigation/capec_mitigation_00279","_rev":"_dVfOKdC--4","original_id":"66","name":"SQL Injection","metadata":"Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as SQL content. Keywords such as UNION, SELECT or INSERT must be filtered in addition to characters such as a single-quote(') or SQL-comments (--) based on the context in which they appear.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00280","_id":"capec_mitigation/capec_mitigation_00280","_rev":"_dVfOKdC--5","original_id":"66","name":"SQL Injection","metadata":"Use of parameterized queries or stored procedures - Parameterization causes the input to be restricted to certain domains, such as strings or integers, and any input outside such domains is considered invalid and the query fails. Note that SQL Injection is possible even in the presence of stored procedures if the eventual query is constructed dynamically.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00281","_id":"capec_mitigation/capec_mitigation_00281","_rev":"_dVfOKdC--6","original_id":"66","name":"SQL Injection","metadata":"Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00283","_id":"capec_mitigation/capec_mitigation_00283","_rev":"_dVfOKdC--7","original_id":"67","name":"String Format Overflow in syslog()","metadata":"\n The code should be reviewed for misuse of the Syslog function call. Manual or automated code review can be used. The reviewer needs to ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments are always sent to that function as well. If at all possible, do not use the %n operator in format strings. The following code shows a correct usage of Syslog():\n syslog(LOG_ERR, \"%s\", cmdBuf);\n The following code shows a vulnerable usage of Syslog():\n syslog(LOG_ERR, cmdBuf);\n // the buffer cmdBuff is taking user supplied data.\n \n \n ","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00284","_id":"capec_mitigation/capec_mitigation_00284","_rev":"_dVfOKdC--8","original_id":"68","name":"Subvert Code-signing Facilities","metadata":"A given code signing scheme may be fallible due to improper use of cryptography. Developers must never roll out their own cryptography, nor should existing primitives be modified or ignored.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00285","_id":"capec_mitigation/capec_mitigation_00285","_rev":"_dVfOKdC--9","original_id":"68","name":"Subvert Code-signing Facilities","metadata":"If an attacker cannot attack the scheme directly, they might try to alter the environment that affects the signing and verification processes. A possible mitigation is to avoid reliance on flags or environment variables that are user-controllable.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00286","_id":"capec_mitigation/capec_mitigation_00286","_rev":"_dVfOKdC-_-","original_id":"69","name":"Target Programs with Elevated Privileges","metadata":"Apply the principle of least privilege.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00287","_id":"capec_mitigation/capec_mitigation_00287","_rev":"_dVfOKdC-__","original_id":"69","name":"Target Programs with Elevated Privileges","metadata":"Validate all untrusted data.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00288","_id":"capec_mitigation/capec_mitigation_00288","_rev":"_dVfOKdC-_A","original_id":"69","name":"Target Programs with Elevated Privileges","metadata":"Apply the latest patches.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00289","_id":"capec_mitigation/capec_mitigation_00289","_rev":"_dVfOKdC-_B","original_id":"69","name":"Target Programs with Elevated Privileges","metadata":"Scan your services and disable the ones which are not needed and are exposed unnecessarily. Exposing programs increases the attack surface. Only expose the services which are needed and have security mechanisms such as authentication built around them.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00290","_id":"capec_mitigation/capec_mitigation_00290","_rev":"_dVfOKdC-_C","original_id":"69","name":"Target Programs with Elevated Privileges","metadata":"Avoid revealing information about your system (e.g., version of the program) to anonymous users.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00291","_id":"capec_mitigation/capec_mitigation_00291","_rev":"_dVfOKdC-_D","original_id":"69","name":"Target Programs with Elevated Privileges","metadata":"Make sure that your program or service fail safely. What happen if the communication protocol is interrupted suddenly? What happen if a parameter is missing? Does your system have resistance and resilience to attack? Fail safely when a resource exhaustion occurs.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00292","_id":"capec_mitigation/capec_mitigation_00292","_rev":"_dVfOKdC-_E","original_id":"69","name":"Target Programs with Elevated Privileges","metadata":"If possible use a sandbox model which limits the actions that programs can take. A sandbox restricts a program to a set of privileges and commands that make it difficult or impossible for the program to cause any damage.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00293","_id":"capec_mitigation/capec_mitigation_00293","_rev":"_dVfOKdC-_F","original_id":"69","name":"Target Programs with Elevated Privileges","metadata":"Check your program for buffer overflow and format String vulnerabilities which can lead to execution of malicious code.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00294","_id":"capec_mitigation/capec_mitigation_00294","_rev":"_dVfOKdC-_G","original_id":"69","name":"Target Programs with Elevated Privileges","metadata":"Monitor traffic and resource usage and pay attention if resource exhaustion occurs.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00295","_id":"capec_mitigation/capec_mitigation_00295","_rev":"_dVfOKdC-_H","original_id":"69","name":"Target Programs with Elevated Privileges","metadata":"Protect your log file from unauthorized modification and log forging.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00297","_id":"capec_mitigation/capec_mitigation_00297","_rev":"_dVfOKdC-_I","original_id":"70","name":"Try Common or Default Usernames and Passwords","metadata":"Delete all default account credentials that may be put in by the product vendor.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00298","_id":"capec_mitigation/capec_mitigation_00298","_rev":"_dVfOKdC-_J","original_id":"70","name":"Try Common or Default Usernames and Passwords","metadata":"Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00299","_id":"capec_mitigation/capec_mitigation_00299","_rev":"_dVfOKdC-_K","original_id":"70","name":"Try Common or Default Usernames and Passwords","metadata":"Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00300","_id":"capec_mitigation/capec_mitigation_00300","_rev":"_dVfOKdC-_L","original_id":"70","name":"Try Common or Default Usernames and Passwords","metadata":"Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00302","_id":"capec_mitigation/capec_mitigation_00302","_rev":"_dVfOKdC-_M","original_id":"71","name":"Using Unicode Encoding to Bypass Validation Logic","metadata":"Ensure that the system is Unicode aware and can properly process Unicode data. Do not make an assumption that data will be in ASCII.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00303","_id":"capec_mitigation/capec_mitigation_00303","_rev":"_dVfOKdG---","original_id":"71","name":"Using Unicode Encoding to Bypass Validation Logic","metadata":"Ensure that filtering or input validation is applied to canonical data.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00304","_id":"capec_mitigation/capec_mitigation_00304","_rev":"_dVfOKdG--_","original_id":"71","name":"Using Unicode Encoding to Bypass Validation Logic","metadata":"Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00306","_id":"capec_mitigation/capec_mitigation_00306","_rev":"_dVfOKdG--A","original_id":"72","name":"URL Encoding","metadata":"Refer to the RFCs to safely decode URL.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00307","_id":"capec_mitigation/capec_mitigation_00307","_rev":"_dVfOKdG--B","original_id":"72","name":"URL Encoding","metadata":"Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00308","_id":"capec_mitigation/capec_mitigation_00308","_rev":"_dVfOKdG--C","original_id":"72","name":"URL Encoding","metadata":"There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00309","_id":"capec_mitigation/capec_mitigation_00309","_rev":"_dVfOKdG--D","original_id":"72","name":"URL Encoding","metadata":"Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00310","_id":"capec_mitigation/capec_mitigation_00310","_rev":"_dVfOKdG--E","original_id":"72","name":"URL Encoding","metadata":"Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00311","_id":"capec_mitigation/capec_mitigation_00311","_rev":"_dVfOKdG--F","original_id":"72","name":"URL Encoding","metadata":"Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. (See related guideline section)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00312","_id":"capec_mitigation/capec_mitigation_00312","_rev":"_dVfOKdG--G","original_id":"72","name":"URL Encoding","metadata":"When client input is required from web-based forms, avoid using the \"GET\" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the \"POST method whenever possible.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00315","_id":"capec_mitigation/capec_mitigation_00315","_rev":"_dVfOKdG--H","original_id":"73","name":"User-Controlled Filename","metadata":"Design: Use browser technologies that do not allow client side scripting.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00316","_id":"capec_mitigation/capec_mitigation_00316","_rev":"_dVfOKdG--I","original_id":"73","name":"User-Controlled Filename","metadata":"Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00317","_id":"capec_mitigation/capec_mitigation_00317","_rev":"_dVfOKdG--J","original_id":"73","name":"User-Controlled Filename","metadata":"Implementation: Perform input validation for all remote content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00318","_id":"capec_mitigation/capec_mitigation_00318","_rev":"_dVfOKdG--K","original_id":"73","name":"User-Controlled Filename","metadata":"Implementation: Perform output validation for all remote content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00319","_id":"capec_mitigation/capec_mitigation_00319","_rev":"_dVfOKdG--L","original_id":"73","name":"User-Controlled Filename","metadata":"Implementation: Disable scripting languages such as JavaScript in browser","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00320","_id":"capec_mitigation/capec_mitigation_00320","_rev":"_dVfOKdG--M","original_id":"73","name":"User-Controlled Filename","metadata":"Implementation: Scan dynamically generated content against validation specification","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00321","_id":"capec_mitigation/capec_mitigation_00321","_rev":"_dVfOKdG--N","original_id":"74","name":"Manipulating State","metadata":"Do not rely solely on user-controllable locations, such as cookies or URL parameters, to maintain user state.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00322","_id":"capec_mitigation/capec_mitigation_00322","_rev":"_dVfOKdG--O","original_id":"74","name":"Manipulating State","metadata":"Avoid sensitive information, such as usernames or authentication and authorization information, in user-controllable locations.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00323","_id":"capec_mitigation/capec_mitigation_00323","_rev":"_dVfOKdG--P","original_id":"74","name":"Manipulating State","metadata":"Sensitive information that is part of the user state must be appropriately protected to ensure confidentiality and integrity at each request.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00324","_id":"capec_mitigation/capec_mitigation_00324","_rev":"_dVfOKdG--Q","original_id":"74","name":"Manipulating State","metadata":"All possible states must be handled by hardware finite state machines.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00325","_id":"capec_mitigation/capec_mitigation_00325","_rev":"_dVfOKdG--R","original_id":"75","name":"Manipulating Writeable Configuration Files","metadata":"Design: Enforce principle of least privilege","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00326","_id":"capec_mitigation/capec_mitigation_00326","_rev":"_dVfOKdG--S","original_id":"75","name":"Manipulating Writeable Configuration Files","metadata":"Design: Backup copies of all configuration files","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00327","_id":"capec_mitigation/capec_mitigation_00327","_rev":"_dVfOKdG--T","original_id":"75","name":"Manipulating Writeable Configuration Files","metadata":"Implementation: Integrity monitoring for configuration files","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00328","_id":"capec_mitigation/capec_mitigation_00328","_rev":"_dVfOKdG--U","original_id":"75","name":"Manipulating Writeable Configuration Files","metadata":"Implementation: Enforce audit logging on code and configuration promotion procedures.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00329","_id":"capec_mitigation/capec_mitigation_00329","_rev":"_dVfOKdG--V","original_id":"75","name":"Manipulating Writeable Configuration Files","metadata":"Implementation: Load configuration from separate process and memory space, for example a separate physical device like a CD","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00330","_id":"capec_mitigation/capec_mitigation_00330","_rev":"_dVfOKdG--W","original_id":"76","name":"Manipulating Web Input to File System Calls","metadata":"Design: Enforce principle of least privilege.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00331","_id":"capec_mitigation/capec_mitigation_00331","_rev":"_dVfOKdG--X","original_id":"76","name":"Manipulating Web Input to File System Calls","metadata":"Design: Ensure all input is validated, and does not contain file system commands","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00332","_id":"capec_mitigation/capec_mitigation_00332","_rev":"_dVfOKdG--Y","original_id":"76","name":"Manipulating Web Input to File System Calls","metadata":"Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00333","_id":"capec_mitigation/capec_mitigation_00333","_rev":"_dVfOKdG--Z","original_id":"76","name":"Manipulating Web Input to File System Calls","metadata":"Design: For interactive user applications, consider if direct file system interface is necessary, instead consider having the application proxy communication.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00334","_id":"capec_mitigation/capec_mitigation_00334","_rev":"_dVfOKdG--a","original_id":"76","name":"Manipulating Web Input to File System Calls","metadata":"Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00335","_id":"capec_mitigation/capec_mitigation_00335","_rev":"_dVfOKdG--b","original_id":"77","name":"Manipulating User-Controlled Variables","metadata":"\n Do not allow override of global variables and do Not Trust Global Variables.\n If the register_globals option is enabled, PHP will create global variables for each GET, POST, and cookie variable included in the HTTP request. This means that a malicious user may be able to set variables unexpectedly. For instance make sure that the server setting for PHP does not expose global variables.\n ","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00336","_id":"capec_mitigation/capec_mitigation_00336","_rev":"_dVfOKdG--c","original_id":"77","name":"Manipulating User-Controlled Variables","metadata":"A software system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking is performed when relying on input from outside a trust boundary.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00337","_id":"capec_mitigation/capec_mitigation_00337","_rev":"_dVfOKdG--d","original_id":"77","name":"Manipulating User-Controlled Variables","metadata":"Separate the presentation layer and the business logic layer. Variables at the business logic layer should not be exposed at the presentation layer. This is to prevent computation of business logic from user controlled input data.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00338","_id":"capec_mitigation/capec_mitigation_00338","_rev":"_dVfOKdG--e","original_id":"77","name":"Manipulating User-Controlled Variables","metadata":"Use encapsulation when declaring your variables. This is to lower the exposure of your variables.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00339","_id":"capec_mitigation/capec_mitigation_00339","_rev":"_dVfOKdG--f","original_id":"77","name":"Manipulating User-Controlled Variables","metadata":"Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should be rejected by the program.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00341","_id":"capec_mitigation/capec_mitigation_00341","_rev":"_dVfOKdG--g","original_id":"78","name":"Using Escaped Slashes in Alternate Encoding","metadata":"Verify that the user-supplied data does not use backslash character to escape malicious characters.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00342","_id":"capec_mitigation/capec_mitigation_00342","_rev":"_dVfOKdG--h","original_id":"78","name":"Using Escaped Slashes in Alternate Encoding","metadata":"Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00343","_id":"capec_mitigation/capec_mitigation_00343","_rev":"_dVfOKdG--i","original_id":"78","name":"Using Escaped Slashes in Alternate Encoding","metadata":"Be aware of the threat of alternative method of data encoding.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00344","_id":"capec_mitigation/capec_mitigation_00344","_rev":"_dVfOKdG--j","original_id":"78","name":"Using Escaped Slashes in Alternate Encoding","metadata":"Regular expressions can be used to filter out backslash. Make sure you decode before filtering and validating the untrusted input data.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00345","_id":"capec_mitigation/capec_mitigation_00345","_rev":"_dVfOKdG--k","original_id":"78","name":"Using Escaped Slashes in Alternate Encoding","metadata":"In the case of path traversals, use the principle of least privilege when determining access rights to file systems. Do not allow users to access directories/files that they should not access.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00346","_id":"capec_mitigation/capec_mitigation_00346","_rev":"_dVfOKdG--l","original_id":"78","name":"Using Escaped Slashes in Alternate Encoding","metadata":"Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00347","_id":"capec_mitigation/capec_mitigation_00347","_rev":"_dVfOKdG--m","original_id":"78","name":"Using Escaped Slashes in Alternate Encoding","metadata":"Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00349","_id":"capec_mitigation/capec_mitigation_00349","_rev":"_dVfOKdG--n","original_id":"79","name":"Using Slashes in Alternate Encoding","metadata":"Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process. Refer to the RFCs to safely decode URL.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00350","_id":"capec_mitigation/capec_mitigation_00350","_rev":"_dVfOKdG--o","original_id":"79","name":"Using Slashes in Alternate Encoding","metadata":"When client input is required from web-based forms, avoid using the \"GET\" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the \"POST method whenever possible.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00351","_id":"capec_mitigation/capec_mitigation_00351","_rev":"_dVfOKdG--p","original_id":"79","name":"Using Slashes in Alternate Encoding","metadata":"There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00352","_id":"capec_mitigation/capec_mitigation_00352","_rev":"_dVfOKdG--q","original_id":"79","name":"Using Slashes in Alternate Encoding","metadata":"Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. (See related guideline section)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00353","_id":"capec_mitigation/capec_mitigation_00353","_rev":"_dVfOKdG--r","original_id":"79","name":"Using Slashes in Alternate Encoding","metadata":"Test your path decoding process against malicious input.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00354","_id":"capec_mitigation/capec_mitigation_00354","_rev":"_dVfOKdG--s","original_id":"79","name":"Using Slashes in Alternate Encoding","metadata":"In the case of path traversals, use the principle of least privilege when determining access rights to file systems. Do not allow users to access directories/files that they should not access.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00355","_id":"capec_mitigation/capec_mitigation_00355","_rev":"_dVfOKdG--t","original_id":"79","name":"Using Slashes in Alternate Encoding","metadata":"Assume all input is malicious. Create an allowlist that defines all valid input to the application based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00359","_id":"capec_mitigation/capec_mitigation_00359","_rev":"_dVfOKdG--u","original_id":"80","name":"Using UTF-8 Encoding to Bypass Validation Logic","metadata":"The Unicode Consortium recognized multiple representations to be a problem and has revised the Unicode Standard to make multiple representations of the same code point with UTF-8 illegal. The UTF-8 Corrigendum lists the newly restricted UTF-8 range (See references). Many current applications may not have been revised to follow this rule. Verify that your application conform to the latest UTF-8 encoding specification. Pay extra attention to the filtering of illegal characters.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00360","_id":"capec_mitigation/capec_mitigation_00360","_rev":"_dVfOKdG--v","original_id":"80","name":"Using UTF-8 Encoding to Bypass Validation Logic","metadata":"\n The exact response required from an UTF-8 decoder on invalid input is not uniformly defined by the standards. In general, there are several ways a UTF-8 decoder might behave in the event of an invalid byte sequence:\n \n \n 1. Insert a replacement character (e.g. '?', '').\n 2. Ignore the bytes.\n 3. Interpret the bytes according to a different character encoding (often the ISO-8859-1 character map).\n 4. Not notice and decode as if the bytes were some similar bit of UTF-8.\n 5. Stop decoding and report an error (possibly giving the caller the option to continue).\n \n \n It is possible for a decoder to behave in different ways for different types of invalid input.\n RFC 3629 only requires that UTF-8 decoders must not decode \"overlong sequences\" (where a character is encoded in more bytes than needed but still adheres to the forms above). The Unicode Standard requires a Unicode-compliant decoder to \"...treat any ill-formed code unit sequence as an error condition. This guarantees that it will neither interpret nor emit an ill-formed code unit sequence.\"\n Overlong forms are one of the most troublesome types of UTF-8 data. The current RFC says they must not be decoded but older specifications for UTF-8 only gave a warning and many simpler decoders will happily decode them. Overlong forms have been used to bypass security validations in high profile products including Microsoft's IIS web server. Therefore, great care must be taken to avoid security issues if validation is performed before conversion from UTF-8, and it is generally much simpler to handle overlong forms before any input validation is done.\n To maintain security in the case of invalid input, there are two options. The first is to decode the UTF-8 before doing any input validation checks. The second is to use a decoder that, in the event of invalid input, returns either an error or text that the application considers to be harmless. Another possibility is to avoid conversion out of UTF-8 altogether but this relies on any other software that the data is passed to safely handling the invalid data.\n Another consideration is error recovery. To guarantee correct recovery after corrupt or lost bytes, decoders must be able to recognize the difference between lead and trail bytes, rather than just assuming that bytes will be of the type allowed in their position.\n ","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00361","_id":"capec_mitigation/capec_mitigation_00361","_rev":"_dVfOKdG--w","original_id":"80","name":"Using UTF-8 Encoding to Bypass Validation Logic","metadata":"For security reasons, a UTF-8 decoder must not accept UTF-8 sequences that are longer than necessary to encode a character. If you use a parser to decode the UTF-8 encoding, make sure that parser filter the invalid UTF-8 characters (invalid forms or overlong forms).","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00362","_id":"capec_mitigation/capec_mitigation_00362","_rev":"_dVfOKdG--x","original_id":"80","name":"Using UTF-8 Encoding to Bypass Validation Logic","metadata":"Look for overlong UTF-8 sequences starting with malicious pattern. You can also use a UTF-8 decoder stress test to test your UTF-8 parser (See Markus Kuhn's UTF-8 and Unicode FAQ in reference section)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00363","_id":"capec_mitigation/capec_mitigation_00363","_rev":"_dVfOKdG--y","original_id":"80","name":"Using UTF-8 Encoding to Bypass Validation Logic","metadata":"Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00367","_id":"capec_mitigation/capec_mitigation_00367","_rev":"_dVfOKdG--z","original_id":"81","name":"Web Logs Tampering","metadata":"Design: Use input validation before writing to web log","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00368","_id":"capec_mitigation/capec_mitigation_00368","_rev":"_dVfOKdG--0","original_id":"81","name":"Web Logs Tampering","metadata":"Design: Validate all log data before it is output","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00369","_id":"capec_mitigation/capec_mitigation_00369","_rev":"_dVfOKdG--1","original_id":"83","name":"XPath Injection","metadata":"Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as content that can be interpreted in the context of an XPath expression. Characters such as a single-quote(') or operators such as or (|), and (&) and such should be filtered if the application does not expect them in the context in which they appear. If such content cannot be filtered, it must at least be properly escaped to avoid them being interpreted as part of XPath expressions.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00370","_id":"capec_mitigation/capec_mitigation_00370","_rev":"_dVfOKdG--2","original_id":"83","name":"XPath Injection","metadata":"Use of parameterized XPath queries - Parameterization causes the input to be restricted to certain domains, such as strings or integers, and any input outside such domains is considered invalid and the query fails.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00371","_id":"capec_mitigation/capec_mitigation_00371","_rev":"_dVfOKdG--3","original_id":"83","name":"XPath Injection","metadata":"Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00373","_id":"capec_mitigation/capec_mitigation_00373","_rev":"_dVfOKdG--4","original_id":"84","name":"XQuery Injection","metadata":"Design: Perform input allowlist validation on all XML input","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00374","_id":"capec_mitigation/capec_mitigation_00374","_rev":"_dVfOKdG--5","original_id":"84","name":"XQuery Injection","metadata":"Implementation: Run xml parsing and query infrastructure with minimal privileges so that an attacker is limited in their ability to probe other system resources from XQL.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00375","_id":"capec_mitigation/capec_mitigation_00375","_rev":"_dVfOKdG--6","original_id":"85","name":"AJAX Footprinting","metadata":"Design: Use browser technologies that do not allow client side scripting.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00376","_id":"capec_mitigation/capec_mitigation_00376","_rev":"_dVfOKdG--7","original_id":"85","name":"AJAX Footprinting","metadata":"Implementation: Perform input validation for all remote content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00377","_id":"capec_mitigation/capec_mitigation_00377","_rev":"_dVfOKdG--8","original_id":"86","name":"XSS Through HTTP Headers","metadata":"Design: Use browser technologies that do not allow client side scripting.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00378","_id":"capec_mitigation/capec_mitigation_00378","_rev":"_dVfOKdG--9","original_id":"86","name":"XSS Through HTTP Headers","metadata":"Design: Utilize strict type, character, and encoding enforcement","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00379","_id":"capec_mitigation/capec_mitigation_00379","_rev":"_dVfOKdG-_-","original_id":"86","name":"XSS Through HTTP Headers","metadata":"Design: Server side developers should not proxy content via XHR or other means, if a http proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00380","_id":"capec_mitigation/capec_mitigation_00380","_rev":"_dVfOKdG-__","original_id":"86","name":"XSS Through HTTP Headers","metadata":"Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00381","_id":"capec_mitigation/capec_mitigation_00381","_rev":"_dVfOKdG-_A","original_id":"86","name":"XSS Through HTTP Headers","metadata":"Implementation: Perform input validation for all remote content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00382","_id":"capec_mitigation/capec_mitigation_00382","_rev":"_dVfOKdK---","original_id":"86","name":"XSS Through HTTP Headers","metadata":"Implementation: Perform output validation for all remote content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00383","_id":"capec_mitigation/capec_mitigation_00383","_rev":"_dVfOKdK--_","original_id":"86","name":"XSS Through HTTP Headers","metadata":"Implementation: Disable scripting languages such as JavaScript in browser","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00384","_id":"capec_mitigation/capec_mitigation_00384","_rev":"_dVfOKdK--A","original_id":"86","name":"XSS Through HTTP Headers","metadata":"Implementation: Session tokens for specific host","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00385","_id":"capec_mitigation/capec_mitigation_00385","_rev":"_dVfOKdK--B","original_id":"86","name":"XSS Through HTTP Headers","metadata":"Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00386","_id":"capec_mitigation/capec_mitigation_00386","_rev":"_dVfOKdK--C","original_id":"87","name":"Forceful Browsing","metadata":"Authenticate request to every resource. In addition, every page or resource must ensure that the request it is handling has been made in an authorized context.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00387","_id":"capec_mitigation/capec_mitigation_00387","_rev":"_dVfOKdK--D","original_id":"87","name":"Forceful Browsing","metadata":"Forceful browsing can also be made difficult to a large extent by not hard-coding names of application pages or resources. This way, the attacker cannot figure out, from the application alone, the resources available from the present context.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00388","_id":"capec_mitigation/capec_mitigation_00388","_rev":"_dVfOKdK--E","original_id":"88","name":"OS Command Injection","metadata":"Use language APIs rather than relying on passing data to the operating system shell or command line. Doing so ensures that the available protection mechanisms in the language are intact and applicable.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00389","_id":"capec_mitigation/capec_mitigation_00389","_rev":"_dVfOKdK--F","original_id":"88","name":"OS Command Injection","metadata":"Filter all incoming data to escape or remove characters or strings that can be potentially misinterpreted as operating system or shell commands","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00390","_id":"capec_mitigation/capec_mitigation_00390","_rev":"_dVfOKdK--G","original_id":"88","name":"OS Command Injection","metadata":"All application processes should be run with the minimal privileges required. Also, processes must shed privileges as soon as they no longer require them.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00391","_id":"capec_mitigation/capec_mitigation_00391","_rev":"_dVfOKdK--H","original_id":"89","name":"Pharming","metadata":"All sensitive information must be handled over a secure connection.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00392","_id":"capec_mitigation/capec_mitigation_00392","_rev":"_dVfOKdK--I","original_id":"89","name":"Pharming","metadata":"Known vulnerabilities in DNS or router software or in operating systems must be patched as soon as a fix has been released and tested.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00393","_id":"capec_mitigation/capec_mitigation_00393","_rev":"_dVfOKdK--J","original_id":"89","name":"Pharming","metadata":"End users must ensure that they provide sensitive information only to websites that they trust, over a secure connection with a valid certificate issued by a well-known certificate authority.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00394","_id":"capec_mitigation/capec_mitigation_00394","_rev":"_dVfOKdK--K","original_id":"90","name":"Reflection Attack in Authentication Protocol","metadata":"The server must initiate the handshake by issuing the challenge. This ensures that the client has to respond before the exchange can move any further","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00395","_id":"capec_mitigation/capec_mitigation_00395","_rev":"_dVfOKdK--L","original_id":"90","name":"Reflection Attack in Authentication Protocol","metadata":"The use of HMAC to hash the response from the server can also be used to thwart reflection. The server responds by returning its own challenge as well as hashing the client's challenge, its own challenge and the pre-shared secret. Requiring the client to respond with the HMAC of the two challenges ensures that only the possessor of a valid pre-shared secret can successfully hash in the two values.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00396","_id":"capec_mitigation/capec_mitigation_00396","_rev":"_dVfOKdK--M","original_id":"90","name":"Reflection Attack in Authentication Protocol","metadata":"Introducing a random nonce with each new connection ensures that the attacker cannot employ two connections to attack the authentication protocol","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00397","_id":"capec_mitigation/capec_mitigation_00397","_rev":"_dVfOKdK--N","original_id":"92","name":"Forced Integer Overflow","metadata":"Use a language or compiler that performs automatic bounds checking.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00398","_id":"capec_mitigation/capec_mitigation_00398","_rev":"_dVfOKdK--O","original_id":"92","name":"Forced Integer Overflow","metadata":"Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as integer overflow.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00399","_id":"capec_mitigation/capec_mitigation_00399","_rev":"_dVfOKdK--P","original_id":"92","name":"Forced Integer Overflow","metadata":"Use an abstraction library to abstract away risky APIs. Not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00400","_id":"capec_mitigation/capec_mitigation_00400","_rev":"_dVfOKdK--Q","original_id":"92","name":"Forced Integer Overflow","metadata":"Always do bound checking before consuming user input data.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00401","_id":"capec_mitigation/capec_mitigation_00401","_rev":"_dVfOKdK--R","original_id":"93","name":"Log Injection-Tampering-Forging","metadata":"Carefully control access to physical log files.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00402","_id":"capec_mitigation/capec_mitigation_00402","_rev":"_dVfOKdK--S","original_id":"93","name":"Log Injection-Tampering-Forging","metadata":"Do not allow tainted data to be written in the log file without prior input validation. An allowlist may be used to properly validate the data.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00403","_id":"capec_mitigation/capec_mitigation_00403","_rev":"_dVfOKdK--T","original_id":"93","name":"Log Injection-Tampering-Forging","metadata":"Use synchronization to control the flow of execution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00404","_id":"capec_mitigation/capec_mitigation_00404","_rev":"_dVfOKdK--U","original_id":"93","name":"Log Injection-Tampering-Forging","metadata":"Use static analysis tools to identify log forging vulnerabilities.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00405","_id":"capec_mitigation/capec_mitigation_00405","_rev":"_dVfOKdK--V","original_id":"93","name":"Log Injection-Tampering-Forging","metadata":"Avoid viewing logs with tools that may interpret control characters in the file, such as command-line shells.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00406","_id":"capec_mitigation/capec_mitigation_00406","_rev":"_dVfOKdK--W","original_id":"94","name":"Adversary in the Middle (AiTM)","metadata":"Ensure Public Keys are signed by a Certificate Authority","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00407","_id":"capec_mitigation/capec_mitigation_00407","_rev":"_dVfOKdK--X","original_id":"94","name":"Adversary in the Middle (AiTM)","metadata":"Encrypt communications using cryptography (e.g., SSL/TLS)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00408","_id":"capec_mitigation/capec_mitigation_00408","_rev":"_dVfOKdK--Y","original_id":"94","name":"Adversary in the Middle (AiTM)","metadata":"Use Strong mutual authentication to always fully authenticate both ends of any communications channel.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00409","_id":"capec_mitigation/capec_mitigation_00409","_rev":"_dVfOKdK--Z","original_id":"94","name":"Adversary in the Middle (AiTM)","metadata":"Exchange public keys using a secure channel","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00410","_id":"capec_mitigation/capec_mitigation_00410","_rev":"_dVfOKdK--a","original_id":"95","name":"WSDL Scanning","metadata":"It is important to protect WSDL file or provide limited access to it.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00411","_id":"capec_mitigation/capec_mitigation_00411","_rev":"_dVfOKdK--b","original_id":"95","name":"WSDL Scanning","metadata":"Review the functions exposed by the WSDL interface (especially if you have used a tool to generate it). Make sure that none of them is vulnerable to injection.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00412","_id":"capec_mitigation/capec_mitigation_00412","_rev":"_dVfOKdK--c","original_id":"95","name":"WSDL Scanning","metadata":"Ensure the WSDL does not expose functions and APIs that were not intended to be exposed.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00413","_id":"capec_mitigation/capec_mitigation_00413","_rev":"_dVfOKdK--d","original_id":"95","name":"WSDL Scanning","metadata":"Pay attention to the function naming convention (within the WSDL interface). Easy to guess function name may be an entry point for attack.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00414","_id":"capec_mitigation/capec_mitigation_00414","_rev":"_dVfOKdK--e","original_id":"95","name":"WSDL Scanning","metadata":"Validate the received messages against the WSDL Schema. Incomplete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00415","_id":"capec_mitigation/capec_mitigation_00415","_rev":"_dVfOKdK--f","original_id":"96","name":"Block Access to Libraries","metadata":"Ensure that application handles situations where access to APIs in external libraries is not available securely. If the application cannot continue its execution safely it should fail in a consistent and secure fashion.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00416","_id":"capec_mitigation/capec_mitigation_00416","_rev":"_dVfOKdK--g","original_id":"97","name":"Cryptanalysis","metadata":"Use proven cryptographic algorithms with recommended key sizes.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00417","_id":"capec_mitigation/capec_mitigation_00417","_rev":"_dVfOKdK--h","original_id":"97","name":"Cryptanalysis","metadata":"\n Ensure that the algorithms are used properly. That means:\n \n \n 1. Not rolling out your own crypto; Use proven algorithms and implementations.\n 2. Choosing initialization vectors with sufficiently random numbers\n 3. Generating key material using good sources of randomness and avoiding known weak keys\n 4. Using proven protocols and their implementations.\n 5. Picking the most appropriate cryptographic algorithm for your usage context and data\n \n \n ","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00418","_id":"capec_mitigation/capec_mitigation_00418","_rev":"_dVfOKdK--i","original_id":"98","name":"Phishing","metadata":"Do not follow any links that you receive within your e-mails and certainly do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. A safe practice would also be to type the URL of your bank in the browser directly and only then log in. Also, never reply to any e-mails that ask you to provide sensitive information of any kind.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00421","_id":"capec_mitigation/capec_mitigation_00421","_rev":"_dVfOKdK--j","original_id":"100","name":"Overflow Buffers","metadata":"Use a language or compiler that performs automatic bounds checking.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00422","_id":"capec_mitigation/capec_mitigation_00422","_rev":"_dVfOKdK--k","original_id":"100","name":"Overflow Buffers","metadata":"Use secure functions not vulnerable to buffer overflow.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00423","_id":"capec_mitigation/capec_mitigation_00423","_rev":"_dVfOKdK--l","original_id":"100","name":"Overflow Buffers","metadata":"If you have to use dangerous functions, make sure that you do boundary checking.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00424","_id":"capec_mitigation/capec_mitigation_00424","_rev":"_dVfOKdK--m","original_id":"100","name":"Overflow Buffers","metadata":"Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00425","_id":"capec_mitigation/capec_mitigation_00425","_rev":"_dVfOKdK--n","original_id":"100","name":"Overflow Buffers","metadata":"Use OS-level preventative functionality. Not a complete solution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00426","_id":"capec_mitigation/capec_mitigation_00426","_rev":"_dVfOKdK--o","original_id":"100","name":"Overflow Buffers","metadata":"Utilize static source code analysis tools to identify potential buffer overflow weaknesses in the software.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00428","_id":"capec_mitigation/capec_mitigation_00428","_rev":"_dVfOKdK--p","original_id":"101","name":"Server Side Include (SSI) Injection","metadata":"Set the OPTIONS IncludesNOEXEC in the global access.conf file or local .htaccess (Apache) file to deny SSI execution in directories that do not need them","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00429","_id":"capec_mitigation/capec_mitigation_00429","_rev":"_dVfOKdK--q","original_id":"101","name":"Server Side Include (SSI) Injection","metadata":"All user controllable input must be appropriately sanitized before use in the application. This includes omitting, or encoding, certain characters or strings that have the potential of being interpreted as part of an SSI directive","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00430","_id":"capec_mitigation/capec_mitigation_00430","_rev":"_dVfOKdK--r","original_id":"101","name":"Server Side Include (SSI) Injection","metadata":"Server Side Includes must be enabled only if there is a strong business reason to do so. Every additional component enabled on the web server increases the attack surface as well as administrative overhead","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00431","_id":"capec_mitigation/capec_mitigation_00431","_rev":"_dVfOKdK--s","original_id":"102","name":"Session Sidejacking","metadata":"Make sure that HTTPS is used to communicate with the target system. Alternatively, use VPN if possible. It is important to ensure that all communication between the client and the server happens via an encrypted secure channel.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00432","_id":"capec_mitigation/capec_mitigation_00432","_rev":"_dVfOKdK--t","original_id":"102","name":"Session Sidejacking","metadata":"Modify the session token with each transmission and protect it with cryptography. Add the idea of request sequencing that gives the server an ability to detect replay attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00433","_id":"capec_mitigation/capec_mitigation_00433","_rev":"_dVfOKdK--u","original_id":"103","name":"Clickjacking","metadata":"If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00434","_id":"capec_mitigation/capec_mitigation_00434","_rev":"_dVfOKdK--v","original_id":"103","name":"Clickjacking","metadata":"Turn off JavaScript, Flash and disable CSS.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00435","_id":"capec_mitigation/capec_mitigation_00435","_rev":"_dVfOKdK--w","original_id":"103","name":"Clickjacking","metadata":"When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00436","_id":"capec_mitigation/capec_mitigation_00436","_rev":"_dVfOKdK--x","original_id":"104","name":"Cross Zone Scripting","metadata":"Disable script execution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00437","_id":"capec_mitigation/capec_mitigation_00437","_rev":"_dVfOKdK--y","original_id":"104","name":"Cross Zone Scripting","metadata":"Ensure that sufficient input validation is performed for any potentially untrusted data before it is used in any privileged context or zone","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00438","_id":"capec_mitigation/capec_mitigation_00438","_rev":"_dVfOKdK--z","original_id":"104","name":"Cross Zone Scripting","metadata":"Limit the flow of untrusted data into the privileged areas of the system that run in the higher trust zone","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00439","_id":"capec_mitigation/capec_mitigation_00439","_rev":"_dVfOKdK--0","original_id":"104","name":"Cross Zone Scripting","metadata":"Limit the sites that are being added to the local machine zone and restrict the privileges of the code running in that zone to the bare minimum","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00440","_id":"capec_mitigation/capec_mitigation_00440","_rev":"_dVfOKdK--1","original_id":"104","name":"Cross Zone Scripting","metadata":"Ensure proper HTML output encoding before writing user supplied data to the page","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00441","_id":"capec_mitigation/capec_mitigation_00441","_rev":"_dVfOKdK--2","original_id":"105","name":"HTTP Request Splitting","metadata":"Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00442","_id":"capec_mitigation/capec_mitigation_00442","_rev":"_dVfOKdK--3","original_id":"105","name":"HTTP Request Splitting","metadata":"Configuration: front-end HTTP agents notice ambiguous requests.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00443","_id":"capec_mitigation/capec_mitigation_00443","_rev":"_dVfOKdK--4","original_id":"105","name":"HTTP Request Splitting","metadata":"Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00444","_id":"capec_mitigation/capec_mitigation_00444","_rev":"_dVfOKdK--5","original_id":"105","name":"HTTP Request Splitting","metadata":"Configuration: Disable reuse of back-end connections.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00445","_id":"capec_mitigation/capec_mitigation_00445","_rev":"_dVfOKdK--6","original_id":"105","name":"HTTP Request Splitting","metadata":"Configuration: Use HTTP/2 for back-end connections.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00446","_id":"capec_mitigation/capec_mitigation_00446","_rev":"_dVfOKdK--7","original_id":"105","name":"HTTP Request Splitting","metadata":"Configuration: Use the same web server software for front-end and back-end server.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00447","_id":"capec_mitigation/capec_mitigation_00447","_rev":"_dVfOKdK--8","original_id":"105","name":"HTTP Request Splitting","metadata":"Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00448","_id":"capec_mitigation/capec_mitigation_00448","_rev":"_dVfOKdK--9","original_id":"105","name":"HTTP Request Splitting","metadata":"Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00449","_id":"capec_mitigation/capec_mitigation_00449","_rev":"_dVfOKdK-_-","original_id":"105","name":"HTTP Request Splitting","metadata":"Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00450","_id":"capec_mitigation/capec_mitigation_00450","_rev":"_dVfOKdK-__","original_id":"105","name":"HTTP Request Splitting","metadata":"Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00452","_id":"capec_mitigation/capec_mitigation_00452","_rev":"_dVfOKdK-_A","original_id":"107","name":"Cross Site Tracing","metadata":"Administrators should disable support for HTTP TRACE at the destination's web server. Vendors should disable TRACE by default.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00453","_id":"capec_mitigation/capec_mitigation_00453","_rev":"_dVfOKdK-_B","original_id":"107","name":"Cross Site Tracing","metadata":"Patch web browser against known security origin policy bypass exploits.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00454","_id":"capec_mitigation/capec_mitigation_00454","_rev":"_dVfOKdK-_C","original_id":"108","name":"Command Line Execution through SQL Injection","metadata":"Disable MSSQL xp_cmdshell directive on the database","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00455","_id":"capec_mitigation/capec_mitigation_00455","_rev":"_dVfOKdK-_D","original_id":"108","name":"Command Line Execution through SQL Injection","metadata":"Properly validate the data (syntactically and semantically) before writing it to the database.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00456","_id":"capec_mitigation/capec_mitigation_00456","_rev":"_dVfOKdK-_E","original_id":"108","name":"Command Line Execution through SQL Injection","metadata":"Do not implicitly trust the data stored in the database. Re-validate it prior to usage to make sure that it is safe to use in a given context (e.g. as a command line argument).","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00457","_id":"capec_mitigation/capec_mitigation_00457","_rev":"_dVfOKdO---","original_id":"109","name":"Object Relational Mapping Injection","metadata":"Remember to understand how to use the data access methods generated by the ORM tool / framework properly in a way that would leverage the built-in security mechanisms of the framework","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00458","_id":"capec_mitigation/capec_mitigation_00458","_rev":"_dVfOKdO--_","original_id":"109","name":"Object Relational Mapping Injection","metadata":"Ensure to keep up to date with security relevant updates to the persistence framework used within your application.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00459","_id":"capec_mitigation/capec_mitigation_00459","_rev":"_dVfOKdO--A","original_id":"110","name":"SQL Injection through SOAP Parameter Tampering","metadata":"Properly validate and sanitize/reject user input at the service provider.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00460","_id":"capec_mitigation/capec_mitigation_00460","_rev":"_dVfOKdO--B","original_id":"110","name":"SQL Injection through SOAP Parameter Tampering","metadata":"Ensure that prepared statements or other mechanism that enables parameter binding is used when accessing the database in a way that would prevent the attackers' supplied data from controlling the structure of the executed query.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00461","_id":"capec_mitigation/capec_mitigation_00461","_rev":"_dVfOKdO--C","original_id":"110","name":"SQL Injection through SOAP Parameter Tampering","metadata":"At the database level, ensure that the database user used by the application in a particular context has the minimum needed privileges to the database that are needed to perform the operation. When possible, run queries against pre-generated views rather than the tables directly.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00462","_id":"capec_mitigation/capec_mitigation_00462","_rev":"_dVfOKdO--D","original_id":"111","name":"JSON Hijacking (aka JavaScript Hijacking)","metadata":"Ensure that server side code can differentiate between legitimate requests and forged requests. The solution is similar to protection against Cross Site Request Forger (CSRF), which is to use a hard to guess random nonce (that is unique to the victim's session with the server) that the attacker has no way of knowing (at least in the absence of other weaknesses). Each request from the client to the server should contain this nonce and the server should reject all requests that do not contain the nonce.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00463","_id":"capec_mitigation/capec_mitigation_00463","_rev":"_dVfOKdO--E","original_id":"111","name":"JSON Hijacking (aka JavaScript Hijacking)","metadata":"On the client side, the system's design could make it difficult to get access to the JSON object content via the script tag. Since the JSON object is never assigned locally to a variable, it cannot be readily modified by the attacker before being used by a script tag. For instance, if while(1) was added to the beginning of the JavaScript returned by the server, trying to access it with a script tag would result in an infinite loop. On the other hand, legitimate client side code can remove the while(1) statement after which the JavaScript can be evaluated. A similar result can be achieved by surrounding the returned JavaScript with comment tags, or using other similar techniques (e.g. wrapping the JavaScript with HTML tags).","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00464","_id":"capec_mitigation/capec_mitigation_00464","_rev":"_dVfOKdO--F","original_id":"111","name":"JSON Hijacking (aka JavaScript Hijacking)","metadata":"Make the URLs in the system used to retrieve JSON objects unpredictable and unique for each user session.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00465","_id":"capec_mitigation/capec_mitigation_00465","_rev":"_dVfOKdO--G","original_id":"111","name":"JSON Hijacking (aka JavaScript Hijacking)","metadata":"Ensure that to the extent possible, no sensitive data is passed from the server to the client via JSON objects. JavaScript was never intended to play that role, hence the same origin policy does not adequate address this scenario.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00466","_id":"capec_mitigation/capec_mitigation_00466","_rev":"_dVfOKdO--H","original_id":"112","name":"Brute Force","metadata":"Select a provably large secret space for selection of the secret. Provably large means that the procedure by which the secret is selected does not have artifacts that significantly reduce the size of the total secret space.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00467","_id":"capec_mitigation/capec_mitigation_00467","_rev":"_dVfOKdO--I","original_id":"112","name":"Brute Force","metadata":"Use a secret space that is well known and with no known patterns that may reduce functional size.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00468","_id":"capec_mitigation/capec_mitigation_00468","_rev":"_dVfOKdO--J","original_id":"112","name":"Brute Force","metadata":"Do not provide the means for an attacker to determine success independently. This forces the attacker to check their guesses against an external authority, which can slow the attack and warn the defender. This mitigation may not be possible if testing material must appear externally, such as with a transmitted cryptotext.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00472","_id":"capec_mitigation/capec_mitigation_00472","_rev":"_dVfOKdO--K","original_id":"116","name":"Excavation","metadata":"Minimize error/response output to only what is necessary for functional use or corrective language.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00473","_id":"capec_mitigation/capec_mitigation_00473","_rev":"_dVfOKdO--L","original_id":"116","name":"Excavation","metadata":"Remove potentially sensitive information that is not necessary for the application's functionality.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00474","_id":"capec_mitigation/capec_mitigation_00474","_rev":"_dVfOKdO--M","original_id":"117","name":"Interception","metadata":"Leverage encryption to encode the transmission of data thus making it accessible only to authorized parties.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00475","_id":"capec_mitigation/capec_mitigation_00475","_rev":"_dVfOKdO--N","original_id":"120","name":"Double Encoding","metadata":"Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00476","_id":"capec_mitigation/capec_mitigation_00476","_rev":"_dVfOKdO--O","original_id":"120","name":"Double Encoding","metadata":"Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00477","_id":"capec_mitigation/capec_mitigation_00477","_rev":"_dVfOKdO--P","original_id":"120","name":"Double Encoding","metadata":"When client input is required from web-based forms, avoid using the \"GET\" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the \"POST method whenever possible.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00478","_id":"capec_mitigation/capec_mitigation_00478","_rev":"_dVfOKdO--Q","original_id":"120","name":"Double Encoding","metadata":"Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00479","_id":"capec_mitigation/capec_mitigation_00479","_rev":"_dVfOKdO--R","original_id":"120","name":"Double Encoding","metadata":"Refer to the RFCs to safely decode URL.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00480","_id":"capec_mitigation/capec_mitigation_00480","_rev":"_dVfOKdO--S","original_id":"120","name":"Double Encoding","metadata":"Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00481","_id":"capec_mitigation/capec_mitigation_00481","_rev":"_dVfOKdO--T","original_id":"120","name":"Double Encoding","metadata":"There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00482","_id":"capec_mitigation/capec_mitigation_00482","_rev":"_dVfOKdO--U","original_id":"121","name":"Exploit Non-Production Interfaces","metadata":"Ensure that production systems to not contain non-production interfaces and that these interfaces are only used in development environments.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00483","_id":"capec_mitigation/capec_mitigation_00483","_rev":"_dVfOKdO--V","original_id":"122","name":"Privilege Abuse","metadata":"Configure account privileges such privileged/administrator functionality is not exposed to non-privileged/lower accounts.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00484","_id":"capec_mitigation/capec_mitigation_00484","_rev":"_dVfOKdO--W","original_id":"123","name":"Buffer Manipulation","metadata":"To help protect an application from buffer manipulation attacks, a number of potential mitigations can be leveraged. Before starting the development of the application, consider using a code language (e.g., Java) or compiler that limits the ability of developers to act beyond the bounds of a buffer. If the chosen language is susceptible to buffer related issues (e.g., C) then consider using secure functions instead of those vulnerable to buffer manipulations. If a potentially dangerous function must be used, make sure that proper boundary checking is performed. Additionally, there are often a number of compiler-based mechanisms (e.g., StackGuard, ProPolice and the Microsoft Visual Studio /GS flag) that can help identify and protect against potential buffer issues. Finally, there may be operating system level preventative functionality that can be applied.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00485","_id":"capec_mitigation/capec_mitigation_00485","_rev":"_dVfOKdO--X","original_id":"125","name":"Flooding","metadata":"Ensure that protocols have specific limits of scale configured.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00486","_id":"capec_mitigation/capec_mitigation_00486","_rev":"_dVfOKdO--Y","original_id":"125","name":"Flooding","metadata":"Specify expectations for capabilities and dictate which behaviors are acceptable when resource allocation reaches limits.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00487","_id":"capec_mitigation/capec_mitigation_00487","_rev":"_dVfOKdO--Z","original_id":"125","name":"Flooding","metadata":"Uniformly throttle all requests in order to make it more difficult to consume resources more quickly than they can again be freed.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00488","_id":"capec_mitigation/capec_mitigation_00488","_rev":"_dVfOKdO--a","original_id":"126","name":"Path Traversal","metadata":"Design: Configure the access control correctly.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00489","_id":"capec_mitigation/capec_mitigation_00489","_rev":"_dVfOKdO--b","original_id":"126","name":"Path Traversal","metadata":"Design: Enforce principle of least privilege.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00490","_id":"capec_mitigation/capec_mitigation_00490","_rev":"_dVfOKdO--c","original_id":"126","name":"Path Traversal","metadata":"Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00491","_id":"capec_mitigation/capec_mitigation_00491","_rev":"_dVfOKdO--d","original_id":"126","name":"Path Traversal","metadata":"Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00492","_id":"capec_mitigation/capec_mitigation_00492","_rev":"_dVfOKdO--e","original_id":"126","name":"Path Traversal","metadata":"Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00493","_id":"capec_mitigation/capec_mitigation_00493","_rev":"_dVfOKdO--f","original_id":"126","name":"Path Traversal","metadata":"Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00494","_id":"capec_mitigation/capec_mitigation_00494","_rev":"_dVfOKdO--g","original_id":"126","name":"Path Traversal","metadata":"Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00495","_id":"capec_mitigation/capec_mitigation_00495","_rev":"_dVfOKdO--h","original_id":"126","name":"Path Traversal","metadata":"Implementation: Perform input validation for all remote content, including remote and user-generated content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00496","_id":"capec_mitigation/capec_mitigation_00496","_rev":"_dVfOKdO--i","original_id":"126","name":"Path Traversal","metadata":"Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00497","_id":"capec_mitigation/capec_mitigation_00497","_rev":"_dVfOKdO--j","original_id":"126","name":"Path Traversal","metadata":"Implementation: Use indirect references rather than actual file names.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00498","_id":"capec_mitigation/capec_mitigation_00498","_rev":"_dVfOKdO--k","original_id":"126","name":"Path Traversal","metadata":"Implementation: Use possible permissions on file access when developing and deploying web applications.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00499","_id":"capec_mitigation/capec_mitigation_00499","_rev":"_dVfOKdO--l","original_id":"126","name":"Path Traversal","metadata":"Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- using an allowlist approach.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00500","_id":"capec_mitigation/capec_mitigation_00500","_rev":"_dVfOKdO--m","original_id":"127","name":"Directory Indexing","metadata":"1. Using blank index.html: putting blank index.html simply prevent directory listings from displaying to site visitors.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00501","_id":"capec_mitigation/capec_mitigation_00501","_rev":"_dVfOKdO--n","original_id":"127","name":"Directory Indexing","metadata":"2. Preventing with .htaccess in Apache web server: In .htaccess, write \"Options-indexes\".","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00502","_id":"capec_mitigation/capec_mitigation_00502","_rev":"_dVfOKdO--o","original_id":"127","name":"Directory Indexing","metadata":"3. Suppressing error messages: using error 403 \"Forbidden\" message exactly like error 404 \"Not Found\" message.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00503","_id":"capec_mitigation/capec_mitigation_00503","_rev":"_dVfOKdO--p","original_id":"130","name":"Excessive Allocation","metadata":"Limit the amount of resources that are accessible to unprivileged users.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00504","_id":"capec_mitigation/capec_mitigation_00504","_rev":"_dVfOKdO--q","original_id":"130","name":"Excessive Allocation","metadata":"Assume all input is malicious. Consider all potentially relevant properties when validating input.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00505","_id":"capec_mitigation/capec_mitigation_00505","_rev":"_dVfOKdO--r","original_id":"130","name":"Excessive Allocation","metadata":"Consider uniformly throttling all requests in order to make it more difficult to consume resources more quickly than they can again be freed.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00506","_id":"capec_mitigation/capec_mitigation_00506","_rev":"_dVfOKdO--s","original_id":"130","name":"Excessive Allocation","metadata":"Use resource-limiting settings, if possible.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00507","_id":"capec_mitigation/capec_mitigation_00507","_rev":"_dVfOKdO--t","original_id":"131","name":"Resource Leak Exposure","metadata":"If possible, leverage coding language(s) that do not allow this weakness to occur (e.g., Java, Ruby, and Python all perform automatic garbage collection that releases memory for objects that have been deallocated).","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00508","_id":"capec_mitigation/capec_mitigation_00508","_rev":"_dVfOKdO--u","original_id":"131","name":"Resource Leak Exposure","metadata":"Memory should always be allocated/freed using matching functions (e.g., malloc/free, new/delete, etc.)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00509","_id":"capec_mitigation/capec_mitigation_00509","_rev":"_dVfOKdO--v","original_id":"131","name":"Resource Leak Exposure","metadata":"Implement best practices with respect to memory management, including the freeing of all allocated resources at all exit points and ensuring consistency with how and where memory is freed in a function.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00510","_id":"capec_mitigation/capec_mitigation_00510","_rev":"_dVfOKdO--w","original_id":"132","name":"Symlink Attack","metadata":"Design: Check for the existence of files to be created, if in existence verify they are neither symlinks nor hard links before opening them.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00511","_id":"capec_mitigation/capec_mitigation_00511","_rev":"_dVfOKdO--x","original_id":"132","name":"Symlink Attack","metadata":"Implementation: Use randomly generated file names for temporary files. Give the files restrictive permissions.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00512","_id":"capec_mitigation/capec_mitigation_00512","_rev":"_dVfOKdO--y","original_id":"133","name":"Try All Common Switches","metadata":"Design: Minimize switch and option functionality to only that necessary for correct function of the command.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00513","_id":"capec_mitigation/capec_mitigation_00513","_rev":"_dVfOKdO--z","original_id":"133","name":"Try All Common Switches","metadata":"Implementation: Remove all debug and testing options from production code.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00514","_id":"capec_mitigation/capec_mitigation_00514","_rev":"_dVfOKdO--0","original_id":"135","name":"Format String Injection","metadata":"Limit the usage of formatting string functions.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00515","_id":"capec_mitigation/capec_mitigation_00515","_rev":"_dVfOKdO--1","original_id":"135","name":"Format String Injection","metadata":"Strong input validation - All user-controllable input must be validated and filtered for illegal formatting characters.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00516","_id":"capec_mitigation/capec_mitigation_00516","_rev":"_dVfOKdO--2","original_id":"136","name":"LDAP Injection","metadata":"Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as LDAP content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00517","_id":"capec_mitigation/capec_mitigation_00517","_rev":"_dVfOKdO--3","original_id":"136","name":"LDAP Injection","metadata":"Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the LDAP or application.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00518","_id":"capec_mitigation/capec_mitigation_00518","_rev":"_dVfOKdO--4","original_id":"137","name":"Parameter Injection","metadata":"Implement an audit log written to a separate host. In the event of a compromise, the audit log may be able to provide evidence and details of the compromise.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00519","_id":"capec_mitigation/capec_mitigation_00519","_rev":"_dVfOKdO--5","original_id":"137","name":"Parameter Injection","metadata":"Treat all user input as untrusted data that must be validated before use.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00520","_id":"capec_mitigation/capec_mitigation_00520","_rev":"_dVfOKdO--6","original_id":"139","name":"Relative Path Traversal","metadata":"Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00521","_id":"capec_mitigation/capec_mitigation_00521","_rev":"_dVfOKdO--7","original_id":"139","name":"Relative Path Traversal","metadata":"Implementation: Perform input validation for all remote content, including remote and user-generated content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00522","_id":"capec_mitigation/capec_mitigation_00522","_rev":"_dVfOKdO--8","original_id":"139","name":"Relative Path Traversal","metadata":"Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- using an allowlist approach.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00523","_id":"capec_mitigation/capec_mitigation_00523","_rev":"_dVfOKdO--9","original_id":"139","name":"Relative Path Traversal","metadata":"Implementation: Prefer working without user input when using file system calls","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00524","_id":"capec_mitigation/capec_mitigation_00524","_rev":"_dVfOKdO-_-","original_id":"139","name":"Relative Path Traversal","metadata":"Implementation: Use indirect references rather than actual file names.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00525","_id":"capec_mitigation/capec_mitigation_00525","_rev":"_dVfOKdO-__","original_id":"139","name":"Relative Path Traversal","metadata":"Implementation: Use possible permissions on file access when developing and deploying web applications.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00526","_id":"capec_mitigation/capec_mitigation_00526","_rev":"_dVfOKdO-_A","original_id":"141","name":"Cache Poisoning","metadata":"Configuration: Disable client side caching.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00527","_id":"capec_mitigation/capec_mitigation_00527","_rev":"_dVfOKdO-_B","original_id":"141","name":"Cache Poisoning","metadata":"Implementation: Listens for query replies on a network, and sends a notification via email when an entry changes.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00528","_id":"capec_mitigation/capec_mitigation_00528","_rev":"_dVfOKdO-_C","original_id":"142","name":"DNS Cache Poisoning","metadata":"Configuration: Make sure your DNS servers have been updated to the latest versions","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00529","_id":"capec_mitigation/capec_mitigation_00529","_rev":"_dVfOKdO-_D","original_id":"142","name":"DNS Cache Poisoning","metadata":"Configuration: UNIX services like rlogin, rsh/rcp, xhost, and nfs are all susceptible to wrong information being held in a cache. Care should be taken with these services so they do not rely upon DNS caches that have been exposed to the Internet.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00530","_id":"capec_mitigation/capec_mitigation_00530","_rev":"_dVfOKdO-_E","original_id":"142","name":"DNS Cache Poisoning","metadata":"Configuration: Disable client side DNS caching.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00531","_id":"capec_mitigation/capec_mitigation_00531","_rev":"_dVfOKdO-_F","original_id":"146","name":"XML Schema Poisoning","metadata":"Design: Protect the schema against unauthorized modification.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00532","_id":"capec_mitigation/capec_mitigation_00532","_rev":"_dVfOKdO-_G","original_id":"146","name":"XML Schema Poisoning","metadata":"Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the XML document. Additionally, ensure that the proper permissions are set on local files to avoid unauthorized modification.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00533","_id":"capec_mitigation/capec_mitigation_00533","_rev":"_dVfOKdO-_H","original_id":"146","name":"XML Schema Poisoning","metadata":"Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00534","_id":"capec_mitigation/capec_mitigation_00534","_rev":"_dVfOKdO-_I","original_id":"147","name":"XML Ping of the Death","metadata":"Design: Build throttling mechanism into the resource allocation. Provide for a timeout mechanism for allocated resources whose transaction does not complete within a specified interval.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00535","_id":"capec_mitigation/capec_mitigation_00535","_rev":"_dVfOKdO-_J","original_id":"147","name":"XML Ping of the Death","metadata":"Implementation: Provide for network flow control and traffic shaping to control access to the resources.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00536","_id":"capec_mitigation/capec_mitigation_00536","_rev":"_dVfOKdO-_K","original_id":"151","name":"Identity Spoofing","metadata":"Employ robust authentication processes (e.g., multi-factor authentication).","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00537","_id":"capec_mitigation/capec_mitigation_00537","_rev":"_dVfOKdS---","original_id":"154","name":"Resource Location Spoofing","metadata":"Monitor network activity to detect any anomalous or unauthorized communication exchanges.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00538","_id":"capec_mitigation/capec_mitigation_00538","_rev":"_dVfOKdS--_","original_id":"157","name":"Sniffing Attacks","metadata":"Encrypt sensitive information when transmitted on insecure mediums to prevent interception.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00539","_id":"capec_mitigation/capec_mitigation_00539","_rev":"_dVfOKdS--A","original_id":"158","name":"Sniffing Network Traffic","metadata":"Obfuscate network traffic through encryption to prevent its readability by network sniffers.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00540","_id":"capec_mitigation/capec_mitigation_00540","_rev":"_dVfOKdS--B","original_id":"158","name":"Sniffing Network Traffic","metadata":"Employ appropriate levels of segmentation to your network in accordance with best practices.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00541","_id":"capec_mitigation/capec_mitigation_00541","_rev":"_dVfOKdS--C","original_id":"159","name":"Redirect Access to Libraries","metadata":"Implementation: Restrict the permission to modify the entries in the configuration file.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00542","_id":"capec_mitigation/capec_mitigation_00542","_rev":"_dVfOKdS--D","original_id":"159","name":"Redirect Access to Libraries","metadata":"Implementation: Check the integrity of the dynamically linked libraries before use them.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00543","_id":"capec_mitigation/capec_mitigation_00543","_rev":"_dVfOKdS--E","original_id":"159","name":"Redirect Access to Libraries","metadata":"Implementation: Use obfuscation and other techniques to prevent reverse engineering the libraries.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00544","_id":"capec_mitigation/capec_mitigation_00544","_rev":"_dVfOKdS--F","original_id":"163","name":"Spear Phishing","metadata":"Do not follow any links that you receive within your e-mails and certainly do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. A safe practice would also be to type the URL of your bank in the browser directly and only then log in. Also, never reply to any e-mails that ask you to provide sensitive information of any kind.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00545","_id":"capec_mitigation/capec_mitigation_00545","_rev":"_dVfOKdS--G","original_id":"164","name":"Mobile Phishing","metadata":"Do not follow any links that you receive within text messages and do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. Safe practices also include leveraging the entity's mobile application or directly typing the entity's URL in the browser and only then logging in. Never reply to any text messages that ask you to provide sensitive information of any kind.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00548","_id":"capec_mitigation/capec_mitigation_00548","_rev":"_dVfOKdS--H","original_id":"168","name":"Windows ::DATA Alternate Data Stream","metadata":"Design: Use FAT file systems which do not support Alternate Data Streams.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00549","_id":"capec_mitigation/capec_mitigation_00549","_rev":"_dVfOKdS--I","original_id":"168","name":"Windows ::DATA Alternate Data Stream","metadata":"Implementation: Use Vista dir with the -R switch or utility to find Alternate Data Streams and take appropriate action with those discovered.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00550","_id":"capec_mitigation/capec_mitigation_00550","_rev":"_dVfOKdS--J","original_id":"168","name":"Windows ::DATA Alternate Data Stream","metadata":"Implementation: Use products that are Alternate Data Stream aware for virus scanning and system security operations.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00551","_id":"capec_mitigation/capec_mitigation_00551","_rev":"_dVfOKdS--K","original_id":"169","name":"Footprinting","metadata":"Keep patches up to date by installing weekly or daily if possible.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00552","_id":"capec_mitigation/capec_mitigation_00552","_rev":"_dVfOKdS--L","original_id":"169","name":"Footprinting","metadata":"Shut down unnecessary services/ports.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00553","_id":"capec_mitigation/capec_mitigation_00553","_rev":"_dVfOKdS--M","original_id":"169","name":"Footprinting","metadata":"Change default passwords by choosing strong passwords.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00554","_id":"capec_mitigation/capec_mitigation_00554","_rev":"_dVfOKdS--N","original_id":"169","name":"Footprinting","metadata":"Curtail unexpected input.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00555","_id":"capec_mitigation/capec_mitigation_00555","_rev":"_dVfOKdS--O","original_id":"169","name":"Footprinting","metadata":"Encrypt and password-protect sensitive data.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00556","_id":"capec_mitigation/capec_mitigation_00556","_rev":"_dVfOKdS--P","original_id":"169","name":"Footprinting","metadata":"Avoid including information that has the potential to identify and compromise your organization's security such as access to business plans, formulas, and proprietary documents.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00557","_id":"capec_mitigation/capec_mitigation_00557","_rev":"_dVfOKdS--Q","original_id":"170","name":"Web Application Fingerprinting","metadata":"Implementation: Obfuscate server fields of HTTP response.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00558","_id":"capec_mitigation/capec_mitigation_00558","_rev":"_dVfOKdS--R","original_id":"170","name":"Web Application Fingerprinting","metadata":"Implementation: Hide inner ordering of HTTP response header.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00559","_id":"capec_mitigation/capec_mitigation_00559","_rev":"_dVfOKdS--S","original_id":"170","name":"Web Application Fingerprinting","metadata":"Implementation: Customizing HTTP error codes such as 404 or 500.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00560","_id":"capec_mitigation/capec_mitigation_00560","_rev":"_dVfOKdS--T","original_id":"170","name":"Web Application Fingerprinting","metadata":"Implementation: Hide URL file extension.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00561","_id":"capec_mitigation/capec_mitigation_00561","_rev":"_dVfOKdS--U","original_id":"170","name":"Web Application Fingerprinting","metadata":"Implementation: Hide HTTP response header software information filed.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00562","_id":"capec_mitigation/capec_mitigation_00562","_rev":"_dVfOKdS--V","original_id":"170","name":"Web Application Fingerprinting","metadata":"Implementation: Hide cookie's software information filed.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00563","_id":"capec_mitigation/capec_mitigation_00563","_rev":"_dVfOKdS--W","original_id":"170","name":"Web Application Fingerprinting","metadata":"Implementation: Appropriately deal with error messages.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00564","_id":"capec_mitigation/capec_mitigation_00564","_rev":"_dVfOKdS--X","original_id":"170","name":"Web Application Fingerprinting","metadata":"Implementation: Obfuscate database type in Database API's error message.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00565","_id":"capec_mitigation/capec_mitigation_00565","_rev":"_dVfOKdS--Y","original_id":"173","name":"Action Spoofing","metadata":"Avoid interacting with suspicious sites or clicking suspicious links.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00566","_id":"capec_mitigation/capec_mitigation_00566","_rev":"_dVfOKdS--Z","original_id":"173","name":"Action Spoofing","metadata":"An organization should provide regular, robust cybersecurity training to its employees.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00567","_id":"capec_mitigation/capec_mitigation_00567","_rev":"_dVfOKdS--a","original_id":"174","name":"Flash Parameter Injection","metadata":"User input must be sanitized according to context before reflected back to the user. The JavaScript function 'encodeURI' is not always sufficient for sanitizing input intended for global Flash parameters. Extreme caution should be taken when saving user input in Flash cookies. In such cases the Flash file itself will need to be fixed and recompiled, changing the name of the local shared objects (Flash cookies).","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00568","_id":"capec_mitigation/capec_mitigation_00568","_rev":"_dVfOKdS--b","original_id":"178","name":"Cross-Site Flashing","metadata":"Implementation: Only allow known URL to be included as remote flash movies in a flash application","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00569","_id":"capec_mitigation/capec_mitigation_00569","_rev":"_dVfOKdS--c","original_id":"178","name":"Cross-Site Flashing","metadata":"Configuration: Properly configure the crossdomain.xml file to only include the known domains that should host remote flash movies.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00570","_id":"capec_mitigation/capec_mitigation_00570","_rev":"_dVfOKdS--d","original_id":"180","name":"Exploiting Incorrectly Configured Access Control Security Levels","metadata":"Design: Configure the access control correctly.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00571","_id":"capec_mitigation/capec_mitigation_00571","_rev":"_dVfOKdS--e","original_id":"182","name":"Flash Injection","metadata":"Implementation: remove sensitive information such as user name and password in the SWF file.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00572","_id":"capec_mitigation/capec_mitigation_00572","_rev":"_dVfOKdS--f","original_id":"182","name":"Flash Injection","metadata":"Implementation: use validation on both client and server side.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00573","_id":"capec_mitigation/capec_mitigation_00573","_rev":"_dVfOKdS--g","original_id":"182","name":"Flash Injection","metadata":"Implementation: remove debug information.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00574","_id":"capec_mitigation/capec_mitigation_00574","_rev":"_dVfOKdS--h","original_id":"182","name":"Flash Injection","metadata":"Implementation: use SSL when loading external data","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00575","_id":"capec_mitigation/capec_mitigation_00575","_rev":"_dVfOKdS--i","original_id":"182","name":"Flash Injection","metadata":"Implementation: use crossdomain.xml file to allow the application domain to load stuff or the SWF file called by other domain.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00576","_id":"capec_mitigation/capec_mitigation_00576","_rev":"_dVfOKdS--j","original_id":"186","name":"Malicious Software Update","metadata":"Validate software updates before installing.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00577","_id":"capec_mitigation/capec_mitigation_00577","_rev":"_dVfOKdS--k","original_id":"188","name":"Reverse Engineering","metadata":"Employ code obfuscation techniques to prevent the adversary from reverse engineering the targeted entity.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00578","_id":"capec_mitigation/capec_mitigation_00578","_rev":"_dVfOKdS--l","original_id":"193","name":"PHP Remote File Inclusion","metadata":"Implementation: Perform input validation for all remote content, including remote and user-generated content","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00579","_id":"capec_mitigation/capec_mitigation_00579","_rev":"_dVfOKdS--m","original_id":"193","name":"PHP Remote File Inclusion","metadata":"Implementation: Only allow known files to be included (allowlist)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00580","_id":"capec_mitigation/capec_mitigation_00580","_rev":"_dVfOKdS--n","original_id":"193","name":"PHP Remote File Inclusion","metadata":"Implementation: Make use of indirect references passed in URL parameters instead of file names","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00581","_id":"capec_mitigation/capec_mitigation_00581","_rev":"_dVfOKdS--o","original_id":"193","name":"PHP Remote File Inclusion","metadata":"Configuration: Ensure that remote scripts cannot be include in the \"include\" or \"require\" PHP directives","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00582","_id":"capec_mitigation/capec_mitigation_00582","_rev":"_dVfOKdS--p","original_id":"196","name":"Session Credential Falsification through Forging","metadata":"Implementation: Use session IDs that are difficult to guess or brute-force: One way for the attackers to obtain valid session IDs is by brute-forcing or guessing them. By choosing session identifiers that are sufficiently random, brute-forcing or guessing becomes very difficult.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00583","_id":"capec_mitigation/capec_mitigation_00583","_rev":"_dVfOKdS--q","original_id":"196","name":"Session Credential Falsification through Forging","metadata":"Implementation: Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00584","_id":"capec_mitigation/capec_mitigation_00584","_rev":"_dVfOKdS--r","original_id":"197","name":"Exponential Data Expansion","metadata":"Design: Use libraries and templates that minimize unfiltered input. Use methods that limit entity expansion and throw exceptions on attempted entity expansion.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00585","_id":"capec_mitigation/capec_mitigation_00585","_rev":"_dVfOKdS--s","original_id":"197","name":"Exponential Data Expansion","metadata":"Implementation: For XML based data - disable altogether the use of inline DTD schemas when parsing XML objects. If a DTD must be used, normalize, filter and use an allowlist and parse with methods and routines that will detect entity expansion from untrusted sources.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00586","_id":"capec_mitigation/capec_mitigation_00586","_rev":"_dVfOKdS--t","original_id":"198","name":"XSS Targeting Error Pages","metadata":"Design: Use libraries and templates that minimize unfiltered input.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00587","_id":"capec_mitigation/capec_mitigation_00587","_rev":"_dVfOKdS--u","original_id":"198","name":"XSS Targeting Error Pages","metadata":"Implementation: Normalize, filter and use an allowlist for any input that will be used in error messages.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00588","_id":"capec_mitigation/capec_mitigation_00588","_rev":"_dVfOKdS--v","original_id":"198","name":"XSS Targeting Error Pages","metadata":"Implementation: The victim should configure the browser to minimize active content from untrusted sources.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00589","_id":"capec_mitigation/capec_mitigation_00589","_rev":"_dVfOKdS--w","original_id":"199","name":"XSS Using Alternate Syntax","metadata":"Design: Use browser technologies that do not allow client side scripting.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00590","_id":"capec_mitigation/capec_mitigation_00590","_rev":"_dVfOKdS--x","original_id":"199","name":"XSS Using Alternate Syntax","metadata":"Design: Utilize strict type, character, and encoding enforcement","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00591","_id":"capec_mitigation/capec_mitigation_00591","_rev":"_dVfOKdS--y","original_id":"199","name":"XSS Using Alternate Syntax","metadata":"Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00592","_id":"capec_mitigation/capec_mitigation_00592","_rev":"_dVfOKdS--z","original_id":"199","name":"XSS Using Alternate Syntax","metadata":"Implementation: Ensure all content coming from the client is using the same encoding; if not, the server-side application must canonicalize the data before applying any filtering.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00593","_id":"capec_mitigation/capec_mitigation_00593","_rev":"_dVfOKdS--0","original_id":"199","name":"XSS Using Alternate Syntax","metadata":"Implementation: Perform input validation for all remote content, including remote and user-generated content","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00594","_id":"capec_mitigation/capec_mitigation_00594","_rev":"_dVfOKdS--1","original_id":"199","name":"XSS Using Alternate Syntax","metadata":"Implementation: Perform output validation for all remote content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00595","_id":"capec_mitigation/capec_mitigation_00595","_rev":"_dVfOKdS--2","original_id":"199","name":"XSS Using Alternate Syntax","metadata":"Implementation: Disable scripting languages such as JavaScript in browser","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00596","_id":"capec_mitigation/capec_mitigation_00596","_rev":"_dVfOKdS--3","original_id":"199","name":"XSS Using Alternate Syntax","metadata":"Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00597","_id":"capec_mitigation/capec_mitigation_00597","_rev":"_dVfOKdS--4","original_id":"201","name":"Serialized Data External Linking","metadata":"Configure the serialized data processor to only retrieve external entities from trusted sources.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00598","_id":"capec_mitigation/capec_mitigation_00598","_rev":"_dVfOKdS--5","original_id":"203","name":"Manipulate Registry Information","metadata":"Ensure proper permissions are set for Registry hives to prevent users from modifying keys.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00599","_id":"capec_mitigation/capec_mitigation_00599","_rev":"_dVfOKdS--6","original_id":"203","name":"Manipulate Registry Information","metadata":"Employ a robust and layered defensive posture in order to prevent unauthorized users on your system.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00600","_id":"capec_mitigation/capec_mitigation_00600","_rev":"_dVfOKdS--7","original_id":"203","name":"Manipulate Registry Information","metadata":"Employ robust identification and audit/blocking using an allowlist of applications on your system. Unnecessary applications, utilities, and configurations will have a presence in the system registry that can be leveraged by an adversary through this attack pattern.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00601","_id":"capec_mitigation/capec_mitigation_00601","_rev":"_dVfOKdS--8","original_id":"207","name":"Removing Important Client Functionality","metadata":"Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00602","_id":"capec_mitigation/capec_mitigation_00602","_rev":"_dVfOKdS--9","original_id":"207","name":"Removing Important Client Functionality","metadata":"Design: Ship client-side application with integrity checks (code signing) when possible.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00603","_id":"capec_mitigation/capec_mitigation_00603","_rev":"_dVfOKdW---","original_id":"207","name":"Removing Important Client Functionality","metadata":"Design: Use obfuscation and other techniques to prevent reverse engineering the client code.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00604","_id":"capec_mitigation/capec_mitigation_00604","_rev":"_dVfOKdW--_","original_id":"212","name":"Functionality Misuse","metadata":"Perform comprehensive threat modeling, a process of identifying, evaluating, and mitigating potential threats to the application. This effort can help reveal potentially obscure application functionality that can be manipulated for malicious purposes.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00605","_id":"capec_mitigation/capec_mitigation_00605","_rev":"_dVfOKdW--A","original_id":"212","name":"Functionality Misuse","metadata":"When implementing security features, consider how they can be misused and compromised.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00606","_id":"capec_mitigation/capec_mitigation_00606","_rev":"_dVfOKdW--B","original_id":"215","name":"Fuzzing for application mapping","metadata":"Design: Construct a 'code book' for error messages. When using a code book, application error messages aren't generated in string or stack trace form, but are catalogued and replaced with a unique (often integer-based) value 'coding' for the error. Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00607","_id":"capec_mitigation/capec_mitigation_00607","_rev":"_dVfOKdW--C","original_id":"215","name":"Fuzzing for application mapping","metadata":"Design: wrap application functionality (preferably through the underlying framework) in an output encoding scheme that obscures or cleanses error messages to prevent such attacks. Such a technique is often used in conjunction with the above 'code book' suggestion.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00608","_id":"capec_mitigation/capec_mitigation_00608","_rev":"_dVfOKdW--D","original_id":"215","name":"Fuzzing for application mapping","metadata":"Implementation: Obfuscate server fields of HTTP response.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00609","_id":"capec_mitigation/capec_mitigation_00609","_rev":"_dVfOKdW--E","original_id":"215","name":"Fuzzing for application mapping","metadata":"Implementation: Hide inner ordering of HTTP response header.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00610","_id":"capec_mitigation/capec_mitigation_00610","_rev":"_dVfOKdW--F","original_id":"215","name":"Fuzzing for application mapping","metadata":"Implementation: Customizing HTTP error codes such as 404 or 500.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00611","_id":"capec_mitigation/capec_mitigation_00611","_rev":"_dVfOKdW--G","original_id":"215","name":"Fuzzing for application mapping","metadata":"Implementation: Hide HTTP response header software information filed.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00612","_id":"capec_mitigation/capec_mitigation_00612","_rev":"_dVfOKdW--H","original_id":"215","name":"Fuzzing for application mapping","metadata":"Implementation: Hide cookie's software information filed.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00613","_id":"capec_mitigation/capec_mitigation_00613","_rev":"_dVfOKdW--I","original_id":"215","name":"Fuzzing for application mapping","metadata":"Implementation: Obfuscate database type in Database API's error message.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00614","_id":"capec_mitigation/capec_mitigation_00614","_rev":"_dVfOKdW--J","original_id":"216","name":"Communication Channel Manipulation","metadata":"Encrypt all sensitive communications using properly-configured cryptography.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00615","_id":"capec_mitigation/capec_mitigation_00615","_rev":"_dVfOKdW--K","original_id":"216","name":"Communication Channel Manipulation","metadata":"Design the communication system such that it associates proper authentication/authorization with each channel/message.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00616","_id":"capec_mitigation/capec_mitigation_00616","_rev":"_dVfOKdW--L","original_id":"217","name":"Exploiting Incorrectly Configured SSL","metadata":"Usage of configuration settings, such as stream ciphers vs. block ciphers and setting timeouts on SSL sessions to extremely low values lessens the potential impact. Use of later versions of TLS (e.g. TLS 1.1+) can also be effective, but not all clients or servers support the later versions.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00617","_id":"capec_mitigation/capec_mitigation_00617","_rev":"_dVfOKdW--M","original_id":"218","name":"Spoofing of UDDI/ebXML Messages","metadata":"Implementation: Clients should only trust UDDI, ebXML, or similar messages that are verifiably signed by a trusted party.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00618","_id":"capec_mitigation/capec_mitigation_00618","_rev":"_dVfOKdW--N","original_id":"219","name":"XML Routing Detour Attacks","metadata":"Design: Specify maximum number intermediate nodes for the request and require SSL connections with mutual authentication.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00619","_id":"capec_mitigation/capec_mitigation_00619","_rev":"_dVfOKdW--O","original_id":"219","name":"XML Routing Detour Attacks","metadata":"Implementation: Use SSL for connections between all parties with mutual authentication.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00620","_id":"capec_mitigation/capec_mitigation_00620","_rev":"_dVfOKdW--P","original_id":"221","name":"Data Serialization External Entities Blowup","metadata":"This attack may be mitigated by tweaking the XML parser to not resolve external entities. If external entities are needed, then implement a custom XmlResolver that has a request timeout, data retrieval limit, and restrict resources it can retrieve locally.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00621","_id":"capec_mitigation/capec_mitigation_00621","_rev":"_dVfOKdW--Q","original_id":"221","name":"Data Serialization External Entities Blowup","metadata":"This attack may be mitigated by tweaking the serialized data parser to not resolve external entities. If external entities are needed, then implement a custom resolver that has a request timeout, data retrieval limit, and restrict resources it can retrieve locally.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00622","_id":"capec_mitigation/capec_mitigation_00622","_rev":"_dVfOKdW--R","original_id":"222","name":"iFrame Overlay","metadata":"Configuration: Disable iFrames in the Web browser.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00623","_id":"capec_mitigation/capec_mitigation_00623","_rev":"_dVfOKdW--S","original_id":"222","name":"iFrame Overlay","metadata":"Operation: When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00624","_id":"capec_mitigation/capec_mitigation_00624","_rev":"_dVfOKdW--T","original_id":"222","name":"iFrame Overlay","metadata":"Operation: If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00625","_id":"capec_mitigation/capec_mitigation_00625","_rev":"_dVfOKdW--U","original_id":"224","name":"Fingerprinting","metadata":"While some information is shared by systems automatically based on standards and protocols, remove potentially sensitive information that is not necessary for the application's functionality as much as possible.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00626","_id":"capec_mitigation/capec_mitigation_00626","_rev":"_dVfOKdW--V","original_id":"227","name":"Sustained Client Engagement","metadata":"Potential mitigations include requiring a unique login for each resource request, constraining local unprivileged access by disallowing simultaneous engagements of the resource, or limiting access to the resource to one access per IP address. In such scenarios, the adversary would have to increase engagements either by launching multiple sessions manually or programmatically to counter such defenses.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00627","_id":"capec_mitigation/capec_mitigation_00627","_rev":"_dVfOKdW--W","original_id":"228","name":"DTD Injection","metadata":"Design: Sanitize incoming DTDs to prevent excessive expansion or other actions that could result in impacts like resource depletion.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00628","_id":"capec_mitigation/capec_mitigation_00628","_rev":"_dVfOKdW--X","original_id":"228","name":"DTD Injection","metadata":"Implementation: Disallow the inclusion of DTDs as part of incoming messages.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00629","_id":"capec_mitigation/capec_mitigation_00629","_rev":"_dVfOKdW--Y","original_id":"228","name":"DTD Injection","metadata":"Implementation: Use XML parsing tools that protect against DTD attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00630","_id":"capec_mitigation/capec_mitigation_00630","_rev":"_dVfOKdW--Z","original_id":"229","name":"Serialized Data Parameter Blowup","metadata":"This attack may be mitigated completely by using a parser that is not using a vulnerable container.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00631","_id":"capec_mitigation/capec_mitigation_00631","_rev":"_dVfOKdW--a","original_id":"229","name":"Serialized Data Parameter Blowup","metadata":"Mitigation may limit the number of configuration parameters per dataset.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00632","_id":"capec_mitigation/capec_mitigation_00632","_rev":"_dVfOKdW--b","original_id":"230","name":"Serialized Data with Nested Payloads","metadata":"Carefully validate and sanitize all user-controllable data prior to passing it to the data parser routine. Ensure that the resultant data is safe to pass to the data parser.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00633","_id":"capec_mitigation/capec_mitigation_00633","_rev":"_dVfOKdW--c","original_id":"230","name":"Serialized Data with Nested Payloads","metadata":"Perform validation on canonical data.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00634","_id":"capec_mitigation/capec_mitigation_00634","_rev":"_dVfOKdW--d","original_id":"230","name":"Serialized Data with Nested Payloads","metadata":"Pick a robust implementation of the data parser.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00636","_id":"capec_mitigation/capec_mitigation_00636","_rev":"_dVfOKdW--e","original_id":"231","name":"Oversized Serialized Data Payloads","metadata":"Carefully validate and sanitize all user-controllable serialized data prior to passing it to the parser routine. Ensure that the resultant data is safe to pass to the parser.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00637","_id":"capec_mitigation/capec_mitigation_00637","_rev":"_dVfOKdW--f","original_id":"231","name":"Oversized Serialized Data Payloads","metadata":"Perform validation on canonical data.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00638","_id":"capec_mitigation/capec_mitigation_00638","_rev":"_dVfOKdW--g","original_id":"231","name":"Oversized Serialized Data Payloads","metadata":"Pick a robust implementation of the serialized data parser.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00639","_id":"capec_mitigation/capec_mitigation_00639","_rev":"_dVfOKdW--h","original_id":"231","name":"Oversized Serialized Data Payloads","metadata":"Validate data against a valid schema or DTD prior to parsing.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00641","_id":"capec_mitigation/capec_mitigation_00641","_rev":"_dVfOKdW--i","original_id":"237","name":"Escaping a Sandbox by Calling Code in Another Language","metadata":"Assurance: Sanitize the code of the standard libraries to make sure there is no security weaknesses in them.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00642","_id":"capec_mitigation/capec_mitigation_00642","_rev":"_dVfOKdW--j","original_id":"237","name":"Escaping a Sandbox by Calling Code in Another Language","metadata":"Design: Use obfuscation and other techniques to prevent reverse engineering the standard libraries.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00643","_id":"capec_mitigation/capec_mitigation_00643","_rev":"_dVfOKdW--k","original_id":"237","name":"Escaping a Sandbox by Calling Code in Another Language","metadata":"Assurance: Use static analysis tool to do code review and dynamic tool to do penetration test on the standard library.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00644","_id":"capec_mitigation/capec_mitigation_00644","_rev":"_dVfOKdW--l","original_id":"237","name":"Escaping a Sandbox by Calling Code in Another Language","metadata":"Configuration: Get latest updates for the computer.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00645","_id":"capec_mitigation/capec_mitigation_00645","_rev":"_dVfOKdW--m","original_id":"240","name":"Resource Injection","metadata":"Ensure all input content that is delivered to client is sanitized against an acceptable content specification.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00646","_id":"capec_mitigation/capec_mitigation_00646","_rev":"_dVfOKdW--n","original_id":"240","name":"Resource Injection","metadata":"Perform input validation for all content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00647","_id":"capec_mitigation/capec_mitigation_00647","_rev":"_dVfOKdW--o","original_id":"240","name":"Resource Injection","metadata":"Enforce regular patching of software.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00648","_id":"capec_mitigation/capec_mitigation_00648","_rev":"_dVfOKdW--p","original_id":"242","name":"Code Injection","metadata":"Utilize strict type, character, and encoding enforcement","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00649","_id":"capec_mitigation/capec_mitigation_00649","_rev":"_dVfOKdW--q","original_id":"242","name":"Code Injection","metadata":"Ensure all input content that is delivered to client is sanitized against an acceptable content specification.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00650","_id":"capec_mitigation/capec_mitigation_00650","_rev":"_dVfOKdW--r","original_id":"242","name":"Code Injection","metadata":"Perform input validation for all content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00651","_id":"capec_mitigation/capec_mitigation_00651","_rev":"_dVfOKdW--s","original_id":"242","name":"Code Injection","metadata":"Enforce regular patching of software.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00652","_id":"capec_mitigation/capec_mitigation_00652","_rev":"_dVfOKdW--t","original_id":"243","name":"XSS Targeting HTML Attributes","metadata":"Design: Use libraries and templates that minimize unfiltered input.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00653","_id":"capec_mitigation/capec_mitigation_00653","_rev":"_dVfOKdW--u","original_id":"243","name":"XSS Targeting HTML Attributes","metadata":"Implementation: Normalize, filter and use an allowlist for all input including that which is not expected to have any scripting content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00654","_id":"capec_mitigation/capec_mitigation_00654","_rev":"_dVfOKdW--v","original_id":"243","name":"XSS Targeting HTML Attributes","metadata":"Implementation: The victim should configure the browser to minimize active content from untrusted sources.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00655","_id":"capec_mitigation/capec_mitigation_00655","_rev":"_dVfOKdW--w","original_id":"244","name":"XSS Targeting URI Placeholders","metadata":"Design: Use browser technologies that do not allow client side scripting.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00656","_id":"capec_mitigation/capec_mitigation_00656","_rev":"_dVfOKdW--x","original_id":"244","name":"XSS Targeting URI Placeholders","metadata":"Design: Utilize strict type, character, and encoding enforcement.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00657","_id":"capec_mitigation/capec_mitigation_00657","_rev":"_dVfOKdW--y","original_id":"244","name":"XSS Targeting URI Placeholders","metadata":"Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00658","_id":"capec_mitigation/capec_mitigation_00658","_rev":"_dVfOKdW--z","original_id":"244","name":"XSS Targeting URI Placeholders","metadata":"Implementation: Ensure all content coming from the client is using the same encoding; if not, the server-side application must canonicalize the data before applying any filtering.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00659","_id":"capec_mitigation/capec_mitigation_00659","_rev":"_dVfOKdW--0","original_id":"244","name":"XSS Targeting URI Placeholders","metadata":"Implementation: Perform input validation for all remote content, including remote and user-generated content","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00660","_id":"capec_mitigation/capec_mitigation_00660","_rev":"_dVfOKdW--1","original_id":"244","name":"XSS Targeting URI Placeholders","metadata":"Implementation: Perform output validation for all remote content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00661","_id":"capec_mitigation/capec_mitigation_00661","_rev":"_dVfOKdW--2","original_id":"244","name":"XSS Targeting URI Placeholders","metadata":"Implementation: Disable scripting languages such as JavaScript in browser","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00662","_id":"capec_mitigation/capec_mitigation_00662","_rev":"_dVfOKdW--3","original_id":"244","name":"XSS Targeting URI Placeholders","metadata":"Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00663","_id":"capec_mitigation/capec_mitigation_00663","_rev":"_dVfOKdW--4","original_id":"245","name":"XSS Using Doubled Characters","metadata":"Design: Use libraries and templates that minimize unfiltered input.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00664","_id":"capec_mitigation/capec_mitigation_00664","_rev":"_dVfOKdW--5","original_id":"245","name":"XSS Using Doubled Characters","metadata":"Implementation: Normalize, filter and sanitize all user supplied fields.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00665","_id":"capec_mitigation/capec_mitigation_00665","_rev":"_dVfOKdW--6","original_id":"245","name":"XSS Using Doubled Characters","metadata":"Implementation: The victim should configure the browser to minimize active content from untrusted sources.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00666","_id":"capec_mitigation/capec_mitigation_00666","_rev":"_dVfOKdW--7","original_id":"247","name":"XSS Using Invalid Characters","metadata":"Design: Use libraries and templates that minimize unfiltered input.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00667","_id":"capec_mitigation/capec_mitigation_00667","_rev":"_dVfOKdW--8","original_id":"247","name":"XSS Using Invalid Characters","metadata":"Implementation: Normalize, filter and use an allowlist for any input that will be included in any subsequent web pages or back end operations.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00668","_id":"capec_mitigation/capec_mitigation_00668","_rev":"_dVfOKdW--9","original_id":"247","name":"XSS Using Invalid Characters","metadata":"Implementation: The victim should configure the browser to minimize active content from untrusted sources.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00669","_id":"capec_mitigation/capec_mitigation_00669","_rev":"_dVfOKdW-_-","original_id":"248","name":"Command Injection","metadata":"All user-controllable input should be validated and filtered for potentially unwanted characters. Using an allowlist for input is desired, but if use of a denylist approach is necessary, then focusing on command related terms and delimiters is necessary.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00670","_id":"capec_mitigation/capec_mitigation_00670","_rev":"_dVfOKdW-__","original_id":"248","name":"Command Injection","metadata":"Input should be encoded prior to use in commands to make sure command related characters are not treated as part of the command. For example, quotation characters may need to be encoded so that the application does not treat the quotation as a delimiter.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00671","_id":"capec_mitigation/capec_mitigation_00671","_rev":"_dVfOKdW-_A","original_id":"248","name":"Command Injection","metadata":"Input should be parameterized, or restricted to data sections of a command, thus removing the chance that the input will be treated as part of the command itself.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00672","_id":"capec_mitigation/capec_mitigation_00672","_rev":"_dVfOKdW-_B","original_id":"250","name":"XML Injection","metadata":"Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as content that can be interpreted in the context of an XML data or a query.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00673","_id":"capec_mitigation/capec_mitigation_00673","_rev":"_dVfOKdW-_C","original_id":"250","name":"XML Injection","metadata":"Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00675","_id":"capec_mitigation/capec_mitigation_00675","_rev":"_dVfOKdW-_D","original_id":"251","name":"Local Code Inclusion","metadata":"Implementation: Avoid passing user input to filesystem or framework API. If necessary to do so, implement a specific, allowlist approach.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00676","_id":"capec_mitigation/capec_mitigation_00676","_rev":"_dVfOKdW-_E","original_id":"253","name":"Remote Code Inclusion","metadata":"Minimize attacks by input validation and sanitization of any user data that will be used by the target application to locate a remote file to be included.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00677","_id":"capec_mitigation/capec_mitigation_00677","_rev":"_dVfOKdW-_F","original_id":"256","name":"SOAP Array Overflow","metadata":"If the server either verifies the correctness of the stated array size or if the server stops processing an array once the stated number of elements have been read, regardless of the actual array size, then this attack will fail. The former detects the malformed SOAP message while the latter ensures that the server does not attempt to load more data than was allocated for.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00678","_id":"capec_mitigation/capec_mitigation_00678","_rev":"_dVfOKdW-_G","original_id":"267","name":"Leverage Alternate Encoding","metadata":"Assume all input might use an improper representation. Use canonicalized data inside the application; all data must be converted into the representation used inside the application (UTF-8, UTF-16, etc.)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00679","_id":"capec_mitigation/capec_mitigation_00679","_rev":"_dVfOKdW-_H","original_id":"267","name":"Leverage Alternate Encoding","metadata":"Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00680","_id":"capec_mitigation/capec_mitigation_00680","_rev":"_dVfOKdW-_I","original_id":"270","name":"Modification of Registry Run Keys","metadata":"Identify programs that may be used to acquire process information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00681","_id":"capec_mitigation/capec_mitigation_00681","_rev":"_dVfOKda---","original_id":"271","name":"Schema Poisoning","metadata":"Design: Protect the schema against unauthorized modification.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00682","_id":"capec_mitigation/capec_mitigation_00682","_rev":"_dVfOKda--_","original_id":"271","name":"Schema Poisoning","metadata":"Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the schema document.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00683","_id":"capec_mitigation/capec_mitigation_00683","_rev":"_dVfOKda--A","original_id":"271","name":"Schema Poisoning","metadata":"Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00684","_id":"capec_mitigation/capec_mitigation_00684","_rev":"_dVfOKda--B","original_id":"273","name":"HTTP Response Smuggling","metadata":"Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00685","_id":"capec_mitigation/capec_mitigation_00685","_rev":"_dVfOKda--C","original_id":"273","name":"HTTP Response Smuggling","metadata":"Configuration: front-end HTTP agents notice ambiguous requests.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00686","_id":"capec_mitigation/capec_mitigation_00686","_rev":"_dVfOKda--D","original_id":"273","name":"HTTP Response Smuggling","metadata":"Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00687","_id":"capec_mitigation/capec_mitigation_00687","_rev":"_dVfOKda--E","original_id":"273","name":"HTTP Response Smuggling","metadata":"Configuration: Disable reuse of back-end connections.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00688","_id":"capec_mitigation/capec_mitigation_00688","_rev":"_dVfOKda--F","original_id":"273","name":"HTTP Response Smuggling","metadata":"Configuration: Use HTTP/2 for back-end connections.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00689","_id":"capec_mitigation/capec_mitigation_00689","_rev":"_dVfOKda--G","original_id":"273","name":"HTTP Response Smuggling","metadata":"Configuration: Use the same web server software for front-end and back-end server.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00690","_id":"capec_mitigation/capec_mitigation_00690","_rev":"_dVfOKda--H","original_id":"273","name":"HTTP Response Smuggling","metadata":"Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00691","_id":"capec_mitigation/capec_mitigation_00691","_rev":"_dVfOKda--I","original_id":"273","name":"HTTP Response Smuggling","metadata":"Configuration: Prioritize Transfer-Encoding header over Content-Length, whenever an HTTP message contains both.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00692","_id":"capec_mitigation/capec_mitigation_00692","_rev":"_dVfOKda--J","original_id":"273","name":"HTTP Response Smuggling","metadata":"Configuration: Disallow HTTP messages with both Transfer-Encoding and Content-Length or Double Content-Length Headers.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00693","_id":"capec_mitigation/capec_mitigation_00693","_rev":"_dVfOKda--K","original_id":"273","name":"HTTP Response Smuggling","metadata":"Configuration: Disallow Malformed/Invalid Transfer-Encoding Headers used in obfuscation, such as:\n Headers with no space before the value “chunked”\n Headers with extra spaces\n Headers beginning with trailing characters\n Headers providing a value “chunk” instead of “chunked” (the server normalizes this as chunked encoding)\n Headers with multiple spaces before the value “chunked”\n Headers with quoted values (whether single or double quotations)\n Headers with CRLF characters before the value “chunked”\n Values with invalid characters\n \n ","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00694","_id":"capec_mitigation/capec_mitigation_00694","_rev":"_dVfOKda--L","original_id":"273","name":"HTTP Response Smuggling","metadata":"Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00695","_id":"capec_mitigation/capec_mitigation_00695","_rev":"_dVfOKda--M","original_id":"273","name":"HTTP Response Smuggling","metadata":"Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00696","_id":"capec_mitigation/capec_mitigation_00696","_rev":"_dVfOKda--N","original_id":"273","name":"HTTP Response Smuggling","metadata":"Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00698","_id":"capec_mitigation/capec_mitigation_00698","_rev":"_dVfOKda--O","original_id":"274","name":"HTTP Verb Tampering","metadata":"Design: Ensure that only legitimate HTTP verbs are allowed.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00699","_id":"capec_mitigation/capec_mitigation_00699","_rev":"_dVfOKda--P","original_id":"274","name":"HTTP Verb Tampering","metadata":"Design: Do not use HTTP verbs as factors in access decisions.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00700","_id":"capec_mitigation/capec_mitigation_00700","_rev":"_dVfOKda--Q","original_id":"275","name":"DNS Rebinding","metadata":"Design: IP Pinning causes browsers to record the IP address to which a given name resolves and continue using this address regardless of the TTL set in the DNS response. Unfortunately, this is incompatible with the design of some legitimate sites.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00701","_id":"capec_mitigation/capec_mitigation_00701","_rev":"_dVfOKda--R","original_id":"275","name":"DNS Rebinding","metadata":"Implementation: Reject HTTP request with a malicious Host header.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00702","_id":"capec_mitigation/capec_mitigation_00702","_rev":"_dVfOKda--S","original_id":"275","name":"DNS Rebinding","metadata":"Implementation: Employ DNS resolvers that prevent external names from resolving to internal addresses.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00703","_id":"capec_mitigation/capec_mitigation_00703","_rev":"_dVfOKda--T","original_id":"278","name":"Web Services Protocol Manipulation","metadata":"Design: Range, size and value and consistency verification for any arguments supplied to applications and services from external sources and devise appropriate error response.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00704","_id":"capec_mitigation/capec_mitigation_00704","_rev":"_dVfOKda--U","original_id":"278","name":"Web Services Protocol Manipulation","metadata":"Design: Ensure that function calls that should not be called by an unprivileged user are not accessible to them.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00705","_id":"capec_mitigation/capec_mitigation_00705","_rev":"_dVfOKda--V","original_id":"285","name":"ICMP Echo Request Ping","metadata":"Consider configuring firewall rules to block ICMP Echo requests and prevent replies. If not practical, monitor and consider action when a system has fast and a repeated pattern of requests that move incrementally through port numbers.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00706","_id":"capec_mitigation/capec_mitigation_00706","_rev":"_dVfOKda--W","original_id":"297","name":"TCP ACK Ping","metadata":"Leverage stateful firewalls that allow for the rejection of a packet that is not part of an existing connection.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00707","_id":"capec_mitigation/capec_mitigation_00707","_rev":"_dVfOKda--X","original_id":"298","name":"UDP Ping","metadata":"Configure your firewall to block egress ICMP messages.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00708","_id":"capec_mitigation/capec_mitigation_00708","_rev":"_dVfOKda--Y","original_id":"301","name":"TCP Connect Scan","metadata":"Employ a robust network defense posture that includes an IDS/IPS system.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00709","_id":"capec_mitigation/capec_mitigation_00709","_rev":"_dVfOKda--Z","original_id":"302","name":"TCP FIN Scan","metadata":"FIN scans are detected via heuristic (non-signature) based algorithms, much in the same way as other scan types are detected. An IDS/IPS system with heuristic algorithms is required to detect them.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00710","_id":"capec_mitigation/capec_mitigation_00710","_rev":"_dVfOKda--a","original_id":"303","name":"TCP Xmas Scan","metadata":"Employ a robust network defensive posture that includes a managed IDS/IPS.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00711","_id":"capec_mitigation/capec_mitigation_00711","_rev":"_dVfOKda--b","original_id":"304","name":"TCP Null Scan","metadata":"Employ a robust network defensive posture that includes a managed IDS/IPS.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00712","_id":"capec_mitigation/capec_mitigation_00712","_rev":"_dVfOKda--c","original_id":"307","name":"TCP RPC Scan","metadata":"Typically, an IDS/IPS system is very effective against this type of attack.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00713","_id":"capec_mitigation/capec_mitigation_00713","_rev":"_dVfOKda--d","original_id":"308","name":"UDP Scan","metadata":"Firewalls or ACLs which block egress ICMP error types effectively prevent UDP scans from returning any useful information.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00714","_id":"capec_mitigation/capec_mitigation_00714","_rev":"_dVfOKda--e","original_id":"308","name":"UDP Scan","metadata":"UDP scanning is complicated by rate limiting mechanisms governing ICMP error messages.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00715","_id":"capec_mitigation/capec_mitigation_00715","_rev":"_dVfOKda--f","original_id":"383","name":"Harvesting Information via API Event Monitoring","metadata":"Leverage encryption techniques during information transactions so as to protect them from attack patterns of this kind.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00716","_id":"capec_mitigation/capec_mitigation_00716","_rev":"_dVfOKda--g","original_id":"407","name":"Pretexting","metadata":"An organization should provide regular, robust cybersecurity training to its employees to prevent successful social engineering attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00717","_id":"capec_mitigation/capec_mitigation_00717","_rev":"_dVfOKda--h","original_id":"416","name":"Manipulate Human Behavior","metadata":"An organization should provide regular, robust cybersecurity training to its employees to prevent successful social engineering attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00718","_id":"capec_mitigation/capec_mitigation_00718","_rev":"_dVfOKda--i","original_id":"417","name":"Influence Perception","metadata":"An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00719","_id":"capec_mitigation/capec_mitigation_00719","_rev":"_dVfOKda--j","original_id":"418","name":"Influence Perception of Reciprocation","metadata":"An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00720","_id":"capec_mitigation/capec_mitigation_00720","_rev":"_dVfOKda--k","original_id":"420","name":"Influence Perception of Scarcity","metadata":"An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00721","_id":"capec_mitigation/capec_mitigation_00721","_rev":"_dVfOKda--l","original_id":"421","name":"Influence Perception of Authority","metadata":"An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00722","_id":"capec_mitigation/capec_mitigation_00722","_rev":"_dVfOKda--m","original_id":"422","name":"Influence Perception of Commitment and Consistency","metadata":"An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00723","_id":"capec_mitigation/capec_mitigation_00723","_rev":"_dVfOKda--n","original_id":"422","name":"Influence Perception of Commitment and Consistency","metadata":"Individuals should avoid complying with suspicious requests.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00724","_id":"capec_mitigation/capec_mitigation_00724","_rev":"_dVfOKda--o","original_id":"423","name":"Influence Perception of Liking","metadata":"An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00725","_id":"capec_mitigation/capec_mitigation_00725","_rev":"_dVfOKda--p","original_id":"424","name":"Influence Perception of Consensus or Social Proof","metadata":"An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00726","_id":"capec_mitigation/capec_mitigation_00726","_rev":"_dVfOKda--q","original_id":"425","name":"Target Influence via Framing","metadata":"An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00727","_id":"capec_mitigation/capec_mitigation_00727","_rev":"_dVfOKda--r","original_id":"425","name":"Target Influence via Framing","metadata":"Avoid sharing unnecessary information during interactions beyond what is absolutely required for effective communication.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00728","_id":"capec_mitigation/capec_mitigation_00728","_rev":"_dVfOKda--s","original_id":"426","name":"Influence via Incentives","metadata":"An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00729","_id":"capec_mitigation/capec_mitigation_00729","_rev":"_dVfOKda--t","original_id":"427","name":"Influence via Psychological Principles","metadata":"An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00730","_id":"capec_mitigation/capec_mitigation_00730","_rev":"_dVfOKda--u","original_id":"442","name":"Infected Software","metadata":"Leverage anti-virus products to detect and quarantine software with known virus.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00731","_id":"capec_mitigation/capec_mitigation_00731","_rev":"_dVfOKda--v","original_id":"443","name":"Malicious Logic Inserted Into Product Software by Authorized Developer","metadata":"Assess software during development and prior to deployment to ensure that it functions as intended and without any malicious functionality.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00732","_id":"capec_mitigation/capec_mitigation_00732","_rev":"_dVfOKda--w","original_id":"444","name":"Development Alteration","metadata":"Assess software and software components during development and prior to deployment to ensure that they function as intended and without any malicious functionality.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00733","_id":"capec_mitigation/capec_mitigation_00733","_rev":"_dVfOKde---","original_id":"445","name":"Malicious Logic Insertion into Product Software via Configuration Management Manipulation","metadata":"Assess software during development and prior to deployment to ensure that it functions as intended and without any malicious functionality.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00734","_id":"capec_mitigation/capec_mitigation_00734","_rev":"_dVfOKde--_","original_id":"445","name":"Malicious Logic Insertion into Product Software via Configuration Management Manipulation","metadata":"Leverage anti-virus products to detect and quarantine software with known virus.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00735","_id":"capec_mitigation/capec_mitigation_00735","_rev":"_dVfOKde--A","original_id":"446","name":"Malicious Logic Insertion into Product Software via Inclusion of 3rd Party Component Dependency","metadata":"Assess software during development and prior to deployment to ensure that it functions as intended and without any malicious functionality.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00736","_id":"capec_mitigation/capec_mitigation_00736","_rev":"_dVfOKde--B","original_id":"447","name":"Design Alteration","metadata":"Assess design documentation prior to development to ensure that they function as intended and without any malicious functionality.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00737","_id":"capec_mitigation/capec_mitigation_00737","_rev":"_dVfOKde--C","original_id":"447","name":"Design Alteration","metadata":"Ensure that design documentation is saved in a secure location and has proper access controls set in place to avoid unnecessary modification.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00738","_id":"capec_mitigation/capec_mitigation_00738","_rev":"_dVfOKde--D","original_id":"448","name":"Embed Virus into DLL","metadata":"Leverage anti-virus products to detect and quarantine software with known virus.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00739","_id":"capec_mitigation/capec_mitigation_00739","_rev":"_dVfOKde--E","original_id":"456","name":"Infected Memory","metadata":"Leverage anti-virus products to detect stop operations with known virus.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00740","_id":"capec_mitigation/capec_mitigation_00740","_rev":"_dVfOKde--F","original_id":"457","name":"USB Memory Attacks","metadata":"Ensure that proper, physical system access is regulated to prevent an adversary from physically connecting a malicious USB device themself.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00741","_id":"capec_mitigation/capec_mitigation_00741","_rev":"_dVfOKde--G","original_id":"457","name":"USB Memory Attacks","metadata":"Use anti-virus and anti-malware tools which can prevent malware from executing if it finds its way onto a target system. Additionally, make sure these tools are regularly updated to contain up-to-date virus and malware signatures.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00742","_id":"capec_mitigation/capec_mitigation_00742","_rev":"_dVfOKde--H","original_id":"457","name":"USB Memory Attacks","metadata":"Do not connect untrusted USB devices to systems connected on an organizational network. Additionally, use an isolated testing machine to validate untrusted devices and confirm malware does not exist.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00743","_id":"capec_mitigation/capec_mitigation_00743","_rev":"_dVfOKde--I","original_id":"459","name":"Creating a Rogue Certification Authority Certificate","metadata":"Certification Authorities need to stop using deprecated or cryptographically insecure hashing algorithms to hash the certificates that they are about to sign. Instead they should be using stronger hashing functions such as SHA-256 or SHA-512.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00744","_id":"capec_mitigation/capec_mitigation_00744","_rev":"_dVfOKde--J","original_id":"460","name":"HTTP Parameter Pollution (HPP)","metadata":"Configuration: If using a Web Application Firewall (WAF), filters should be carefully configured to detect abnormal HTTP requests","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00745","_id":"capec_mitigation/capec_mitigation_00745","_rev":"_dVfOKde--K","original_id":"460","name":"HTTP Parameter Pollution (HPP)","metadata":"Design: Perform URL encoding","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00746","_id":"capec_mitigation/capec_mitigation_00746","_rev":"_dVfOKde--L","original_id":"460","name":"HTTP Parameter Pollution (HPP)","metadata":"Implementation: Use strict regular expressions in URL rewriting","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00747","_id":"capec_mitigation/capec_mitigation_00747","_rev":"_dVfOKde--M","original_id":"460","name":"HTTP Parameter Pollution (HPP)","metadata":"Implementation: Beware of multiple occurrences of a parameter in a Query String","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00748","_id":"capec_mitigation/capec_mitigation_00748","_rev":"_dVfOKde--N","original_id":"461","name":"Web Services API Signature Forgery Leveraging Hash Function Extension Weakness","metadata":"Design: Use a secure message authentication code (MAC) function such as an HMAC-SHA1","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00749","_id":"capec_mitigation/capec_mitigation_00749","_rev":"_dVfOKde--O","original_id":"462","name":"Cross-Domain Search Timing","metadata":"Design: The victim's site could protect all potentially sensitive functionality (e.g. search functions) with cross site request forgery (CSRF) protection and not perform any work on behalf of forged requests","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00750","_id":"capec_mitigation/capec_mitigation_00750","_rev":"_dVfOKde--P","original_id":"462","name":"Cross-Domain Search Timing","metadata":"Design: The browser's security model could be fixed to not leak timing information for cross domain requests","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00751","_id":"capec_mitigation/capec_mitigation_00751","_rev":"_dVfOKde--Q","original_id":"463","name":"Padding Oracle Crypto Attack","metadata":"Design: Use a message authentication code (MAC) or another mechanism to perform verification of message authenticity / integrity prior to decryption","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00752","_id":"capec_mitigation/capec_mitigation_00752","_rev":"_dVfOKde--R","original_id":"463","name":"Padding Oracle Crypto Attack","metadata":"Implementation: Do not leak information back to the user as to any cryptography (e.g., padding) encountered during decryption.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00753","_id":"capec_mitigation/capec_mitigation_00753","_rev":"_dVfOKde--S","original_id":"464","name":"Evercookie","metadata":"Design: Browser's design needs to be changed to limit where cookies can be stored on the client side and provide an option to clear these cookies in all places, as well as another option to stop these cookies from being written in the first place.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00754","_id":"capec_mitigation/capec_mitigation_00754","_rev":"_dVfOKde--T","original_id":"464","name":"Evercookie","metadata":"Design: Safari browser's private browsing mode is currently effective against evercookies.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00755","_id":"capec_mitigation/capec_mitigation_00755","_rev":"_dVfOKde--U","original_id":"465","name":"Transparent Proxy Abuse","metadata":"Design: Ensure that the transparent proxy uses an actual network layer IP address for routing requests. On the transparent proxy, disable the use of routing based on address information in the HTTP host header.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00756","_id":"capec_mitigation/capec_mitigation_00756","_rev":"_dVfOKde--V","original_id":"465","name":"Transparent Proxy Abuse","metadata":"Configuration: Disable in the browser the execution of Java Script, Flash, SilverLight, etc.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00757","_id":"capec_mitigation/capec_mitigation_00757","_rev":"_dVfOKde--W","original_id":"466","name":"Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy","metadata":"Design: Tunnel communications through a secure proxy","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00758","_id":"capec_mitigation/capec_mitigation_00758","_rev":"_dVfOKde--X","original_id":"466","name":"Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy","metadata":"Design: Trust level separation for privileged / non privileged interactions (e.g., two different browsers, two different users, two different operating systems, two different virtual machines)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00759","_id":"capec_mitigation/capec_mitigation_00759","_rev":"_dVfOKde--Y","original_id":"467","name":"Cross Site Identification","metadata":"Usage: Users should always explicitly log out from the social networking sites when done using them.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00760","_id":"capec_mitigation/capec_mitigation_00760","_rev":"_dVfOKde--Z","original_id":"467","name":"Cross Site Identification","metadata":"Usage: Users should not open other tabs in the browser when using a social networking site.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00761","_id":"capec_mitigation/capec_mitigation_00761","_rev":"_dVfOKde--a","original_id":"468","name":"Generic Cross-Browser Cross-Domain Theft","metadata":"Design: Prior to performing CSS parsing, require the CSS to start with well-formed CSS when it is a cross-domain load and the MIME type is broken. This is a browser level fix.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00762","_id":"capec_mitigation/capec_mitigation_00762","_rev":"_dVfOKde--b","original_id":"468","name":"Generic Cross-Browser Cross-Domain Theft","metadata":"Implementation: Perform proper HTML encoding and URL escaping","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00763","_id":"capec_mitigation/capec_mitigation_00763","_rev":"_dVfOKde--c","original_id":"469","name":"HTTP DoS","metadata":"Configuration: Configure web server software to limit the waiting period on opened HTTP sessions","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00764","_id":"capec_mitigation/capec_mitigation_00764","_rev":"_dVfOKde--d","original_id":"469","name":"HTTP DoS","metadata":"Design: Use load balancing mechanisms","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00765","_id":"capec_mitigation/capec_mitigation_00765","_rev":"_dVfOKde--e","original_id":"470","name":"Expanding Control over the Operating System from the Database","metadata":"Design: Follow the defensive programming practices needed to protect an application accessing the database from SQL injection","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00766","_id":"capec_mitigation/capec_mitigation_00766","_rev":"_dVfOKde--f","original_id":"470","name":"Expanding Control over the Operating System from the Database","metadata":"Configuration: Ensure that the DBMS is patched with the latest security patches","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00767","_id":"capec_mitigation/capec_mitigation_00767","_rev":"_dVfOKde--g","original_id":"470","name":"Expanding Control over the Operating System from the Database","metadata":"Design: Ensure that the DBMS login used by the application has the lowest possible level of privileges in the DBMS","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00768","_id":"capec_mitigation/capec_mitigation_00768","_rev":"_dVfOKde--h","original_id":"470","name":"Expanding Control over the Operating System from the Database","metadata":"Design: Ensure that DBMS runs with the lowest possible level of privileges on the host machine and that it runs as a separate user","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00769","_id":"capec_mitigation/capec_mitigation_00769","_rev":"_dVfOKde--i","original_id":"470","name":"Expanding Control over the Operating System from the Database","metadata":"Usage: Do not use the DBMS machine for anything else other than the database","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00770","_id":"capec_mitigation/capec_mitigation_00770","_rev":"_dVfOKde--j","original_id":"470","name":"Expanding Control over the Operating System from the Database","metadata":"Usage: Do not place any trust in the database host on the internal network. Authenticate and validate all network activity originating from the database host.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00771","_id":"capec_mitigation/capec_mitigation_00771","_rev":"_dVfOKde--k","original_id":"470","name":"Expanding Control over the Operating System from the Database","metadata":"Usage: Use an intrusion detection system to monitor network connections and logs on the database host.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00772","_id":"capec_mitigation/capec_mitigation_00772","_rev":"_dVfOKde--l","original_id":"470","name":"Expanding Control over the Operating System from the Database","metadata":"Implementation: Remove / disable all unneeded / unused functions of the DBMS system that may allow an attacker to elevate privileges if compromised","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00773","_id":"capec_mitigation/capec_mitigation_00773","_rev":"_dVfOKde--m","original_id":"471","name":"Search Order Hijacking","metadata":"Design: Fix the Windows loading process to eliminate the preferential search order by looking for DLLs in the precise location where they are expected","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00774","_id":"capec_mitigation/capec_mitigation_00774","_rev":"_dVfOKde--n","original_id":"471","name":"Search Order Hijacking","metadata":"Design: Sign system DLLs so that unauthorized DLLs can be detected.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00775","_id":"capec_mitigation/capec_mitigation_00775","_rev":"_dVfOKde--o","original_id":"472","name":"Browser Fingerprinting","metadata":"Configuration: Disable Java Script in the browser","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00776","_id":"capec_mitigation/capec_mitigation_00776","_rev":"_dVfOKde--p","original_id":"474","name":"Signature Spoofing by Key Theft","metadata":"Restrict access to private keys from non-supervisory accounts","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00777","_id":"capec_mitigation/capec_mitigation_00777","_rev":"_dVfOKde--q","original_id":"474","name":"Signature Spoofing by Key Theft","metadata":"Restrict access to administrative personnel and processes only","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00778","_id":"capec_mitigation/capec_mitigation_00778","_rev":"_dVfOKde--r","original_id":"474","name":"Signature Spoofing by Key Theft","metadata":"Ensure all remote methods are secured","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00779","_id":"capec_mitigation/capec_mitigation_00779","_rev":"_dVfOKde--s","original_id":"474","name":"Signature Spoofing by Key Theft","metadata":"Ensure all services are patched and up to date","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00780","_id":"capec_mitigation/capec_mitigation_00780","_rev":"_dVfOKde--t","original_id":"475","name":"Signature Spoofing by Improper Validation","metadata":"Use programs and products that contain cryptographic elements that have been thoroughly tested for flaws in the signature verification routines.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00781","_id":"capec_mitigation/capec_mitigation_00781","_rev":"_dVfOKde--u","original_id":"476","name":"Signature Spoofing by Misrepresentation","metadata":"Ensure the application is using parsing and data display techniques that will accurately display control characters, international symbols and markings, and ultimately recognize potential homograph attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00782","_id":"capec_mitigation/capec_mitigation_00782","_rev":"_dVfOKde--v","original_id":"477","name":"Signature Spoofing by Mixing Signed and Unsigned Content","metadata":"Ensure the application is fully patched and does not allow the processing of unsigned data as if it is signed data.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00783","_id":"capec_mitigation/capec_mitigation_00783","_rev":"_dVfOKde--w","original_id":"478","name":"Modification of Windows Service Configuration","metadata":"Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00784","_id":"capec_mitigation/capec_mitigation_00784","_rev":"_dVfOKde--x","original_id":"480","name":"Escaping Virtualization","metadata":"Ensure virtualization software is current and up-to-date.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00785","_id":"capec_mitigation/capec_mitigation_00785","_rev":"_dVfOKde--y","original_id":"480","name":"Escaping Virtualization","metadata":"Abide by the least privilege principle to avoid assigning users more privileges than necessary.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00786","_id":"capec_mitigation/capec_mitigation_00786","_rev":"_dVfOKde--z","original_id":"481","name":"Contradictory Destinations in Traffic Routing Schemes","metadata":"Monitor connections, checking headers in traffic for contradictory domain names, or empty domain names.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00787","_id":"capec_mitigation/capec_mitigation_00787","_rev":"_dVfOKde--0","original_id":"482","name":"TCP Flood","metadata":"To mitigate this type of an attack, an organization can monitor incoming packets and look for patterns in the TCP traffic to determine if the network is under an attack. The potential target may implement a rate limit on TCP SYN messages which would provide limited capabilities while under attack.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00788","_id":"capec_mitigation/capec_mitigation_00788","_rev":"_dVfOKde--1","original_id":"485","name":"Signature Spoofing by Key Recreation","metadata":"Ensure cryptographic elements have been sufficiently tested for weaknesses.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00789","_id":"capec_mitigation/capec_mitigation_00789","_rev":"_dVfOKde--2","original_id":"486","name":"UDP Flood","metadata":"To mitigate this type of an attack, modern firewalls drop UDP traffic destined for closed ports, and unsolicited UDP reply packets. A variety of other countermeasures such as universal reverse path forwarding and remote triggered black holing(RFC3704) along with modifications to BGP like black hole routing and sinkhole routing(RFC3882) help mitigate the spoofed source IP nature of these attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00790","_id":"capec_mitigation/capec_mitigation_00790","_rev":"_dVfOKde--3","original_id":"487","name":"ICMP Flood","metadata":"To mitigate this type of an attack, an organization can enable ingress filtering. Additionally modifications to BGP like black hole routing and sinkhole routing(RFC3882) help mitigate the spoofed source IP nature of these attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00791","_id":"capec_mitigation/capec_mitigation_00791","_rev":"_dVfOKde--4","original_id":"488","name":"HTTP Flood","metadata":"To mitigate this type of an attack, an organization can monitor the typical traffic flow. When spikes in usage occur, filters could examine traffic for indicators of bad behavior with respect to the web servers, and then create firewall rules to deny the malicious IP addresses. These patterns in the filter could be a combination of trained behavior, knowledge of standards as they apply to the web server, known patterns, or anomaly detection. Firewalling source IPs works since the HTTP is sent using TCP so the source IP can't be spoofed; if the source IP is spoofed is, then it's not legitimate traffic. Special care should be taken care with rule sets to ensure low false positive rates along with a method at the application layer to allow a valid user to begin using the service again. Another possible solution is using 3rd party providers as they have experts, knowledge, experience, and resources to deal with the attack and mitigate it before hand or while it occurs. The best mitigation is preparation before an attack, but there is no bulletproof solution as with ample resources a brute force attack may succeed.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00792","_id":"capec_mitigation/capec_mitigation_00792","_rev":"_dVfOKde--5","original_id":"489","name":"SSL Flood","metadata":"To mitigate this type of an attack, an organization can create rule based filters to silently drop connections if too many are attempted in a certain time period.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00793","_id":"capec_mitigation/capec_mitigation_00793","_rev":"_dVfOKde--6","original_id":"490","name":"Amplification","metadata":"To mitigate this type of an attack, an organization can attempt to identify the 3rd party services being used in an active attack and blocking them until the attack ends. This can be accomplished by filtering traffic for suspicious message patterns such as a spike in traffic where each response contains the same large block of data. Care should be taken to prevent false positive rates so legitimate traffic isn't blocked.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00794","_id":"capec_mitigation/capec_mitigation_00794","_rev":"_dVfOKde--7","original_id":"491","name":"Quadratic Data Expansion","metadata":"Design: Use libraries and templates that minimize unfiltered input. Use methods that limit entity expansion and throw exceptions on attempted entity expansion.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00795","_id":"capec_mitigation/capec_mitigation_00795","_rev":"_dVfOKde--8","original_id":"491","name":"Quadratic Data Expansion","metadata":"Implementation: For XML based data - disable altogether the use of inline DTD schemas when parsing XML objects. If a DTD must be used, normalize, filter and use an allowlist and parse with methods and routines that will detect entity expansion from untrusted sources.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00796","_id":"capec_mitigation/capec_mitigation_00796","_rev":"_dVfOKde--9","original_id":"492","name":"Regular Expression Exponential Blowup","metadata":"Test custom written Regex with fuzzing to determine if the Regex is a poor one. Add timeouts to processes that handle the Regex logic. If an evil Regex is found rewrite it as a good Regex.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00797","_id":"capec_mitigation/capec_mitigation_00797","_rev":"_dVfOKde-_-","original_id":"493","name":"SOAP Array Blowup","metadata":"Enforce strict schema validation. The schema should enforce a maximum number of array elements. If the number of maximum array elements can't be limited another validation method should be used. One such method could be comparing the declared number of items in the array with the existing number of elements of the array. If these numbers don't match drop the SOAP packet at the web service layer.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00798","_id":"capec_mitigation/capec_mitigation_00798","_rev":"_dVfOKde-__","original_id":"494","name":"TCP Fragmentation","metadata":"This attack may be mitigated by enforcing rules at the router following the guidance of RFC1858. The essential part of the guidance is creating the following rule \"IF FO=1 and PROTOCOL=TCP then DROP PACKET\" as this mitigated both tiny fragment and overlapping fragment attacks in IPv4. In IPv6 overlapping(RFC5722) additional steps may be required such as deep packet inspection. The delayed fragments may be mitigated by enforcing a timeout on the transmission to receive all packets by a certain time since the first packet is received. According to RFC2460 IPv6 implementations should enforce a rule to discard all fragments if the fragments are not ALL received within 60 seconds of the FIRST arriving fragment.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00799","_id":"capec_mitigation/capec_mitigation_00799","_rev":"_dVfOKde-_A","original_id":"495","name":"UDP Fragmentation","metadata":"This attack may be mitigated by changing default cache sizes to be larger at the OS level. Additionally rules can be enforced to prune the cache with shorter timeouts for packet reassembly as the cache nears capacity.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00800","_id":"capec_mitigation/capec_mitigation_00800","_rev":"_dVfOKde-_B","original_id":"496","name":"ICMP Fragmentation","metadata":"This attack may be mitigated through egress filtering based on ICMP payload so a network is a \"good neighbor\" to other networks. Bad IP implementations become patched, so using the proper version of a browser or OS is recommended.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00801","_id":"capec_mitigation/capec_mitigation_00801","_rev":"_dVfOKde-_C","original_id":"497","name":"File Discovery","metadata":"Leverage file protection mechanisms to render these files accessible only to authorized parties.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00802","_id":"capec_mitigation/capec_mitigation_00802","_rev":"_dVfOKde-_D","original_id":"498","name":"Probe iOS Screenshots","metadata":"To mitigate this type of an attack, an application that may display sensitive information should clear the screen contents before a screenshot is taken. This can be accomplished by setting the key window's hidden property to YES. This code to hide the contents should be placed in both the applicationWillResignActive() and applicationDidEnterBackground() methods.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00803","_id":"capec_mitigation/capec_mitigation_00803","_rev":"_dVfOKde-_E","original_id":"499","name":"Android Intent Intercept","metadata":"To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An explicit intent is delivered to a specific application as declared within the intent, whereas the Android operating system determines who receives an implicit intent which could potentially be a malicious application. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly. Implicit intents should never be used for inter-application communication.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00804","_id":"capec_mitigation/capec_mitigation_00804","_rev":"_dVfOKde-_F","original_id":"500","name":"WebView Injection","metadata":"The only known mitigation to this type of attack is to keep the malicious application off the system. There is nothing that can be done to the target application to protect itself from a malicious application that has been installed and executed.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00805","_id":"capec_mitigation/capec_mitigation_00805","_rev":"_dVfOKde-_G","original_id":"501","name":"Android Activity Hijack","metadata":"To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An 'explicit intent' is delivered to a specific application as declared within the intent, whereas an 'implicit intent' is directed to an application as defined by the Android operating system. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly (i.e., with appropriate security controls).","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00806","_id":"capec_mitigation/capec_mitigation_00806","_rev":"_dVfOKde-_H","original_id":"501","name":"Android Activity Hijack","metadata":"Never use implicit intents for inter-application communication.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00807","_id":"capec_mitigation/capec_mitigation_00807","_rev":"_dVfOKde-_I","original_id":"502","name":"Intent Spoof","metadata":"To limit one's exposure to this type of attack, developers should avoid exporting components unless the component is specifically designed to handle requests from untrusted applications. Developers should be aware that declaring an intent filter will automatically export the component, exposing it to public access. Critical, state-changing actions should not be placed in exported components. If a single component handles both inter- and intra-application requests, the developer should consider dividing that component into separate components. If a component must be exported (e.g., to receive system broadcasts), then the component should dynamically check the caller's identity prior to performing any operations. Requiring Signature or SignatureOrSystem permissions is an effective way of limiting a component's exposure to a set of trusted applications. Finally, the return values of exported components can also leak private data, so developers should check the caller's identity prior to returning sensitive values.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00808","_id":"capec_mitigation/capec_mitigation_00808","_rev":"_dVfOKde-_J","original_id":"503","name":"WebView Exposure","metadata":"To mitigate this type of an attack, an application should limit permissions to only those required and should verify the origin of all web content it loads.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00809","_id":"capec_mitigation/capec_mitigation_00809","_rev":"_dVfOKde-_K","original_id":"504","name":"Task Impersonation","metadata":"The only known mitigation to this attack is to avoid installing the malicious application on the device. However, to impersonate a running task the malicious application does need the GET_TASKS permission to be able to query the task list, and being suspicious of applications with that permission can help.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00811","_id":"capec_mitigation/capec_mitigation_00811","_rev":"_dVfOKde-_L","original_id":"505","name":"Scheme Squatting","metadata":"The only known mitigation to this attack is to avoid installing the malicious application on the device. Applications usually have to declare the schemes they wish to register, so detecting this during a review is feasible.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00812","_id":"capec_mitigation/capec_mitigation_00812","_rev":"_dVfOKde-_M","original_id":"507","name":"Physical Theft","metadata":"To mitigate this type of attack, physical security techniques such as locks doors, alarms, and monitoring of targets should be implemented.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00813","_id":"capec_mitigation/capec_mitigation_00813","_rev":"_dVfOKde-_N","original_id":"508","name":"Shoulder Surfing","metadata":"Be mindful of your surroundings when discussing or viewing sensitive information in public areas.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00814","_id":"capec_mitigation/capec_mitigation_00814","_rev":"_dVfOKde-_O","original_id":"508","name":"Shoulder Surfing","metadata":"Pertaining to insider threats, ensure that sensitive information is not displayed to nor discussed around individuals without need-to-know access to said information.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00815","_id":"capec_mitigation/capec_mitigation_00815","_rev":"_dVfOKde-_P","original_id":"509","name":"Kerberoasting","metadata":"Monitor system and domain logs for abnormal access.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00816","_id":"capec_mitigation/capec_mitigation_00816","_rev":"_dVfOKde-_Q","original_id":"509","name":"Kerberoasting","metadata":"Employ a robust password policy for service accounts. Passwords should be of adequate length and complexity, and they should expire after a period of time.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00817","_id":"capec_mitigation/capec_mitigation_00817","_rev":"_dVfOKdi---","original_id":"509","name":"Kerberoasting","metadata":"Employ the principle of least privilege: limit service accounts privileges to what is required for functionality and no more.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00818","_id":"capec_mitigation/capec_mitigation_00818","_rev":"_dVfOKdi--_","original_id":"509","name":"Kerberoasting","metadata":"Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00819","_id":"capec_mitigation/capec_mitigation_00819","_rev":"_dVfOKdi--A","original_id":"510","name":"SaaS User Request Forgery","metadata":"To limit one's exposure to this type of attack, tunnel communications through a secure proxy service.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00820","_id":"capec_mitigation/capec_mitigation_00820","_rev":"_dVfOKdi--B","original_id":"510","name":"SaaS User Request Forgery","metadata":"Detection of this type of attack can be done through heuristic analysis of behavioral anomalies (a la credit card fraud detection) which can be used to identify inhuman behavioral patterns. (e.g., spidering)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00821","_id":"capec_mitigation/capec_mitigation_00821","_rev":"_dVfOKdi--C","original_id":"522","name":"Malicious Hardware Component Replacement","metadata":"Ensure that all contractors and sub-suppliers use trusted means of shipping (e.g., bonded/cleared/vetted and insured couriers) to ensure that components, once purchased, are not subject to compromise during their delivery.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00822","_id":"capec_mitigation/capec_mitigation_00822","_rev":"_dVfOKdi--D","original_id":"522","name":"Malicious Hardware Component Replacement","metadata":"Prevent or detect tampering with critical hardware or firmware components while in transit through use of state-of-the-art anti-tamper devices.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00823","_id":"capec_mitigation/capec_mitigation_00823","_rev":"_dVfOKdi--E","original_id":"522","name":"Malicious Hardware Component Replacement","metadata":"Use tamper-resistant and tamper-evident packaging when shipping critical components (e.g., plastic coating for circuit boards, tamper tape, paint, sensors, and/or seals for cases and containers) and inspect received system components for evidence of tampering.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00824","_id":"capec_mitigation/capec_mitigation_00824","_rev":"_dVfOKdi--F","original_id":"528","name":"XML Flood","metadata":"Design: Build throttling mechanism into the resource allocation. Provide for a timeout mechanism for allocated resources whose transaction does not complete within a specified interval.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00825","_id":"capec_mitigation/capec_mitigation_00825","_rev":"_dVfOKdi--G","original_id":"528","name":"XML Flood","metadata":"Implementation: Provide for network flow control and traffic shaping to control access to the resources.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00827","_id":"capec_mitigation/capec_mitigation_00827","_rev":"_dVfOKdi--H","original_id":"529","name":"Malware-Directed Internal Reconnaissance","metadata":"Keep patches up to date by installing weekly or daily if possible.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00828","_id":"capec_mitigation/capec_mitigation_00828","_rev":"_dVfOKdi--I","original_id":"529","name":"Malware-Directed Internal Reconnaissance","metadata":"Identify programs that may be used to acquire peripheral information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00829","_id":"capec_mitigation/capec_mitigation_00829","_rev":"_dVfOKdi--J","original_id":"536","name":"Data Injected During Configuration","metadata":"Ensure that proper access control is implemented on all systems to prevent unauthorized access to system files and processes.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00830","_id":"capec_mitigation/capec_mitigation_00830","_rev":"_dVfOKdi--K","original_id":"546","name":"Incomplete Data Deletion in a Multi-Tenant Environment","metadata":"Cloud providers should completely delete data to render it irrecoverable and inaccessible from any layer and component of infrastructure resources.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00831","_id":"capec_mitigation/capec_mitigation_00831","_rev":"_dVfOKdi--L","original_id":"546","name":"Incomplete Data Deletion in a Multi-Tenant Environment","metadata":"Deletion of data should be completed promptly when requested.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00832","_id":"capec_mitigation/capec_mitigation_00832","_rev":"_dVfOKdi--M","original_id":"549","name":"Local Execution of Code","metadata":"Employ robust cybersecurity training for all employees.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00833","_id":"capec_mitigation/capec_mitigation_00833","_rev":"_dVfOKdi--N","original_id":"549","name":"Local Execution of Code","metadata":"Implement system antivirus software that scans all attachments before opening them.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00834","_id":"capec_mitigation/capec_mitigation_00834","_rev":"_dVfOKdi--O","original_id":"549","name":"Local Execution of Code","metadata":"Regularly patch all software.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00835","_id":"capec_mitigation/capec_mitigation_00835","_rev":"_dVfOKdi--P","original_id":"549","name":"Local Execution of Code","metadata":"Execute all suspicious files in a sandbox environment.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00836","_id":"capec_mitigation/capec_mitigation_00836","_rev":"_dVfOKdi--Q","original_id":"550","name":"Install New Service","metadata":"Limit privileges of user accounts so new service creation can only be performed by authorized administrators.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00837","_id":"capec_mitigation/capec_mitigation_00837","_rev":"_dVfOKdi--R","original_id":"551","name":"Modify Existing Service","metadata":"Limit privileges of user accounts so service changes can only be performed by authorized administrators. Also monitor any service changes that may occur inadvertently.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00838","_id":"capec_mitigation/capec_mitigation_00838","_rev":"_dVfOKdi--S","original_id":"552","name":"Install Rootkit ","metadata":"Prevent adversary access to privileged accounts necessary to install rootkits.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00839","_id":"capec_mitigation/capec_mitigation_00839","_rev":"_dVfOKdi--T","original_id":"555","name":"Remote Services with Stolen Credentials","metadata":"Disable RDP, telnet, SSH and enable firewall rules to block such traffic. Limit users and accounts that have remote interactive login access. Remove the Local Administrators group from the list of groups allowed to login through RDP. Limit remote user permissions. Use remote desktop gateways and multifactor authentication for remote logins.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00840","_id":"capec_mitigation/capec_mitigation_00840","_rev":"_dVfOKdi--U","original_id":"556","name":"Replace File Extension Handlers","metadata":"Inspect registry for changes. Limit privileges of user accounts so changes to default file handlers can only be performed by authorized administrators.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00841","_id":"capec_mitigation/capec_mitigation_00841","_rev":"_dVfOKdi--V","original_id":"560","name":"Use of Known Domain Credentials","metadata":"Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00842","_id":"capec_mitigation/capec_mitigation_00842","_rev":"_dVfOKdi--W","original_id":"560","name":"Use of Known Domain Credentials","metadata":"Create a strong password policy and ensure that your system enforces this policy.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00843","_id":"capec_mitigation/capec_mitigation_00843","_rev":"_dVfOKdi--X","original_id":"560","name":"Use of Known Domain Credentials","metadata":"Ensure users are not reusing username/password combinations for multiple systems, applications, or services.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00844","_id":"capec_mitigation/capec_mitigation_00844","_rev":"_dVfOKdi--Y","original_id":"560","name":"Use of Known Domain Credentials","metadata":"Do not reuse local administrator account credentials across systems.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00845","_id":"capec_mitigation/capec_mitigation_00845","_rev":"_dVfOKdi--Z","original_id":"560","name":"Use of Known Domain Credentials","metadata":"Deny remote use of local admin credentials to log into domain systems.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00846","_id":"capec_mitigation/capec_mitigation_00846","_rev":"_dVfOKdi--a","original_id":"560","name":"Use of Known Domain Credentials","metadata":"Do not allow accounts to be a local administrator on more than one system.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00847","_id":"capec_mitigation/capec_mitigation_00847","_rev":"_dVfOKdi--b","original_id":"560","name":"Use of Known Domain Credentials","metadata":"Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00848","_id":"capec_mitigation/capec_mitigation_00848","_rev":"_dVfOKdi--c","original_id":"560","name":"Use of Known Domain Credentials","metadata":"Monitor system and domain logs for abnormal credential access.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00854","_id":"capec_mitigation/capec_mitigation_00854","_rev":"_dVfOKdi--d","original_id":"561","name":"Windows Admin Shares with Stolen Credentials","metadata":"Do not reuse local administrator account credentials across systems.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00855","_id":"capec_mitigation/capec_mitigation_00855","_rev":"_dVfOKdi--e","original_id":"561","name":"Windows Admin Shares with Stolen Credentials","metadata":"Deny remote use of local admin credentials to log into domain systems.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00856","_id":"capec_mitigation/capec_mitigation_00856","_rev":"_dVfOKdi--f","original_id":"561","name":"Windows Admin Shares with Stolen Credentials","metadata":"Do not allow accounts to be a local administrator on more than one system.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00860","_id":"capec_mitigation/capec_mitigation_00860","_rev":"_dVfOKdi--g","original_id":"562","name":"Modify Shared File","metadata":"Disallow shared content. Protect shared folders by minimizing users that have write access. Use utilities that mitigate exploitation like the Microsoft Enhanced Mitigation Experience Toolkit (EMET) to prevent exploits from being run.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00861","_id":"capec_mitigation/capec_mitigation_00861","_rev":"_dVfOKdi--h","original_id":"563","name":"Add Malicious File to Shared Webroot","metadata":"Ensure proper permissions on directories that are accessible through a web server. Disallow remote access to the web root. Disable execution on directories within the web root. Ensure that permissions of the web server process are only what is required by not using built-in accounts and instead create specific accounts to limit unnecessary access or permissions overlap across multiple systems.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00862","_id":"capec_mitigation/capec_mitigation_00862","_rev":"_dVfOKdi--i","original_id":"564","name":"Run Software at Logon","metadata":"Restrict write access to logon scripts to necessary administrators.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00863","_id":"capec_mitigation/capec_mitigation_00863","_rev":"_dVfOKdi--j","original_id":"565","name":"Password Spraying","metadata":"Create a strong password policy and ensure that your system enforces this policy.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00864","_id":"capec_mitigation/capec_mitigation_00864","_rev":"_dVfOKdi--k","original_id":"565","name":"Password Spraying","metadata":"Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00865","_id":"capec_mitigation/capec_mitigation_00865","_rev":"_dVfOKdi--l","original_id":"565","name":"Password Spraying","metadata":"Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00869","_id":"capec_mitigation/capec_mitigation_00869","_rev":"_dVfOKdi--m","original_id":"568","name":"Capture Credentials via Keylogger","metadata":"Strong physical security can help reduce the ability of an adversary to install a keylogger.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00870","_id":"capec_mitigation/capec_mitigation_00870","_rev":"_dVfOKdi--n","original_id":"573","name":"Process Footprinting","metadata":"Identify programs that may be used to acquire process information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00871","_id":"capec_mitigation/capec_mitigation_00871","_rev":"_dVfOKdi--o","original_id":"574","name":"Services Footprinting","metadata":"Identify programs that may be used to acquire service information and block them by using a software restriction policy or tools that restrict program execution by uaing a process allowlist.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00872","_id":"capec_mitigation/capec_mitigation_00872","_rev":"_dVfOKdi--p","original_id":"575","name":"Account Footprinting","metadata":"Identify programs that may be used to acquire account information and block them by using a software restriction policy or tools that restrict program execution by uysing a process allowlist.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00873","_id":"capec_mitigation/capec_mitigation_00873","_rev":"_dVfOKdi--q","original_id":"576","name":"Group Permission Footprinting","metadata":"Identify programs (such as \"net\") that may be used to enumerate local group permissions and block them by using a software restriction Policy or tools that restrict program execution by using a process allowlist.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00874","_id":"capec_mitigation/capec_mitigation_00874","_rev":"_dVfOKdi--r","original_id":"577","name":"Owner Footprinting","metadata":"Ensure that proper permissions on files and folders are enacted to limit accessibility.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00875","_id":"capec_mitigation/capec_mitigation_00875","_rev":"_dVfOKdi--s","original_id":"578","name":"Disable Security Software","metadata":"Ensure proper permissions are in place to prevent adversaries from altering the execution status of security tools.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00876","_id":"capec_mitigation/capec_mitigation_00876","_rev":"_dVfOKdi--t","original_id":"579","name":"Replace Winlogon Helper DLL","metadata":"Changes to registry entries in \"HKLM\\Software\\Microsoft\\Windows NT\\Winlogon\\Notify\" that do not correlate with known software, patch cycles, etc are suspicious. New DLLs written to System32 which do not correlate with known good software or patching may be suspicious.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00877","_id":"capec_mitigation/capec_mitigation_00877","_rev":"_dVfOKdi--u","original_id":"580","name":"System Footprinting","metadata":"Keep patches up to date by installing weekly or daily if possible.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00878","_id":"capec_mitigation/capec_mitigation_00878","_rev":"_dVfOKdi--v","original_id":"580","name":"System Footprinting","metadata":"Identify programs that may be used to acquire peripheral information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00879","_id":"capec_mitigation/capec_mitigation_00879","_rev":"_dVfOKdi--w","original_id":"581","name":"Security Software Footprinting","metadata":"Identify programs that may be used to acquire security tool information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00880","_id":"capec_mitigation/capec_mitigation_00880","_rev":"_dVfOKdi--x","original_id":"583","name":"Disabling Network Hardware","metadata":"Ensure rigorous physical defensive measures to keep the adversary from accessing critical systems..","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00881","_id":"capec_mitigation/capec_mitigation_00881","_rev":"_dVfOKdi--y","original_id":"584","name":"BGP Route Disabling","metadata":"Implement Ingress filters to check the validity of received routes. However, this relies on the accuracy of Internet Routing Registries (IRRs) databases which are often not well-maintained.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00882","_id":"capec_mitigation/capec_mitigation_00882","_rev":"_dVfOKdi--z","original_id":"584","name":"BGP Route Disabling","metadata":"Implement Secure BGP (S-BGP protocol), which improves authorization and authentication capabilities based on public-key cryptography.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00883","_id":"capec_mitigation/capec_mitigation_00883","_rev":"_dVfOKdi--0","original_id":"586","name":"Object Injection","metadata":"\n Implementation: Validate object before deserialization process\n ","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00884","_id":"capec_mitigation/capec_mitigation_00884","_rev":"_dVfOKdi--1","original_id":"586","name":"Object Injection","metadata":"\n Design: Limit which types can be deserialized.\n ","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00885","_id":"capec_mitigation/capec_mitigation_00885","_rev":"_dVfOKdi--2","original_id":"586","name":"Object Injection","metadata":"\n Implementation: Avoid having unnecessary types or gadgets available that can be leveraged for malicious ends. Use an allowlist of acceptable classes.\n ","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00886","_id":"capec_mitigation/capec_mitigation_00886","_rev":"_dVfOKdi--3","original_id":"586","name":"Object Injection","metadata":"\n Implementation: Keep session state on the server, when possible.\n ","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00887","_id":"capec_mitigation/capec_mitigation_00887","_rev":"_dVfOKdi--4","original_id":"587","name":"Cross Frame Scripting (XFS)","metadata":"Avoid clicking on untrusted links.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00888","_id":"capec_mitigation/capec_mitigation_00888","_rev":"_dVfOKdi--5","original_id":"587","name":"Cross Frame Scripting (XFS)","metadata":"Employ techniques such as frame busting, which is a method by which developers aim to prevent their site being loaded within a frame.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00889","_id":"capec_mitigation/capec_mitigation_00889","_rev":"_dVfOKdi--6","original_id":"588","name":"DOM-Based XSS","metadata":"Use browser technologies that do not allow client-side scripting.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00890","_id":"capec_mitigation/capec_mitigation_00890","_rev":"_dVfOKdi--7","original_id":"588","name":"DOM-Based XSS","metadata":"Utilize proper character encoding for all output produced within client-site scripts manipulating the DOM.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00891","_id":"capec_mitigation/capec_mitigation_00891","_rev":"_dVfOKdi--8","original_id":"588","name":"DOM-Based XSS","metadata":"Ensure that all user-supplied input is validated before use.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00892","_id":"capec_mitigation/capec_mitigation_00892","_rev":"_dVfOKdi--9","original_id":"589","name":"DNS Blocking","metadata":"Hard Coded Alternate DNS server in applications","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00893","_id":"capec_mitigation/capec_mitigation_00893","_rev":"_dVfOKdi-_-","original_id":"589","name":"DNS Blocking","metadata":"Avoid dependence on DNS","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00894","_id":"capec_mitigation/capec_mitigation_00894","_rev":"_dVfOKdi-__","original_id":"589","name":"DNS Blocking","metadata":"Include \"hosts file\"/IP address in the application.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00895","_id":"capec_mitigation/capec_mitigation_00895","_rev":"_dVfOKdi-_A","original_id":"589","name":"DNS Blocking","metadata":"Ensure best practices with respect to communications channel protections.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00896","_id":"capec_mitigation/capec_mitigation_00896","_rev":"_dVfOKdi-_B","original_id":"589","name":"DNS Blocking","metadata":"Use a .onion domain with Tor support","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00897","_id":"capec_mitigation/capec_mitigation_00897","_rev":"_dVfOKdi-_C","original_id":"590","name":"IP Address Blocking","metadata":"Have a large pool of backup IPs built into the application and support proxy capability in the application.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00898","_id":"capec_mitigation/capec_mitigation_00898","_rev":"_dVfOKdi-_D","original_id":"591","name":"Reflected XSS","metadata":"Use browser technologies that do not allow client-side scripting.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00899","_id":"capec_mitigation/capec_mitigation_00899","_rev":"_dVfOKdi-_E","original_id":"591","name":"Reflected XSS","metadata":"Utilize strict type, character, and encoding enforcement.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00900","_id":"capec_mitigation/capec_mitigation_00900","_rev":"_dVfOKdi-_F","original_id":"591","name":"Reflected XSS","metadata":"Ensure that all user-supplied input is validated before use.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00901","_id":"capec_mitigation/capec_mitigation_00901","_rev":"_dVfOKdi-_G","original_id":"592","name":"Stored XSS","metadata":"Use browser technologies that do not allow client-side scripting.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00902","_id":"capec_mitigation/capec_mitigation_00902","_rev":"_dVfOKdi-_H","original_id":"592","name":"Stored XSS","metadata":"Utilize strict type, character, and encoding enforcement.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00903","_id":"capec_mitigation/capec_mitigation_00903","_rev":"_dVfOKdi-_I","original_id":"592","name":"Stored XSS","metadata":"Ensure that all user-supplied input is validated before being stored.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00904","_id":"capec_mitigation/capec_mitigation_00904","_rev":"_dVfOKdi-_J","original_id":"593","name":"Session Hijacking","metadata":"Properly encrypt and sign identity tokens in transit, and use industry standard session key generation mechanisms that utilize high amount of entropy to generate the session key. Many standard web and application servers will perform this task on your behalf. Utilize a session timeout for all sessions. If the user does not explicitly logout, terminate their session after this period of inactivity. If the user logs back in then a new session key should be generated.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00905","_id":"capec_mitigation/capec_mitigation_00905","_rev":"_dVfOKdi-_K","original_id":"597","name":"Absolute Path Traversal","metadata":"Design: Configure the access control correctly.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00906","_id":"capec_mitigation/capec_mitigation_00906","_rev":"_dVfOKdm---","original_id":"597","name":"Absolute Path Traversal","metadata":"Design: Enforce principle of least privilege.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00907","_id":"capec_mitigation/capec_mitigation_00907","_rev":"_dVfOKdm--_","original_id":"597","name":"Absolute Path Traversal","metadata":"Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00908","_id":"capec_mitigation/capec_mitigation_00908","_rev":"_dVfOKdm--A","original_id":"597","name":"Absolute Path Traversal","metadata":"Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00909","_id":"capec_mitigation/capec_mitigation_00909","_rev":"_dVfOKdm--B","original_id":"597","name":"Absolute Path Traversal","metadata":"Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00910","_id":"capec_mitigation/capec_mitigation_00910","_rev":"_dVfOKdm--C","original_id":"597","name":"Absolute Path Traversal","metadata":"Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00911","_id":"capec_mitigation/capec_mitigation_00911","_rev":"_dVfOKdm--D","original_id":"597","name":"Absolute Path Traversal","metadata":"Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00912","_id":"capec_mitigation/capec_mitigation_00912","_rev":"_dVfOKdm--E","original_id":"597","name":"Absolute Path Traversal","metadata":"Implementation: Perform input validation for all remote content, including remote and user-generated content.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00913","_id":"capec_mitigation/capec_mitigation_00913","_rev":"_dVfOKdm--F","original_id":"597","name":"Absolute Path Traversal","metadata":"Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00914","_id":"capec_mitigation/capec_mitigation_00914","_rev":"_dVfOKdm--G","original_id":"597","name":"Absolute Path Traversal","metadata":"Implementation: Use indirect references rather than actual file names.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00915","_id":"capec_mitigation/capec_mitigation_00915","_rev":"_dVfOKdm--H","original_id":"597","name":"Absolute Path Traversal","metadata":"Implementation: Use possible permissions on file access when developing and deploying web applications.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00916","_id":"capec_mitigation/capec_mitigation_00916","_rev":"_dVfOKdm--I","original_id":"597","name":"Absolute Path Traversal","metadata":"Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification using an allowlist approach.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00917","_id":"capec_mitigation/capec_mitigation_00917","_rev":"_dVfOKdm--J","original_id":"598","name":"DNS Spoofing","metadata":"Design: Avoid dependence on DNS","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00918","_id":"capec_mitigation/capec_mitigation_00918","_rev":"_dVfOKdm--K","original_id":"598","name":"DNS Spoofing","metadata":"Design: Include \"hosts file\"/IP address in the application","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00919","_id":"capec_mitigation/capec_mitigation_00919","_rev":"_dVfOKdm--L","original_id":"598","name":"DNS Spoofing","metadata":"Implementation: Utilize a .onion domain with Tor support","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00920","_id":"capec_mitigation/capec_mitigation_00920","_rev":"_dVfOKdm--M","original_id":"598","name":"DNS Spoofing","metadata":"Implementation: DNSSEC","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00921","_id":"capec_mitigation/capec_mitigation_00921","_rev":"_dVfOKdm--N","original_id":"598","name":"DNS Spoofing","metadata":"Implementation: DNS-hold-open","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00922","_id":"capec_mitigation/capec_mitigation_00922","_rev":"_dVfOKdm--O","original_id":"600","name":"Credential Stuffing","metadata":"Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00923","_id":"capec_mitigation/capec_mitigation_00923","_rev":"_dVfOKdm--P","original_id":"600","name":"Credential Stuffing","metadata":"Create a strong password policy and ensure that your system enforces this policy.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00924","_id":"capec_mitigation/capec_mitigation_00924","_rev":"_dVfOKdm--Q","original_id":"600","name":"Credential Stuffing","metadata":"Ensure users are not reusing username/password combinations for multiple systems, applications, or services.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00925","_id":"capec_mitigation/capec_mitigation_00925","_rev":"_dVfOKdm--R","original_id":"600","name":"Credential Stuffing","metadata":"Do not reuse local administrator account credentials across systems.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00926","_id":"capec_mitigation/capec_mitigation_00926","_rev":"_dVfOKdm--S","original_id":"600","name":"Credential Stuffing","metadata":"Deny remote use of local admin credentials to log into domain systems.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00927","_id":"capec_mitigation/capec_mitigation_00927","_rev":"_dVfOKdm--T","original_id":"600","name":"Credential Stuffing","metadata":"Do not allow accounts to be a local administrator on more than one system.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00928","_id":"capec_mitigation/capec_mitigation_00928","_rev":"_dVfOKdm--U","original_id":"600","name":"Credential Stuffing","metadata":"Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00929","_id":"capec_mitigation/capec_mitigation_00929","_rev":"_dVfOKdm--V","original_id":"600","name":"Credential Stuffing","metadata":"Monitor system and domain logs for abnormal credential access.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00933","_id":"capec_mitigation/capec_mitigation_00933","_rev":"_dVfOKdm--W","original_id":"604","name":"Wi-Fi Jamming","metadata":"Countermeasures have been proposed for both disassociation flooding and RF jamming, however these countermeasures are not standardized and would need to be supported on both the retransmission device and the handset in order to be effective. Commercial products are not currently available that support jamming countermeasures for Wi-Fi.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00934","_id":"capec_mitigation/capec_mitigation_00934","_rev":"_dVfOKdm--X","original_id":"605","name":"Cellular Jamming","metadata":"Mitigating this attack requires countermeasures employed on both the retransmission device as well as on the cell tower. Therefore, any system that relies on existing commercial cell towards will likely be vulnerable to this attack. By using a private cellular LTE network (i.e., a custom cell tower), jamming countermeasures could be developed and employed.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00935","_id":"capec_mitigation/capec_mitigation_00935","_rev":"_dVfOKdm--Y","original_id":"606","name":"Weakening of Cellular Encryption","metadata":"Use of hardened baseband firmware on retransmission device to detect and prevent the use of weak cellular encryption.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00936","_id":"capec_mitigation/capec_mitigation_00936","_rev":"_dVfOKdm--Z","original_id":"606","name":"Weakening of Cellular Encryption","metadata":"Monitor cellular RF interface to detect the usage of weaker-than-expected cellular encryption.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00937","_id":"capec_mitigation/capec_mitigation_00937","_rev":"_dVfOKdm--a","original_id":"608","name":"Cryptanalysis of Cellular Encryption","metadata":"Use of hardened baseband firmware on retransmission device to detect and prevent the use of weak cellular encryption.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00938","_id":"capec_mitigation/capec_mitigation_00938","_rev":"_dVfOKdm--b","original_id":"608","name":"Cryptanalysis of Cellular Encryption","metadata":"Monitor cellular RF interface to detect the usage of weaker-than-expected cellular encryption.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00939","_id":"capec_mitigation/capec_mitigation_00939","_rev":"_dVfOKdm--c","original_id":"609","name":"Cellular Traffic Intercept","metadata":"Encryption of all data packets emanating from the smartphone to a retransmission device via two encrypted tunnels with Suite B cryptography, all the way to the VPN gateway at the datacenter.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00940","_id":"capec_mitigation/capec_mitigation_00940","_rev":"_dVfOKdm--d","original_id":"610","name":"Cellular Data Injection","metadata":"Commercial defensive technology to detect and alert to any attempts to modify mobile technology data flows or to inject new data into existing data flows and signaling data.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00941","_id":"capec_mitigation/capec_mitigation_00941","_rev":"_dVfOKdm--e","original_id":"611","name":"BitSquatting","metadata":"Authenticate all servers and perform redundant checks when using DNS hostnames.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00942","_id":"capec_mitigation/capec_mitigation_00942","_rev":"_dVfOKdm--f","original_id":"611","name":"BitSquatting","metadata":"When possible, use error-correcting (ECC) memory in local devices as non-ECC memory is significantly more vulnerable to faults.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00943","_id":"capec_mitigation/capec_mitigation_00943","_rev":"_dVfOKdm--g","original_id":"612","name":"WiFi MAC Address Tracking","metadata":"Automatic randomization of WiFi MAC addresses","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00944","_id":"capec_mitigation/capec_mitigation_00944","_rev":"_dVfOKdm--h","original_id":"612","name":"WiFi MAC Address Tracking","metadata":"Frequent changing of handset and retransmission device","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00945","_id":"capec_mitigation/capec_mitigation_00945","_rev":"_dVfOKdm--i","original_id":"613","name":"WiFi SSID Tracking","metadata":"Do not enable the feature of \"Hidden SSIDs\" (also known as \"Network Cloaking\") – this option disables the usual broadcasting of the SSID by the access point, but forces the mobile handset to send requests on all supported radio channels which contains the SSID. The result is that tracking of the mobile device becomes easier since it is transmitting the SSID more frequently.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00946","_id":"capec_mitigation/capec_mitigation_00946","_rev":"_dVfOKdm--j","original_id":"613","name":"WiFi SSID Tracking","metadata":"Frequently change the SSID to new and unrelated values","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00947","_id":"capec_mitigation/capec_mitigation_00947","_rev":"_dVfOKdm--k","original_id":"614","name":"Rooting SIM Cards","metadata":"Upgrade the SIM card to use the state-of-the-art AES or the somewhat outdated 3DES algorithm for OTA.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00948","_id":"capec_mitigation/capec_mitigation_00948","_rev":"_dVfOKdm--l","original_id":"615","name":"Evil Twin Wi-Fi Attack","metadata":"Commercial defensive technology that monitors for rogue Wi-Fi access points, adversary-in-the-middle attacks, and anomalous activity with the mobile device baseband radios.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00949","_id":"capec_mitigation/capec_mitigation_00949","_rev":"_dVfOKdm--m","original_id":"617","name":"Cellular Rogue Base Station","metadata":"Passively monitor cellular network connection for real-time threat detection and logging for manual review.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00950","_id":"capec_mitigation/capec_mitigation_00950","_rev":"_dVfOKdm--n","original_id":"618","name":"Cellular Broadcast Message Request","metadata":"Frequent changing of mobile number.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00951","_id":"capec_mitigation/capec_mitigation_00951","_rev":"_dVfOKdm--o","original_id":"621","name":"Analysis of Packet Timing and Sizes","metadata":"Distort packet sizes and timing at VPN layer by adding padding to normalize packet sizes and timing delays to reduce information leakage via timing.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00952","_id":"capec_mitigation/capec_mitigation_00952","_rev":"_dVfOKdm--p","original_id":"622","name":"Electromagnetic Side-Channel Attack","metadata":"Utilize side-channel resistant implementations of all crypto algorithms.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00953","_id":"capec_mitigation/capec_mitigation_00953","_rev":"_dVfOKdm--q","original_id":"622","name":"Electromagnetic Side-Channel Attack","metadata":"Strong physical security of all devices that contain secret key information. (even when devices are not in use)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00954","_id":"capec_mitigation/capec_mitigation_00954","_rev":"_dVfOKdm--r","original_id":"623","name":"Compromising Emanations Attack","metadata":"None are known.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00955","_id":"capec_mitigation/capec_mitigation_00955","_rev":"_dVfOKdm--s","original_id":"624","name":"Hardware Fault Injection","metadata":"Implement robust physical security countermeasures and monitoring.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00956","_id":"capec_mitigation/capec_mitigation_00956","_rev":"_dVfOKdm--t","original_id":"625","name":"Mobile Device Fault Injection","metadata":"Strong physical security of all devices that contain secret key information. (even when devices are not in use)","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00957","_id":"capec_mitigation/capec_mitigation_00957","_rev":"_dVfOKdm--u","original_id":"625","name":"Mobile Device Fault Injection","metadata":"Frequent changes to secret keys and certificates.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00958","_id":"capec_mitigation/capec_mitigation_00958","_rev":"_dVfOKdm--v","original_id":"626","name":"Smudge Attack","metadata":"Strong physical security of the device.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00959","_id":"capec_mitigation/capec_mitigation_00959","_rev":"_dVfOKdm--w","original_id":"630","name":"TypoSquatting","metadata":"Authenticate all servers and perform redundant checks when using DNS hostnames.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00960","_id":"capec_mitigation/capec_mitigation_00960","_rev":"_dVfOKdm--x","original_id":"630","name":"TypoSquatting","metadata":"Purchase potential TypoSquatted domains and forward to legitimate domain.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00961","_id":"capec_mitigation/capec_mitigation_00961","_rev":"_dVfOKdm--y","original_id":"631","name":"SoundSquatting","metadata":"Authenticate all servers and perform redundant checks when using DNS hostnames.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00962","_id":"capec_mitigation/capec_mitigation_00962","_rev":"_dVfOKdm--z","original_id":"631","name":"SoundSquatting","metadata":"Purchase potential SoundSquatted domains and forward to legitimate domain.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00963","_id":"capec_mitigation/capec_mitigation_00963","_rev":"_dVfOKdm--0","original_id":"632","name":"Homograph Attack via Homoglyphs","metadata":"Authenticate all servers and perform redundant checks when using DNS hostnames.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00964","_id":"capec_mitigation/capec_mitigation_00964","_rev":"_dVfOKdm--1","original_id":"632","name":"Homograph Attack via Homoglyphs","metadata":"Utilize browsers that can warn users if URLs contain characters from different character sets.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00965","_id":"capec_mitigation/capec_mitigation_00965","_rev":"_dVfOKdm--2","original_id":"634","name":"Probe Audio and Video Peripherals","metadata":"Prevent unknown code from executing on a system through the use of an allowlist policy.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00966","_id":"capec_mitigation/capec_mitigation_00966","_rev":"_dVfOKdm--3","original_id":"634","name":"Probe Audio and Video Peripherals","metadata":"Patch installed applications as soon as new updates become available.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00967","_id":"capec_mitigation/capec_mitigation_00967","_rev":"_dVfOKdm--4","original_id":"635","name":"Alternative Execution Due to Deceptive Filenames","metadata":"Applications should insure that the content of the file is consistent with format it is expecting, and not depend solely on the file extension.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00968","_id":"capec_mitigation/capec_mitigation_00968","_rev":"_dVfOKdm--5","original_id":"636","name":"Hiding Malicious Data or Code within Files","metadata":"Many tools are available to search for the hidden data. Scan regularly for such data using one of these tools.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00969","_id":"capec_mitigation/capec_mitigation_00969","_rev":"_dVfOKdm--6","original_id":"637","name":"Collect Data from Clipboard","metadata":"While copying and pasting of data with the clipboard is a legitimate and practical function, certain situations and context may require the disabling of this feature. Just as certain applications disable screenshot capability, applications that handle highly sensitive information should consider disabling copy and paste functionality.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00970","_id":"capec_mitigation/capec_mitigation_00970","_rev":"_dVfOKdm--7","original_id":"637","name":"Collect Data from Clipboard","metadata":"Employ a robust identification and audit/blocking via using an allowlist of applications on your system. Malware may contain the functionality associated with this attack pattern.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00971","_id":"capec_mitigation/capec_mitigation_00971","_rev":"_dVfOKdm--8","original_id":"638","name":"Altered Component Firmware","metadata":"Leverage hardware components known to not be susceptible to these types of attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00972","_id":"capec_mitigation/capec_mitigation_00972","_rev":"_dVfOKdm--9","original_id":"638","name":"Altered Component Firmware","metadata":"Implement hardware RAID infrastructure.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00975","_id":"capec_mitigation/capec_mitigation_00975","_rev":"_dVfOKdm-_-","original_id":"639","name":"Probe System Files","metadata":"Verify that files have proper access controls set, and reduce the storage of sensitive information to only what is necessary.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00976","_id":"capec_mitigation/capec_mitigation_00976","_rev":"_dVfOKdm-__","original_id":"640","name":"Inclusion of Code in Existing Process","metadata":"Prevent unknown or malicious software from loading through using an allowlist policy.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00977","_id":"capec_mitigation/capec_mitigation_00977","_rev":"_dVfOKdm-_A","original_id":"640","name":"Inclusion of Code in Existing Process","metadata":"Properly restrict the location of the software being used.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00978","_id":"capec_mitigation/capec_mitigation_00978","_rev":"_dVfOKdm-_B","original_id":"640","name":"Inclusion of Code in Existing Process","metadata":"Leverage security kernel modules providing advanced access control and process restrictions like SELinux.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00979","_id":"capec_mitigation/capec_mitigation_00979","_rev":"_dVfOKdm-_C","original_id":"640","name":"Inclusion of Code in Existing Process","metadata":"Monitor API calls like CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC, and similar for Windows.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00980","_id":"capec_mitigation/capec_mitigation_00980","_rev":"_dVfOKdm-_D","original_id":"640","name":"Inclusion of Code in Existing Process","metadata":"Monitor API calls like ptrace system call, use of LD_PRELOAD environment variable, dlfcn dynamic linking API calls, and similar for Linux.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00981","_id":"capec_mitigation/capec_mitigation_00981","_rev":"_dVfOKdm-_E","original_id":"640","name":"Inclusion of Code in Existing Process","metadata":"Monitor API calls like SetWindowsHookEx and SetWinEventHook which install hook procedures for Windows.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00982","_id":"capec_mitigation/capec_mitigation_00982","_rev":"_dVfOKdm-_F","original_id":"640","name":"Inclusion of Code in Existing Process","metadata":"Monitor processes and command-line arguments for unknown behavior related to code injection.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00983","_id":"capec_mitigation/capec_mitigation_00983","_rev":"_dVfOKdm-_G","original_id":"641","name":"DLL Side-Loading","metadata":"Prevent unknown DLLs from loading through using an allowlist policy.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00984","_id":"capec_mitigation/capec_mitigation_00984","_rev":"_dVfOKdm-_H","original_id":"641","name":"DLL Side-Loading","metadata":"Patch installed applications as soon as new updates become available.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00985","_id":"capec_mitigation/capec_mitigation_00985","_rev":"_dVfOKdm-_I","original_id":"641","name":"DLL Side-Loading","metadata":"Properly restrict the location of the software being used.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00986","_id":"capec_mitigation/capec_mitigation_00986","_rev":"_dVfOKdm-_J","original_id":"641","name":"DLL Side-Loading","metadata":"Use of sxstrace.exe on Windows as well as manual inspection of the manifests.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00987","_id":"capec_mitigation/capec_mitigation_00987","_rev":"_dVfOKdm-_K","original_id":"641","name":"DLL Side-Loading","metadata":"Require code signing and avoid using relative paths for resources.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00988","_id":"capec_mitigation/capec_mitigation_00988","_rev":"_dVfOKdq---","original_id":"642","name":"Replace Binaries","metadata":"Insure that binaries commonly used by the system have the correct file permissions. Set operating system policies that restrict privilege elevation of non-Administrators. Use auditing tools to observe changes to system services.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00989","_id":"capec_mitigation/capec_mitigation_00989","_rev":"_dVfOKdq--_","original_id":"643","name":"Identify Shared Files/Directories on System","metadata":"Identify unnecessary system utilities or potentially malicious software that may contain functionality to identify network share information, and audit and/or block them by using allowlist tools.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00990","_id":"capec_mitigation/capec_mitigation_00990","_rev":"_dVfOKdq--A","original_id":"644","name":"Use of Captured Hashes (Pass The Hash)","metadata":"Prevent the use of Lan Man and NT Lan Man authentication on severs and apply patch KB2871997 to Windows 7 and higher systems.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00991","_id":"capec_mitigation/capec_mitigation_00991","_rev":"_dVfOKdq--B","original_id":"644","name":"Use of Captured Hashes (Pass The Hash)","metadata":"Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00992","_id":"capec_mitigation/capec_mitigation_00992","_rev":"_dVfOKdq--C","original_id":"644","name":"Use of Captured Hashes (Pass The Hash)","metadata":"Monitor system and domain logs for abnormal credential access.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00993","_id":"capec_mitigation/capec_mitigation_00993","_rev":"_dVfOKdq--D","original_id":"644","name":"Use of Captured Hashes (Pass The Hash)","metadata":"Create a strong password policy and ensure that your system enforces this policy.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_00994","_id":"capec_mitigation/capec_mitigation_00994","_rev":"_dVfOKdq--E","original_id":"644","name":"Use of Captured Hashes (Pass The Hash)","metadata":"Leverage system penetration testing and other defense in depth methods to determine vulnerable systems within a domain.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01000","_id":"capec_mitigation/capec_mitigation_01000","_rev":"_dVfOKdq--F","original_id":"645","name":"Use of Captured Tickets (Pass The Ticket)","metadata":"Reset the built-in KRBTGT account password twice to invalidate the existence of any current Golden Tickets and any tickets derived from them.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01001","_id":"capec_mitigation/capec_mitigation_01001","_rev":"_dVfOKdq--G","original_id":"645","name":"Use of Captured Tickets (Pass The Ticket)","metadata":"Monitor system and domain logs for abnormal access.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01002","_id":"capec_mitigation/capec_mitigation_01002","_rev":"_dVfOKdq--H","original_id":"646","name":"Peripheral Footprinting","metadata":"Identify programs that may be used to acquire peripheral information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01003","_id":"capec_mitigation/capec_mitigation_01003","_rev":"_dVfOKdq--I","original_id":"647","name":"Collect Data from Registries","metadata":"Employ a robust and layered defensive posture in order to prevent unauthorized users on your system.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01004","_id":"capec_mitigation/capec_mitigation_01004","_rev":"_dVfOKdq--J","original_id":"647","name":"Collect Data from Registries","metadata":"Employ robust identification and audit/blocking via using an allowlist of applications on your system. Unnecessary applications, utilities, and configurations will have a presence in the system registry that can be leveraged by an adversary through this attack pattern.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01005","_id":"capec_mitigation/capec_mitigation_01005","_rev":"_dVfOKdq--K","original_id":"648","name":"Collect Data from Screen Capture","metadata":"Identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using allowlist tools.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01006","_id":"capec_mitigation/capec_mitigation_01006","_rev":"_dVfOKdq--L","original_id":"648","name":"Collect Data from Screen Capture","metadata":"While screen capture is a legitimate and practical function, certain situations and context may require the disabling of this feature.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01007","_id":"capec_mitigation/capec_mitigation_01007","_rev":"_dVfOKdq--M","original_id":"649","name":"Adding a Space to a File Extension","metadata":"File extensions should be checked to see if non-visible characters are being included.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01008","_id":"capec_mitigation/capec_mitigation_01008","_rev":"_dVfOKdq--N","original_id":"650","name":"Upload a Web Shell to a Web Server","metadata":"Make sure your web server is up-to-date with all patches to protect against known vulnerabilities.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01009","_id":"capec_mitigation/capec_mitigation_01009","_rev":"_dVfOKdq--O","original_id":"650","name":"Upload a Web Shell to a Web Server","metadata":"Ensure that the file permissions in directories on the web server from which files can be execute is set to the \"least privilege\" settings, and that those directories contents is controlled by an allowlist.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01010","_id":"capec_mitigation/capec_mitigation_01010","_rev":"_dVfOKdq--P","original_id":"651","name":"Eavesdropping","metadata":"Be mindful of your surroundings when discussing sensitive information in public areas.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01011","_id":"capec_mitigation/capec_mitigation_01011","_rev":"_dVfOKdq--Q","original_id":"651","name":"Eavesdropping","metadata":"Implement proper software restriction policies to only allow authorized software on your environment. Use of anti-virus and other security monitoring and detecting tools can aid in this too. Closely monitor installed software for unusual behavior or activity, and implement patches as soon as they become available.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01012","_id":"capec_mitigation/capec_mitigation_01012","_rev":"_dVfOKdq--R","original_id":"651","name":"Eavesdropping","metadata":"If possible, physically disable the microphone on your machine if it is not needed.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01013","_id":"capec_mitigation/capec_mitigation_01013","_rev":"_dVfOKdq--S","original_id":"652","name":"Use of Known Kerberos Credentials","metadata":"Create a strong password policy and ensure that your system enforces this policy for Kerberos service accounts.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01014","_id":"capec_mitigation/capec_mitigation_01014","_rev":"_dVfOKdq--T","original_id":"652","name":"Use of Known Kerberos Credentials","metadata":"Ensure Kerberos service accounts are not reusing username/password combinations for multiple systems, applications, or services.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01015","_id":"capec_mitigation/capec_mitigation_01015","_rev":"_dVfOKdq--U","original_id":"652","name":"Use of Known Kerberos Credentials","metadata":"Do not reuse Kerberos service account credentials across systems.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01016","_id":"capec_mitigation/capec_mitigation_01016","_rev":"_dVfOKdq--V","original_id":"652","name":"Use of Known Kerberos Credentials","metadata":"Deny remote use of Kerberos service account credentials to log into domain systems.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01017","_id":"capec_mitigation/capec_mitigation_01017","_rev":"_dVfOKdq--W","original_id":"652","name":"Use of Known Kerberos Credentials","metadata":"Do not allow Kerberos service accounts to be a local administrator on more than one system.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01018","_id":"capec_mitigation/capec_mitigation_01018","_rev":"_dVfOKdq--X","original_id":"652","name":"Use of Known Kerberos Credentials","metadata":"Enable at least AES Kerberos encryption for tickets.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01019","_id":"capec_mitigation/capec_mitigation_01019","_rev":"_dVfOKdq--Y","original_id":"652","name":"Use of Known Kerberos Credentials","metadata":"Monitor system and domain logs for abnormal credential access.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01025","_id":"capec_mitigation/capec_mitigation_01025","_rev":"_dVfOKdq--Z","original_id":"653","name":"Use of Known Windows Credentials","metadata":"Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01026","_id":"capec_mitigation/capec_mitigation_01026","_rev":"_dVfOKdq--a","original_id":"653","name":"Use of Known Windows Credentials","metadata":"Create a strong password policy and ensure that your system enforces this policy.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01027","_id":"capec_mitigation/capec_mitigation_01027","_rev":"_dVfOKdq--b","original_id":"653","name":"Use of Known Windows Credentials","metadata":"Ensure users are not reusing username/password combinations for multiple systems, applications, or services.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01028","_id":"capec_mitigation/capec_mitigation_01028","_rev":"_dVfOKdq--c","original_id":"653","name":"Use of Known Windows Credentials","metadata":"Do not reuse local administrator account credentials across systems.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01029","_id":"capec_mitigation/capec_mitigation_01029","_rev":"_dVfOKdq--d","original_id":"653","name":"Use of Known Windows Credentials","metadata":"Deny remote use of local admin credentials to log into domain systems.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01030","_id":"capec_mitigation/capec_mitigation_01030","_rev":"_dVfOKdq--e","original_id":"653","name":"Use of Known Windows Credentials","metadata":"Do not allow accounts to be a local administrator on more than one system.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01031","_id":"capec_mitigation/capec_mitigation_01031","_rev":"_dVfOKdq--f","original_id":"653","name":"Use of Known Windows Credentials","metadata":"Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01032","_id":"capec_mitigation/capec_mitigation_01032","_rev":"_dVfOKdq--g","original_id":"653","name":"Use of Known Windows Credentials","metadata":"Monitor system and domain logs for abnormal credential access.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01038","_id":"capec_mitigation/capec_mitigation_01038","_rev":"_dVfOKdq--h","original_id":"654","name":"Credential Prompt Impersonation","metadata":"The only known mitigation to this attack is to avoid installing the malicious application on the device. However, to impersonate a running task the malicious application does need the GET_TASKS permission to be able to query the task list, and being suspicious of applications with that permission can help.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01040","_id":"capec_mitigation/capec_mitigation_01040","_rev":"_dVfOKdq--i","original_id":"656","name":"Voice Phishing","metadata":"Do not accept calls from unknown numbers or from numbers that may be flagged as spam. Also, do not call numbers that appear on-screen after being unexpectedly redirected to potentially malicious websites. In either case, do not provide sensitive information over voice calls that are not legitimately initiated. Instead, call your Bank, PayPal, eBay, etc., via the number on their public-facing website and inquire about the problem.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01044","_id":"capec_mitigation/capec_mitigation_01044","_rev":"_dVfOKdq--j","original_id":"660","name":"Root/Jailbreak Detection Evasion via Hooking","metadata":"Ensure mobile applications are signed appropriately to avoid code inclusion via hooking.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01045","_id":"capec_mitigation/capec_mitigation_01045","_rev":"_dVfOKdq--k","original_id":"660","name":"Root/Jailbreak Detection Evasion via Hooking","metadata":"Inspect the application's memory for suspicious artifacts, such as shared objects/JARs or dylibs, after other Root/Jailbreak detection methods.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01046","_id":"capec_mitigation/capec_mitigation_01046","_rev":"_dVfOKdq--l","original_id":"660","name":"Root/Jailbreak Detection Evasion via Hooking","metadata":"Inspect the application's stack trace for suspicious method calls.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01047","_id":"capec_mitigation/capec_mitigation_01047","_rev":"_dVfOKdq--m","original_id":"660","name":"Root/Jailbreak Detection Evasion via Hooking","metadata":"Allow legitimate native methods, and check for non-allowed native methods during Root/Jailbreak detection methods.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01048","_id":"capec_mitigation/capec_mitigation_01048","_rev":"_dVfOKdq--n","original_id":"660","name":"Root/Jailbreak Detection Evasion via Hooking","metadata":"For iOS applications, ensure application methods do not originate from outside of Apple's SDK.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01049","_id":"capec_mitigation/capec_mitigation_01049","_rev":"_dVfOKdq--o","original_id":"661","name":"Root/Jailbreak Detection Evasion via Debugging","metadata":"Instantiate checks within the application code that ensures debuggers are not attached.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01050","_id":"capec_mitigation/capec_mitigation_01050","_rev":"_dVfOKdq--p","original_id":"662","name":"Adversary in the Browser (AiTB)","metadata":"Ensure software and applications are only downloaded from legitimate and reputable sources, in addition to conducting integrity checks on the downloaded component.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01051","_id":"capec_mitigation/capec_mitigation_01051","_rev":"_dVfOKdq--q","original_id":"662","name":"Adversary in the Browser (AiTB)","metadata":"Leverage anti-malware tools, which can detect Trojan Horse malware.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01052","_id":"capec_mitigation/capec_mitigation_01052","_rev":"_dVfOKdq--r","original_id":"662","name":"Adversary in the Browser (AiTB)","metadata":"Use strong, out-of-band mutual authentication to always fully authenticate both ends of any communications channel.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01053","_id":"capec_mitigation/capec_mitigation_01053","_rev":"_dVfOKdq--s","original_id":"662","name":"Adversary in the Browser (AiTB)","metadata":"Limit user permissions to prevent browser pivoting.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01054","_id":"capec_mitigation/capec_mitigation_01054","_rev":"_dVfOKdq--t","original_id":"662","name":"Adversary in the Browser (AiTB)","metadata":"Ensure browser sessions are regularly terminated and when their effective lifetime ends.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01055","_id":"capec_mitigation/capec_mitigation_01055","_rev":"_dVfOKdq--u","original_id":"663","name":"Exploitation of Transient Instruction Execution","metadata":"Implementation: DAWG (Dynamically Allocated Way Guard) - processor cache properly divided between different programs/processes that don't share resources","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01056","_id":"capec_mitigation/capec_mitigation_01056","_rev":"_dVfOKdq--v","original_id":"663","name":"Exploitation of Transient Instruction Execution","metadata":"Implementation: KPTI (Kernel Page-Table Isolation) to completely separate user-space and kernel space page tables","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01057","_id":"capec_mitigation/capec_mitigation_01057","_rev":"_dVfOKdq--w","original_id":"663","name":"Exploitation of Transient Instruction Execution","metadata":"Configuration: Architectural Design of Microcode to limit abuse of speculative execution and out-of-order execution","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01058","_id":"capec_mitigation/capec_mitigation_01058","_rev":"_dVfOKdq--x","original_id":"663","name":"Exploitation of Transient Instruction Execution","metadata":"Configuration: Disable SharedArrayBuffer for Web Browsers","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01059","_id":"capec_mitigation/capec_mitigation_01059","_rev":"_dVfOKdq--y","original_id":"663","name":"Exploitation of Transient Instruction Execution","metadata":"Configuration: Disable Copy-on-Write between Cloud VMs","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01060","_id":"capec_mitigation/capec_mitigation_01060","_rev":"_dVfOKdq--z","original_id":"663","name":"Exploitation of Transient Instruction Execution","metadata":"Configuration: Privilege Checks on Cache Flush Instructions","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01061","_id":"capec_mitigation/capec_mitigation_01061","_rev":"_dVfOKdq--0","original_id":"663","name":"Exploitation of Transient Instruction Execution","metadata":"Implementation: Non-inclusive Cache Memories to prevent Flush+Reload Attacks","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01063","_id":"capec_mitigation/capec_mitigation_01063","_rev":"_dVfOKdq--1","original_id":"664","name":"Server Side Request Forgery","metadata":"Handling incoming requests securely is the first line of action to mitigate this vulnerability. This can be done through URL validation.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01064","_id":"capec_mitigation/capec_mitigation_01064","_rev":"_dVfOKdq--2","original_id":"664","name":"Server Side Request Forgery","metadata":"Further down the process flow, examining the response and verifying that it is as expected before sending would be another way to secure the server.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01065","_id":"capec_mitigation/capec_mitigation_01065","_rev":"_dVfOKdq--3","original_id":"664","name":"Server Side Request Forgery","metadata":"Allowlist the DNS name or IP address of every service the web application is required to access is another effective security measure. This ensures the server cannot make external requests to arbitrary services.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01066","_id":"capec_mitigation/capec_mitigation_01066","_rev":"_dVfOKdq--4","original_id":"664","name":"Server Side Request Forgery","metadata":"Requiring authentication for local services adds another layer of security between the adversary and internal services running on the server. By enforcing local authentication, an adversary will not gain access to all internal services only with access to the server.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01067","_id":"capec_mitigation/capec_mitigation_01067","_rev":"_dVfOKdq--5","original_id":"664","name":"Server Side Request Forgery","metadata":"Enforce the usage of relevant URL schemas. By limiting requests be made only through HTTP or HTTPS, for example, attacks made through insecure schemas such as file://, ftp://, etc. can be prevented.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01068","_id":"capec_mitigation/capec_mitigation_01068","_rev":"_dVfOKdq--6","original_id":"665","name":"Exploitation of Thunderbolt Protection Flaws","metadata":"Implementation: Kernel Direct Memory Access Protection","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01069","_id":"capec_mitigation/capec_mitigation_01069","_rev":"_dVfOKdq--7","original_id":"665","name":"Exploitation of Thunderbolt Protection Flaws","metadata":"Configuration: Enable UEFI option USB Passthrough mode - Thunderbolt 3 system port operates as USB 3.1 Type C interface","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01070","_id":"capec_mitigation/capec_mitigation_01070","_rev":"_dVfOKdq--8","original_id":"665","name":"Exploitation of Thunderbolt Protection Flaws","metadata":"Configuration: Enable UEFI option DisplayPort mode - Thunderbolt 3 system port operates as video-only DP interface","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01071","_id":"capec_mitigation/capec_mitigation_01071","_rev":"_dVfOKdq--9","original_id":"665","name":"Exploitation of Thunderbolt Protection Flaws","metadata":"Configuration: Enable UEFI option Mixed USB/DisplayPort mode - Thunderbolt 3 system port operates as USB 3.1 Type C interface with support for DP mode","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01072","_id":"capec_mitigation/capec_mitigation_01072","_rev":"_dVfOKdq-_-","original_id":"665","name":"Exploitation of Thunderbolt Protection Flaws","metadata":"Configuration: Set Security Level to SL3 for Thunderbolt 2 system port","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01073","_id":"capec_mitigation/capec_mitigation_01073","_rev":"_dVfOKdq-__","original_id":"665","name":"Exploitation of Thunderbolt Protection Flaws","metadata":"Configuration: Disable PCIe tunneling to set Security Level to SL3","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01074","_id":"capec_mitigation/capec_mitigation_01074","_rev":"_dVfOKdq-_A","original_id":"665","name":"Exploitation of Thunderbolt Protection Flaws","metadata":"Configuration: Disable Boot Camp upon MacOS systems","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01076","_id":"capec_mitigation/capec_mitigation_01076","_rev":"_dVfOKdq-_B","original_id":"666","name":"BlueSmacking","metadata":"Disable Bluetooth when not being used.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01077","_id":"capec_mitigation/capec_mitigation_01077","_rev":"_dVfOKdq-_C","original_id":"666","name":"BlueSmacking","metadata":"When using Bluetooth, set it to hidden or non-discoverable mode.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01079","_id":"capec_mitigation/capec_mitigation_01079","_rev":"_dVfOKdq-_D","original_id":"667","name":"Bluetooth Impersonation AttackS (BIAS)","metadata":"Disable Bluetooth in public places.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01080","_id":"capec_mitigation/capec_mitigation_01080","_rev":"_dVfOKdq-_E","original_id":"667","name":"Bluetooth Impersonation AttackS (BIAS)","metadata":"Verify incoming Bluetooth connections; do not automatically trust.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01081","_id":"capec_mitigation/capec_mitigation_01081","_rev":"_dVfOKdq-_F","original_id":"667","name":"Bluetooth Impersonation AttackS (BIAS)","metadata":"Change default PIN passwords and always use one when connecting.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01082","_id":"capec_mitigation/capec_mitigation_01082","_rev":"_dVfOKdq-_G","original_id":"668","name":"Key Negotiation of Bluetooth Attack (KNOB)","metadata":"Newer Bluetooth firmwares ensure that the KNOB is not negotaited in plaintext. Update your device.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01083","_id":"capec_mitigation/capec_mitigation_01083","_rev":"_dVfOKdq-_H","original_id":"669","name":"Alteration of a Software Update","metadata":"Have a Software Assurance Plan that includes maintaining strict configuration management control of source code, object code and software development, build and distribution tools; manual code reviews and static code analysis for developmental software; and tracking of all storage and movement of code.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01084","_id":"capec_mitigation/capec_mitigation_01084","_rev":"_dVfOKdq-_I","original_id":"669","name":"Alteration of a Software Update","metadata":"Require elevated privileges for distribution of software and software updates.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01085","_id":"capec_mitigation/capec_mitigation_01085","_rev":"_dVfOKdq-_J","original_id":"670","name":"Software Development Tools Maliciously Altered","metadata":"Have a security concept of operations (CONOPS) for the development environment that includes: Maintaining strict security administration and configuration management of requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01086","_id":"capec_mitigation/capec_mitigation_01086","_rev":"_dVfOKdq-_K","original_id":"670","name":"Software Development Tools Maliciously Altered","metadata":"Avoid giving elevated privileges to developers.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01087","_id":"capec_mitigation/capec_mitigation_01087","_rev":"_dVfOKdq-_L","original_id":"671","name":"Requirements for ASIC Functionality Maliciously Altered","metadata":"Utilize DMEA’s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01088","_id":"capec_mitigation/capec_mitigation_01088","_rev":"_dVfOKdq-_M","original_id":"671","name":"Requirements for ASIC Functionality Maliciously Altered","metadata":"Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management including for hardware requirements and design.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01089","_id":"capec_mitigation/capec_mitigation_01089","_rev":"_dVfOKdq-_N","original_id":"671","name":"Requirements for ASIC Functionality Maliciously Altered","metadata":"Require that provenance of COTS microelectronic components be known whenever procured.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01090","_id":"capec_mitigation/capec_mitigation_01090","_rev":"_dVfOKdq-_O","original_id":"671","name":"Requirements for ASIC Functionality Maliciously Altered","metadata":"Conduct detailed vendor assessment before acquiring COTS hardware.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01091","_id":"capec_mitigation/capec_mitigation_01091","_rev":"_dVfOKdq-_P","original_id":"672","name":"Malicious Code Implanted During Chip Programming","metadata":"Utilize DMEA’s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01092","_id":"capec_mitigation/capec_mitigation_01092","_rev":"_dVfOKdq-_Q","original_id":"672","name":"Malicious Code Implanted During Chip Programming","metadata":"Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management of microcode and microcode generating tools and software.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01093","_id":"capec_mitigation/capec_mitigation_01093","_rev":"_dVfOKdq-_R","original_id":"672","name":"Malicious Code Implanted During Chip Programming","metadata":"Require that provenance of COTS microelectronic components be known whenever procured.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01094","_id":"capec_mitigation/capec_mitigation_01094","_rev":"_dVfOKdq-_S","original_id":"672","name":"Malicious Code Implanted During Chip Programming","metadata":"Conduct detailed vendor assessment before acquiring COTS hardware.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01095","_id":"capec_mitigation/capec_mitigation_01095","_rev":"_dVfOKdu---","original_id":"673","name":"Developer Signing Maliciously Altered Software","metadata":"Have a security concept of operations (CONOPS) for the IDE that includes: Protecting the IDE via logical isolation using firewall and DMZ technologies/architectures; Maintaining strict security administration and configuration management of configuration management tools, developmental software and dependency code repositories, compilers, and system build tools.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01096","_id":"capec_mitigation/capec_mitigation_01096","_rev":"_dVfOKdu--_","original_id":"673","name":"Developer Signing Maliciously Altered Software","metadata":"Employ intrusion detection and malware detection capabilities on IDE systems where feasible.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01097","_id":"capec_mitigation/capec_mitigation_01097","_rev":"_dVfOKdu--A","original_id":"674","name":"Design for FPGA Maliciously Altered","metadata":"Utilize DMEA’s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01098","_id":"capec_mitigation/capec_mitigation_01098","_rev":"_dVfOKdu--B","original_id":"674","name":"Design for FPGA Maliciously Altered","metadata":"Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management including for FPGA programming and program uploads to FPGA chips.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01099","_id":"capec_mitigation/capec_mitigation_01099","_rev":"_dVfOKdu--C","original_id":"674","name":"Design for FPGA Maliciously Altered","metadata":"Require that provenance of COTS microelectronic components be known whenever procured.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01100","_id":"capec_mitigation/capec_mitigation_01100","_rev":"_dVfOKdu--D","original_id":"674","name":"Design for FPGA Maliciously Altered","metadata":"Conduct detailed vendor assessment before acquiring COTS hardware.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01101","_id":"capec_mitigation/capec_mitigation_01101","_rev":"_dVfOKdu--E","original_id":"676","name":"NoSQL Injection","metadata":"Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as relevant NoSQL and JavaScript content. NoSQL-specific keywords, such as $ne, $eq or $gt for MongoDB, must be filtered in addition to characters such as a single-quote(') or semicolons (;) based on the context in which they appear. Validation should also extend to expected types.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01102","_id":"capec_mitigation/capec_mitigation_01102","_rev":"_dVfOKdu--F","original_id":"676","name":"NoSQL Injection","metadata":"If possible, leverage safe APIs (e.g., PyMongo and Flask-PyMongo for Python and MongoDB) for queries as opposed to building queries from strings.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01103","_id":"capec_mitigation/capec_mitigation_01103","_rev":"_dVfOKdu--G","original_id":"676","name":"NoSQL Injection","metadata":"Ensure the most recent version of a NoSQL database and it's corresponding API are used by the application.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01104","_id":"capec_mitigation/capec_mitigation_01104","_rev":"_dVfOKdu--H","original_id":"676","name":"NoSQL Injection","metadata":"Use of custom error pages - Adversaries can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01105","_id":"capec_mitigation/capec_mitigation_01105","_rev":"_dVfOKdu--I","original_id":"676","name":"NoSQL Injection","metadata":"Exercise the principle of Least Privilege with regards to application accounts to minimize damage if a NoSQL injection attack is successful.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01106","_id":"capec_mitigation/capec_mitigation_01106","_rev":"_dVfOKdu--J","original_id":"676","name":"NoSQL Injection","metadata":"If using MongoDB, disable server-side JavaScript execution and leverage a sanitization module such as \"mongo-sanitize\".","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01107","_id":"capec_mitigation/capec_mitigation_01107","_rev":"_dVfOKdu--K","original_id":"676","name":"NoSQL Injection","metadata":"If using PHP with MongoDB, ensure all special query operators (starting with $) use single quotes to prevent operator replacement attacks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01108","_id":"capec_mitigation/capec_mitigation_01108","_rev":"_dVfOKdu--L","original_id":"676","name":"NoSQL Injection","metadata":"Additional mitigations will depend on the NoSQL database, API, and programming language leveraged by the application.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01111","_id":"capec_mitigation/capec_mitigation_01111","_rev":"_dVfOKdu--M","original_id":"677","name":"Server Functionality Compromise","metadata":"Purchase IT systems, components and parts from government approved vendors whenever possible.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01112","_id":"capec_mitigation/capec_mitigation_01112","_rev":"_dVfOKdu--N","original_id":"677","name":"Server Functionality Compromise","metadata":"Establish diversity among suppliers.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01113","_id":"capec_mitigation/capec_mitigation_01113","_rev":"_dVfOKdu--O","original_id":"677","name":"Server Functionality Compromise","metadata":"Conduct rigorous threat assessments of suppliers.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01114","_id":"capec_mitigation/capec_mitigation_01114","_rev":"_dVfOKdu--P","original_id":"677","name":"Server Functionality Compromise","metadata":"Require that Bills of Material (BoM) for critical parts and components be certified.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01115","_id":"capec_mitigation/capec_mitigation_01115","_rev":"_dVfOKdu--Q","original_id":"677","name":"Server Functionality Compromise","metadata":"Utilize contract language requiring contractors and subcontractors to flow down to subcontractors and suppliers SCRM and SCRA (Supply Chain Risk Assessment) requirements.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01116","_id":"capec_mitigation/capec_mitigation_01116","_rev":"_dVfOKdu--R","original_id":"677","name":"Server Functionality Compromise","metadata":"Establish trusted supplier networks.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01117","_id":"capec_mitigation/capec_mitigation_01117","_rev":"_dVfOKdu--S","original_id":"678","name":"System Build Data Maliciously Altered","metadata":"Implement configuration management security practices that protect the integrity of software and associated data.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01118","_id":"capec_mitigation/capec_mitigation_01118","_rev":"_dVfOKdu--T","original_id":"678","name":"System Build Data Maliciously Altered","metadata":"Monitor and control access to the configuration management system.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01119","_id":"capec_mitigation/capec_mitigation_01119","_rev":"_dVfOKdu--U","original_id":"678","name":"System Build Data Maliciously Altered","metadata":"Harden centralized repositories against attack.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01120","_id":"capec_mitigation/capec_mitigation_01120","_rev":"_dVfOKdu--V","original_id":"678","name":"System Build Data Maliciously Altered","metadata":"Establish acceptance criteria for configuration management check-in to assure integrity.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01121","_id":"capec_mitigation/capec_mitigation_01121","_rev":"_dVfOKdu--W","original_id":"678","name":"System Build Data Maliciously Altered","metadata":"Plan for and audit the security of configuration management administration processes.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01122","_id":"capec_mitigation/capec_mitigation_01122","_rev":"_dVfOKdu--X","original_id":"678","name":"System Build Data Maliciously Altered","metadata":"Maintain configuration control over operational systems.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01123","_id":"capec_mitigation/capec_mitigation_01123","_rev":"_dVfOKdu--Y","original_id":"679","name":"Exploitation of Improperly Configured or Implemented Memory Protections","metadata":"Ensure that protected and unprotected memory ranges are isolated and do not overlap.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01124","_id":"capec_mitigation/capec_mitigation_01124","_rev":"_dVfOKdu--Z","original_id":"679","name":"Exploitation of Improperly Configured or Implemented Memory Protections","metadata":"If memory regions must overlap, leverage memory priority schemes if memory regions can overlap.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01125","_id":"capec_mitigation/capec_mitigation_01125","_rev":"_dVfOKdu--a","original_id":"679","name":"Exploitation of Improperly Configured or Implemented Memory Protections","metadata":"Ensure that original and mirrored memory regions apply the same protections.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01126","_id":"capec_mitigation/capec_mitigation_01126","_rev":"_dVfOKdu--b","original_id":"679","name":"Exploitation of Improperly Configured or Implemented Memory Protections","metadata":"Ensure immutable code or data is programmed into ROM or write-once memory.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01127","_id":"capec_mitigation/capec_mitigation_01127","_rev":"_dVfOKdu--c","original_id":"680","name":"Exploitation of Improperly Controlled Registers","metadata":"Design proper access control policies for hardware register access from software and ensure these policies are implemented in accordance with the specified design.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01128","_id":"capec_mitigation/capec_mitigation_01128","_rev":"_dVfOKdu--d","original_id":"680","name":"Exploitation of Improperly Controlled Registers","metadata":"Ensure security lock bit protections are reviewed for design inconsistencies and common weaknesses.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01129","_id":"capec_mitigation/capec_mitigation_01129","_rev":"_dVfOKdu--e","original_id":"680","name":"Exploitation of Improperly Controlled Registers","metadata":"Test security lock programming flow in both pre-silicon and post-silicon environments.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01130","_id":"capec_mitigation/capec_mitigation_01130","_rev":"_dVfOKdu--f","original_id":"680","name":"Exploitation of Improperly Controlled Registers","metadata":"Leverage automated tools to test that values are not reprogrammable and that write-once fields lock on writing zeros.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01131","_id":"capec_mitigation/capec_mitigation_01131","_rev":"_dVfOKdu--g","original_id":"680","name":"Exploitation of Improperly Controlled Registers","metadata":"Ensure that measurement data is stored in registers that are read-only or otherwise have access controls that prevent modification by an untrusted agent.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01132","_id":"capec_mitigation/capec_mitigation_01132","_rev":"_dVfOKdu--h","original_id":"681","name":"Exploitation of Improperly Controlled Hardware Security Identifiers","metadata":"Review generation of security identifiers for design inconsistencies and common weaknesses.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01133","_id":"capec_mitigation/capec_mitigation_01133","_rev":"_dVfOKdu--i","original_id":"681","name":"Exploitation of Improperly Controlled Hardware Security Identifiers","metadata":"Review security identifier decoders for design inconsistencies and common weaknesses.","datatype":"capec_mitigation"},{"_key":"capec_mitigation_01134","_id":"capec_mitigation/capec_mitigation_01134","_rev":"_dVfOKdu--j","original_id":"681","name":"Exploitation of Improperly Controlled Hardware Security Identifiers","metadata":"Test security identifier definition, access, and programming flow in both pre-silicon and post-silicon environments.","datatype":"capec_mitigation"}]