diff --git "a/data/alpaca/alpaca_data_cleaned_archive.json" "b/data/alpaca/alpaca_data_cleaned_archive.json" --- "a/data/alpaca/alpaca_data_cleaned_archive.json" +++ "b/data/alpaca/alpaca_data_cleaned_archive.json" @@ -1,37 +1 @@ -[ - { - "instruction": "Describe DDOS attack", - "input": "", - "output": "A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal functioning of a network, service, or website by overwhelming it with a flood of internet traffic. In a DDoS attack, multiple compromised computers or devices, often referred to as a botnet, are used to generate a massive amount of traffic that exceeds the target's capacity to handle it." - }, - { - "instruction": "What are DDOS technique?", - "input": "", - "output": "Traffic flooding: The attacker overwhelms the target with a massive volume of network traffic, consuming all available resources. \nApplication layer attacks: The attacker targets specific applications or services, attempting to exhaust their resources by exploiting vulnerabilities or by initiating resource-intensive operations. \nProtocol attacks: The attacker exploits weaknesses in network protocols, such as the TCP/IP stack, to consume server resources or disrupt communication.\nReflective/amplified attacks: The attacker uses a technique where they send requests to a large number of vulnerable systems that respond by sending a much larger response back to the target, amplifying the attack's impact." - }, - { - "instruction": "How to avoid DDOS attack", - "input": "", - "output": "DDoS mitigation services: Consider using a reputable DDoS mitigation service that specializes in detecting and mitigating attacks. These services can help filter out malicious traffic and ensure your network remains accessible during an attack. \nNetwork monitoring: Implement robust network monitoring systems to detect any unusual traffic patterns or sudden spikes in traffic. Early detection can allow you to respond quickly and mitigate the impact of an attack." - }, - { - "instruction": "what to do when getting ddos-ed", - "input": "", - "output": "Contact your DDoS mitigation service: If you have a DDoS mitigation service in place, immediately contact them to activate their services and inform them about the ongoing attack. They can help filter out malicious traffic and provide guidance on mitigation strategies.\nMonitor network traffic: Use network monitoring tools or services to analyze and monitor the incoming traffic. Identify the characteristics of the attack, such as the source IP addresses, traffic patterns, and attack vectors. This information can be useful for further analysis and potential legal action." - }, - { - "instruction": "What is DDOS attack", - "input": "", - "output": "is a malicious with a flood of internet traffic. In a DDoS attack, multiple compromised computers or devices, often referred to as a botnet, are used to generate a massive amount of traffic that exceeds the target's capacity to handle it." - }, - { - "instruction": "Which are DDOS technique?", - "input": "Traffic flooding, Scanning, Viewing", - "output": "Traffic flooding" - }, - { - "instruction": "Avoid DDOS attack", - "input": "", - "output": "DDoS mitigation services: Consider using a reputable DDoS mitigation service that specializes in detecting and mitigating attacks. These services can help filter out malicious traffic and ensure your network remains accessible during an attack. \nNetwork monitoring: Implement robust network monitoring systems to detect any unusual traffic patterns or sudden spikes in traffic. Early detection can allow you to respond quickly and mitigate the impact of an attack." - } -] +[{"instruction": "What is", "input": "Accessing Functionality Not Properly Constrained by ACLs", "output": "In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to."}, {"instruction": "What is", "input": "coa-1-0", "output": "\n In a J2EE setting, administrators can associate a role that is impossible for the authenticator to grant users, such as \"NoAccess\", with all Servlets to which access is guarded by a limited number of servlets visible to, and accessible by, the user.\n Having done so, any direct access to those protected Servlets will be prohibited by the web container.\n In a more general setting, the administrator must mark every resource besides the ones supposed to be exposed to the user as accessible by a role impossible for the user to assume. The default security setting must be to deny access and then grant access only to those resources intended by business logic.\n "}, {"instruction": "What is", "input": "Buffer Overflow via Environment Variables", "output": "This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables."}, {"instruction": "What is", "input": "coa-10-0", "output": "Do not expose environment variable to the user."}, {"instruction": "What is", "input": "coa-10-1", "output": "Do not use untrusted data in your environment variables."}, {"instruction": "What is", "input": "coa-10-2", "output": "Use a language or compiler that performs automatic bounds checking"}, {"instruction": "What is", "input": "coa-10-3", "output": "There are tools such as Sharefuzz [REF-2] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow."}, {"instruction": "What is", "input": "Overflow Buffers", "output": "Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice."}, {"instruction": "What is", "input": "coa-100-0", "output": "Use a language or compiler that performs automatic bounds checking."}, {"instruction": "What is", "input": "coa-100-1", "output": "Use secure functions not vulnerable to buffer overflow."}, {"instruction": "What is", "input": "coa-100-2", "output": "If you have to use dangerous functions, make sure that you do boundary checking."}, {"instruction": "What is", "input": "coa-100-3", "output": "Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution."}, {"instruction": "What is", "input": "coa-100-4", "output": "Use OS-level preventative functionality. Not a complete solution."}, {"instruction": "What is", "input": "coa-100-5", "output": "Utilize static source code analysis tools to identify potential buffer overflow weaknesses in the software."}, {"instruction": "What is", "input": "Server Side Include (SSI) Injection", "output": "An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands."}, {"instruction": "What is", "input": "coa-101-0", "output": "Set the OPTIONS IncludesNOEXEC in the global access.conf file or local .htaccess (Apache) file to deny SSI execution in directories that do not need them"}, {"instruction": "What is", "input": "coa-101-1", "output": "All user controllable input must be appropriately sanitized before use in the application. This includes omitting, or encoding, certain characters or strings that have the potential of being interpreted as part of an SSI directive"}, {"instruction": "What is", "input": "coa-101-2", "output": "Server Side Includes must be enabled only if there is a strong business reason to do so. Every additional component enabled on the web server increases the attack surface as well as administrative overhead"}, {"instruction": "What is", "input": "Session Sidejacking", "output": "Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token."}, {"instruction": "What is", "input": "coa-102-0", "output": "Make sure that HTTPS is used to communicate with the target system. Alternatively, use VPN if possible. It is important to ensure that all communication between the client and the server happens via an encrypted secure channel."}, {"instruction": "What is", "input": "coa-102-1", "output": "Modify the session token with each transmission and protect it with cryptography. Add the idea of request sequencing that gives the server an ability to detect replay attacks."}, {"instruction": "What is", "input": "Clickjacking", "output": "An adversary tricks a victim into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different, usually an adversary controlled or intended, system."}, {"instruction": "What is", "input": "coa-103-0", "output": "If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames."}, {"instruction": "What is", "input": "coa-103-1", "output": "Turn off JavaScript, Flash and disable CSS."}, {"instruction": "What is", "input": "coa-103-2", "output": "When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks."}, {"instruction": "What is", "input": "Cross Zone Scripting", "output": "An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security."}, {"instruction": "What is", "input": "coa-104-0", "output": "Disable script execution."}, {"instruction": "What is", "input": "coa-104-1", "output": "Ensure that sufficient input validation is performed for any potentially untrusted data before it is used in any privileged context or zone"}, {"instruction": "What is", "input": "coa-104-2", "output": "Limit the flow of untrusted data into the privileged areas of the system that run in the higher trust zone"}, {"instruction": "What is", "input": "coa-104-3", "output": "Limit the sites that are being added to the local machine zone and restrict the privileges of the code running in that zone to the bare minimum"}, {"instruction": "What is", "input": "coa-104-4", "output": "Ensure proper HTML output encoding before writing user supplied data to the page"}, {"instruction": "What is", "input": "HTTP Request Splitting", "output": "\n An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).\n See CanPrecede relationships for possible consequences.\n "}, {"instruction": "What is", "input": "coa-105-0", "output": "Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies."}, {"instruction": "What is", "input": "coa-105-1", "output": "Configuration: front-end HTTP agents notice ambiguous requests."}, {"instruction": "What is", "input": "coa-105-2", "output": "Configuration: back-end HTTP agents reject ambiguous requests and close the network connection."}, {"instruction": "What is", "input": "coa-105-3", "output": "Configuration: Disable reuse of back-end connections."}, {"instruction": "What is", "input": "coa-105-4", "output": "Configuration: Use HTTP/2 for back-end connections."}, {"instruction": "What is", "input": "coa-105-5", "output": "Configuration: Use the same web server software for front-end and back-end server."}, {"instruction": "What is", "input": "coa-105-6", "output": "Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses."}, {"instruction": "What is", "input": "coa-105-7", "output": "Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)"}, {"instruction": "What is", "input": "coa-105-8", "output": "Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process."}, {"instruction": "What is", "input": "coa-105-9", "output": "Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input."}, {"instruction": "What is", "input": "DEPRECATED: XSS through Log Files", "output": "This attack pattern has been deprecated as it referes to an existing chain relationship between \"CAPEC-93 : Log Injection-Tampering-Forging\" and \"CAPEC-63 : Cross-Site Scripting\". Please refer to these CAPECs going forward."}, {"instruction": "What is", "input": "Cross Site Tracing", "output": "Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to a destination system's web server."}, {"instruction": "What is", "input": "coa-107-0", "output": "Administrators should disable support for HTTP TRACE at the destination's web server. Vendors should disable TRACE by default."}, {"instruction": "What is", "input": "coa-107-1", "output": "Patch web browser against known security origin policy bypass exploits."}, {"instruction": "What is", "input": "Command Line Execution through SQL Injection", "output": "An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host."}, {"instruction": "What is", "input": "coa-108-0", "output": "Disable MSSQL xp_cmdshell directive on the database"}, {"instruction": "What is", "input": "coa-108-1", "output": "Properly validate the data (syntactically and semantically) before writing it to the database."}, {"instruction": "What is", "input": "coa-108-2", "output": "Do not implicitly trust the data stored in the database. Re-validate it prior to usage to make sure that it is safe to use in a given context (e.g. as a command line argument)."}, {"instruction": "What is", "input": "Object Relational Mapping Injection", "output": "An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject their own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible."}, {"instruction": "What is", "input": "coa-109-0", "output": "Remember to understand how to use the data access methods generated by the ORM tool / framework properly in a way that would leverage the built-in security mechanisms of the framework"}, {"instruction": "What is", "input": "coa-109-1", "output": "Ensure to keep up to date with security relevant updates to the persistence framework used within your application."}, {"instruction": "What is", "input": "Cause Web Server Misclassification", "output": "An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process."}, {"instruction": "What is", "input": "coa-11-0", "output": "Implementation: Server routines should be determined by content not determined by filename or file extension."}, {"instruction": "What is", "input": "SQL Injection through SOAP Parameter Tampering", "output": "An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message."}, {"instruction": "What is", "input": "coa-110-0", "output": "Properly validate and sanitize/reject user input at the service provider."}, {"instruction": "What is", "input": "coa-110-1", "output": "Ensure that prepared statements or other mechanism that enables parameter binding is used when accessing the database in a way that would prevent the attackers' supplied data from controlling the structure of the executed query."}, {"instruction": "What is", "input": "coa-110-2", "output": "At the database level, ensure that the database user used by the application in a particular context has the minimum needed privileges to the database that are needed to perform the operation. When possible, run queries against pre-generated views rather than the tables directly."}, {"instruction": "What is", "input": "JSON Hijacking (aka JavaScript Hijacking)", "output": "An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website."}, {"instruction": "What is", "input": "coa-111-0", "output": "Ensure that server side code can differentiate between legitimate requests and forged requests. The solution is similar to protection against Cross Site Request Forger (CSRF), which is to use a hard to guess random nonce (that is unique to the victim's session with the server) that the attacker has no way of knowing (at least in the absence of other weaknesses). Each request from the client to the server should contain this nonce and the server should reject all requests that do not contain the nonce."}, {"instruction": "What is", "input": "coa-111-1", "output": "On the client side, the system's design could make it difficult to get access to the JSON object content via the script tag. Since the JSON object is never assigned locally to a variable, it cannot be readily modified by the attacker before being used by a script tag. For instance, if while(1) was added to the beginning of the JavaScript returned by the server, trying to access it with a script tag would result in an infinite loop. On the other hand, legitimate client side code can remove the while(1) statement after which the JavaScript can be evaluated. A similar result can be achieved by surrounding the returned JavaScript with comment tags, or using other similar techniques (e.g. wrapping the JavaScript with HTML tags)."}, {"instruction": "What is", "input": "coa-111-2", "output": "Make the URLs in the system used to retrieve JSON objects unpredictable and unique for each user session."}, {"instruction": "What is", "input": "coa-111-3", "output": "Ensure that to the extent possible, no sensitive data is passed from the server to the client via JSON objects. JavaScript was never intended to play that role, hence the same origin policy does not adequate address this scenario."}, {"instruction": "What is", "input": "Brute Force", "output": "In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset."}, {"instruction": "What is", "input": "coa-112-0", "output": "Select a provably large secret space for selection of the secret. Provably large means that the procedure by which the secret is selected does not have artifacts that significantly reduce the size of the total secret space."}, {"instruction": "What is", "input": "coa-112-1", "output": "Use a secret space that is well known and with no known patterns that may reduce functional size."}, {"instruction": "What is", "input": "coa-112-2", "output": "Do not provide the means for an attacker to determine success independently. This forces the attacker to check their guesses against an external authority, which can slow the attack and warn the defender. This mitigation may not be possible if testing material must appear externally, such as with a transmitted cryptotext."}, {"instruction": "What is", "input": "Interface Manipulation", "output": "An adversary manipulates the use or processing of an interface (e.g. Application Programming Interface (API) or System-on-Chip (SoC)) resulting in an adverse impact upon the security of the system implementing the interface. This can allow the adversary to bypass access control and/or execute functionality not intended by the interface implementation, possibly compromising the system which integrates the interface. Interface manipulation can take on a number of forms including forcing the unexpected use of an interface or the use of an interface in an unintended way."}, {"instruction": "What is", "input": "Authentication Abuse", "output": "An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker."}, {"instruction": "What is", "input": "Authentication Bypass", "output": "An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place."}, {"instruction": "What is", "input": "Excavation", "output": "An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes."}, {"instruction": "What is", "input": "coa-116-0", "output": "Minimize error/response output to only what is necessary for functional use or corrective language."}, {"instruction": "What is", "input": "coa-116-1", "output": "Remove potentially sensitive information that is not necessary for the application's functionality."}, {"instruction": "What is", "input": "Interception", "output": "An adversary monitors data streams to or from the target for information gathering purposes. This attack may be undertaken to solely gather sensitive information or to support a further attack against the target. This attack pattern can involve sniffing network traffic as well as other types of data streams (e.g. radio). The adversary can attempt to initiate the establishment of a data stream or passively observe the communications as they unfold. In all variants of this attack, the adversary is not the intended recipient of the data stream. In contrast to other means of gathering information (e.g., targeting data leaks), the adversary must actively position themself so as to observe explicit data channels (e.g. network traffic) and read the content. However, this attack differs from a Adversary-In-the-Middle (CAPEC-94) attack, as the adversary does not alter the content of the communications nor forward data to the intended recipient."}, {"instruction": "What is", "input": "coa-117-0", "output": "Leverage encryption to encode the transmission of data thus making it accessible only to authorized parties."}, {"instruction": "What is", "input": "Choosing Message Identifier", "output": "This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one."}, {"instruction": "What is", "input": "coa-12-0", "output": "\n Associate some ACL (in the form of a token) with an authenticated user which they provide middleware. The middleware uses this token as part of its channel/message selection for that client, or part of a discerning authorization decision for privileged channels/messages.\n The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message.\n "}, {"instruction": "What is", "input": "coa-12-1", "output": "Re-architect system input/output channels as appropriate to distribute self-protecting data. That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them."}, {"instruction": "What is", "input": "Double Encoding", "output": "The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target."}, {"instruction": "What is", "input": "coa-120-0", "output": "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input."}, {"instruction": "What is", "input": "coa-120-1", "output": "Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding."}, {"instruction": "What is", "input": "coa-120-2", "output": "When client input is required from web-based forms, avoid using the \"GET\" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the \"POST method whenever possible."}, {"instruction": "What is", "input": "coa-120-3", "output": "Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process."}, {"instruction": "What is", "input": "coa-120-4", "output": "Refer to the RFCs to safely decode URL."}, {"instruction": "What is", "input": "coa-120-5", "output": "Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive."}, {"instruction": "What is", "input": "coa-120-6", "output": "There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx)."}, {"instruction": "What is", "input": "Exploit Non-Production Interfaces", "output": "\n An adversary exploits a sample, demonstration, test, or debug interface that is unintentionally enabled on a production system, with the goal of gleaning information or leveraging functionality that would otherwise be unavailable.\n "}, {"instruction": "What is", "input": "coa-121-0", "output": "Ensure that production systems do not contain non-production interfaces and that these interfaces are only used in development environments."}, {"instruction": "What is", "input": "Privilege Abuse", "output": "An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources."}, {"instruction": "What is", "input": "coa-122-0", "output": "Configure account privileges such privileged/administrator functionality is not exposed to non-privileged/lower accounts."}, {"instruction": "What is", "input": "Buffer Manipulation", "output": "An adversary manipulates an application's interaction with a buffer in an attempt to read or modify data they shouldn't have access to. Buffer attacks are distinguished in that it is the buffer space itself that is the target of the attack rather than any code responsible for interpreting the content of the buffer. In virtually all buffer attacks the content that is placed in the buffer is immaterial. Instead, most buffer attacks involve retrieving or providing more input than can be stored in the allocated buffer, resulting in the reading or overwriting of other unintended program memory."}, {"instruction": "What is", "input": "coa-123-0", "output": "To help protect an application from buffer manipulation attacks, a number of potential mitigations can be leveraged. Before starting the development of the application, consider using a code language (e.g., Java) or compiler that limits the ability of developers to act beyond the bounds of a buffer. If the chosen language is susceptible to buffer related issues (e.g., C) then consider using secure functions instead of those vulnerable to buffer manipulations. If a potentially dangerous function must be used, make sure that proper boundary checking is performed. Additionally, there are often a number of compiler-based mechanisms (e.g., StackGuard, ProPolice and the Microsoft Visual Studio /GS flag) that can help identify and protect against potential buffer issues. Finally, there may be operating system level preventative functionality that can be applied."}, {"instruction": "What is", "input": "Shared Resource Manipulation", "output": "An adversary exploits a resource shared between multiple applications, an application pool or hardware pin multiplexing to affect behavior. Resources may be shared between multiple applications or between multiple threads of a single application. Resource sharing is usually accomplished through mutual access to a single memory location or multiplexed hardware pins. If an adversary can manipulate this shared resource (usually by co-opting one of the applications or threads) the other applications or threads using the shared resource will often continue to trust the validity of the compromised shared resource and use it in their calculations. This can result in invalid trust assumptions, corruption of additional data through the normal operations of the other users of the shared resource, or even cause a crash or compromise of the sharing applications."}, {"instruction": "What is", "input": "Flooding", "output": "An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target."}, {"instruction": "What is", "input": "coa-125-0", "output": "Ensure that protocols have specific limits of scale configured."}, {"instruction": "What is", "input": "coa-125-1", "output": "Specify expectations for capabilities and dictate which behaviors are acceptable when resource allocation reaches limits."}, {"instruction": "What is", "input": "coa-125-2", "output": "Uniformly throttle all requests in order to make it more difficult to consume resources more quickly than they can again be freed."}, {"instruction": "What is", "input": "Path Traversal", "output": "An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \\) and/or dots (.)) to reach desired directories or files."}, {"instruction": "What is", "input": "coa-126-0", "output": "Design: Configure the access control correctly."}, {"instruction": "What is", "input": "coa-126-1", "output": "Design: Enforce principle of least privilege."}, {"instruction": "What is", "input": "coa-126-2", "output": "Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution."}, {"instruction": "What is", "input": "coa-126-3", "output": "Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement."}, {"instruction": "What is", "input": "coa-126-4", "output": "Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host."}, {"instruction": "What is", "input": "coa-126-5", "output": "Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands."}, {"instruction": "What is", "input": "coa-126-6", "output": "Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin."}, {"instruction": "What is", "input": "coa-126-7", "output": "Implementation: Perform input validation for all remote content, including remote and user-generated content."}, {"instruction": "What is", "input": "coa-126-8", "output": "Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables."}, {"instruction": "What is", "input": "coa-126-9", "output": "Implementation: Use indirect references rather than actual file names."}, {"instruction": "What is", "input": "coa-126-10", "output": "Implementation: Use possible permissions on file access when developing and deploying web applications."}, {"instruction": "What is", "input": "coa-126-11", "output": "Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- using an allowlist approach."}, {"instruction": "What is", "input": "Directory Indexing", "output": "An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks."}, {"instruction": "What is", "input": "coa-127-0", "output": "1. Using blank index.html: putting blank index.html simply prevent directory listings from displaying to site visitors."}, {"instruction": "What is", "input": "coa-127-1", "output": "2. Preventing with .htaccess in Apache web server: In .htaccess, write \"Options-indexes\"."}, {"instruction": "What is", "input": "coa-127-2", "output": "3. Suppressing error messages: using error 403 \"Forbidden\" message exactly like error 404 \"Not Found\" message."}, {"instruction": "What is", "input": "Integer Attacks", "output": "An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. For example, adding one to the largest positive integer in a signed integer variable results in a negative number. Negative numbers may be illegal in an application and the application may prevent an attacker from providing them directly, but the application may not consider that adding two positive numbers can create a negative number do to the structure of integer storage formats."}, {"instruction": "What is", "input": "Pointer Manipulation", "output": "This attack pattern involves an adversary manipulating a pointer within a target application resulting in the application accessing an unintended memory location. This can result in the crashing of the application or, for certain pointer values, access to data that would not normally be possible or the execution of arbitrary code. Since pointers are simply integer variables, Integer Attacks may often be used in Pointer Attacks."}, {"instruction": "What is", "input": "Subverting Environment Variable Values", "output": "The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary."}, {"instruction": "What is", "input": "coa-13-0", "output": "Protect environment variables against unauthorized read and write access."}, {"instruction": "What is", "input": "coa-13-1", "output": "Protect the configuration files which contain environment variables against illegitimate read and write access."}, {"instruction": "What is", "input": "coa-13-2", "output": "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system."}, {"instruction": "What is", "input": "coa-13-3", "output": "Apply the least privilege principles. If a process has no legitimate reason to read an environment variable do not give that privilege."}, {"instruction": "What is", "input": "Excessive Allocation", "output": "An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request."}, {"instruction": "What is", "input": "coa-130-0", "output": "Limit the amount of resources that are accessible to unprivileged users."}, {"instruction": "What is", "input": "coa-130-1", "output": "Assume all input is malicious. Consider all potentially relevant properties when validating input."}, {"instruction": "What is", "input": "coa-130-2", "output": "Consider uniformly throttling all requests in order to make it more difficult to consume resources more quickly than they can again be freed."}, {"instruction": "What is", "input": "coa-130-3", "output": "Use resource-limiting settings, if possible."}, {"instruction": "What is", "input": "Resource Leak Exposure", "output": "An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests."}, {"instruction": "What is", "input": "coa-131-0", "output": "If possible, leverage coding language(s) that do not allow this weakness to occur (e.g., Java, Ruby, and Python all perform automatic garbage collection that releases memory for objects that have been deallocated)."}, {"instruction": "What is", "input": "coa-131-1", "output": "Memory should always be allocated/freed using matching functions (e.g., malloc/free, new/delete, etc.)"}, {"instruction": "What is", "input": "coa-131-2", "output": "Implement best practices with respect to memory management, including the freeing of all allocated resources at all exit points and ensuring consistency with how and where memory is freed in a function."}, {"instruction": "What is", "input": "Symlink Attack", "output": "An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name."}, {"instruction": "What is", "input": "coa-132-0", "output": "Design: Check for the existence of files to be created, if in existence verify they are neither symlinks nor hard links before opening them."}, {"instruction": "What is", "input": "coa-132-1", "output": "Implementation: Use randomly generated file names for temporary files. Give the files restrictive permissions."}, {"instruction": "What is", "input": "Try All Common Switches", "output": "An attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target. For example, in some applications, adding a --debug switch causes debugging information to be displayed, which can sometimes reveal sensitive processing or configuration information to an attacker. This attack differs from other forms of API abuse in that the attacker is indiscriminately attempting to invoke options in the hope that one of them will work rather than specifically targeting a known option. Nonetheless, even if the attacker is familiar with the published options of a targeted application this attack method may still be fruitful as it might discover unpublicized functionality."}, {"instruction": "What is", "input": "coa-133-0", "output": "Design: Minimize switch and option functionality to only that necessary for correct function of the command."}, {"instruction": "What is", "input": "coa-133-1", "output": "Implementation: Remove all debug and testing options from production code."}, {"instruction": "What is", "input": "Email Injection", "output": "An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol."}, {"instruction": "What is", "input": "Format String Injection", "output": "An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack."}, {"instruction": "What is", "input": "coa-135-0", "output": "Limit the usage of formatting string functions."}, {"instruction": "What is", "input": "coa-135-1", "output": "Strong input validation - All user-controllable input must be validated and filtered for illegal formatting characters."}, {"instruction": "What is", "input": "LDAP Injection", "output": "An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value."}, {"instruction": "What is", "input": "coa-136-0", "output": "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as LDAP content."}, {"instruction": "What is", "input": "coa-136-1", "output": "Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the LDAP or application."}, {"instruction": "What is", "input": "Parameter Injection", "output": "An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in a HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value \"myInput&new_param=myValue\", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack - the HTTP GET encoding used above is just one example."}, {"instruction": "What is", "input": "coa-137-0", "output": "Implement an audit log written to a separate host. In the event of a compromise, the audit log may be able to provide evidence and details of the compromise."}, {"instruction": "What is", "input": "coa-137-1", "output": "Treat all user input as untrusted data that must be validated before use."}, {"instruction": "What is", "input": "Reflection Injection", "output": "An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application."}, {"instruction": "What is", "input": "Relative Path Traversal", "output": "An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \\) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure."}, {"instruction": "What is", "input": "coa-139-0", "output": "Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement"}, {"instruction": "What is", "input": "coa-139-3", "output": "Implementation: Prefer working without user input when using file system calls"}, {"instruction": "What is", "input": "Client-side Injection-induced Buffer Overflow", "output": "This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service. This hostile service is created to deliver the correct content to the client software. For example, if the client-side application is a browser, the service will host a webpage that the browser loads."}, {"instruction": "What is", "input": "coa-14-0", "output": "The client software should not install untrusted code from a non-authenticated server."}, {"instruction": "What is", "input": "coa-14-1", "output": "The client software should have the latest patches and should be audited for vulnerabilities before being used to communicate with potentially hostile servers."}, {"instruction": "What is", "input": "coa-14-2", "output": "Perform input validation for length of buffer inputs."}, {"instruction": "What is", "input": "coa-14-4", "output": "Use an abstraction library to abstract away risky APIs. Not a complete solution."}, {"instruction": "What is", "input": "coa-14-6", "output": "Ensure all buffer uses are consistently bounds-checked."}, {"instruction": "What is", "input": "Bypassing of Intermediate Forms in Multiple-Form Sets", "output": "Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amount of information being collected or if information on earlier forms is used to pre-populate fields or determine which additional information the application needs to collect. An attacker who knows the names of the various forms in the sequence may be able to explicitly type in the name of a later form and navigate to it without first going through the previous forms. This can result in incomplete collection of information, incorrect assumptions about the information submitted by the attacker, or other problems that can impair the functioning of the application."}, {"instruction": "What is", "input": "Cache Poisoning", "output": "An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value."}, {"instruction": "What is", "input": "coa-141-0", "output": "Configuration: Disable client side caching."}, {"instruction": "What is", "input": "coa-141-1", "output": "Implementation: Listens for query replies on a network, and sends a notification via email when an entry changes."}, {"instruction": "What is", "input": "DNS Cache Poisoning", "output": "A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack."}, {"instruction": "What is", "input": "coa-142-0", "output": "Configuration: Make sure your DNS servers have been updated to the latest versions"}, {"instruction": "What is", "input": "coa-142-1", "output": "Configuration: UNIX services like rlogin, rsh/rcp, xhost, and nfs are all susceptible to wrong information being held in a cache. Care should be taken with these services so they do not rely upon DNS caches that have been exposed to the Internet."}, {"instruction": "What is", "input": "coa-142-2", "output": "Configuration: Disable client side DNS caching."}, {"instruction": "What is", "input": "Detect Unpublicized Web Pages", "output": "An adversary searches a targeted web site for web pages that have not been publicized. In doing this, the adversary may be able to gain access to information that the targeted site did not intend to make public."}, {"instruction": "What is", "input": "Detect Unpublicized Web Services", "output": "An adversary searches a targeted web site for web services that have not been publicized. This attack can be especially dangerous since unpublished but available services may not have adequate security controls placed upon them given that an administrator may believe they are unreachable."}, {"instruction": "What is", "input": "Checksum Spoofing", "output": "An adversary spoofs a checksum message for the purpose of making a payload appear to have a valid corresponding checksum. Checksums are used to verify message integrity. They consist of some value based on the value of the message they are protecting. Hash codes are a common checksum mechanism. Both the sender and recipient are able to compute the checksum based on the contents of the message. If the message contents change between the sender and recipient, the sender and recipient will compute different checksum values. Since the sender's checksum value is transmitted with the message, the recipient would know that a modification occurred. In checksum spoofing an adversary modifies the message body and then modifies the corresponding checksum so that the recipient's checksum calculation will match the checksum (created by the adversary) in the message. This would prevent the recipient from realizing that a change occurred."}, {"instruction": "What is", "input": "XML Schema Poisoning", "output": "An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema."}, {"instruction": "What is", "input": "coa-146-0", "output": "Design: Protect the schema against unauthorized modification."}, {"instruction": "What is", "input": "coa-146-1", "output": "Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the XML document. Additionally, ensure that the proper permissions are set on local files to avoid unauthorized modification."}, {"instruction": "What is", "input": "coa-146-2", "output": "Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification."}, {"instruction": "What is", "input": "XML Ping of the Death", "output": "An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target."}, {"instruction": "What is", "input": "coa-147-0", "output": "Design: Build throttling mechanism into the resource allocation. Provide for a timeout mechanism for allocated resources whose transaction does not complete within a specified interval."}, {"instruction": "What is", "input": "coa-147-1", "output": "Implementation: Provide for network flow control and traffic shaping to control access to the resources."}, {"instruction": "What is", "input": "Content Spoofing", "output": "An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes."}, {"instruction": "What is", "input": "Explore for Predictable Temporary File Names", "output": "An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against the target. This involves analyzing naming conventions and storage locations of the temporary files created by a target application. If an attacker can predict the names of temporary files they can use this information to mount other attacks, such as information gathering and symlink attacks."}, {"instruction": "What is", "input": "Command Delimiters", "output": "An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on."}, {"instruction": "What is", "input": "coa-15-0", "output": "Design: Perform allowlist validation against a positive specification for command length, type, and parameters."}, {"instruction": "What is", "input": "coa-15-1", "output": "Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account"}, {"instruction": "What is", "input": "coa-15-2", "output": "Implementation: Perform input validation for all remote content."}, {"instruction": "What is", "input": "coa-15-3", "output": "Implementation: Use type conversions such as JDBC prepared statements."}, {"instruction": "What is", "input": "Collect Data from Common Resource Locations", "output": "An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks."}, {"instruction": "What is", "input": "Identity Spoofing", "output": "Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials."}, {"instruction": "What is", "input": "coa-151-0", "output": "Employ robust authentication processes (e.g., multi-factor authentication)."}, {"instruction": "What is", "input": "Input Data Manipulation", "output": "An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface. By supplying input of a non-standard or unexpected form an attacker can adversely impact the security of the target."}, {"instruction": "What is", "input": "Resource Location Spoofing", "output": "An adversary deceives an application or user and convinces them to request a resource from an unintended location. By spoofing the location, the adversary can cause an alternate resource to be used, often one that the adversary controls and can be used to help them achieve their malicious goals."}, {"instruction": "What is", "input": "coa-154-0", "output": "Monitor network activity to detect any anomalous or unauthorized communication exchanges."}, {"instruction": "What is", "input": "Screen Temporary Files for Sensitive Information", "output": "An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an adversary might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the adversary could recover this from the web cache."}, {"instruction": "What is", "input": "Sniffing Attacks", "output": "In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/or hear the communication traffic, but not necessarily block the communication or change its content. Any transmission medium can theoretically be sniffed if the adversary can examine the contents between the sender and recipient. Sniffing Attacks are similar to Adversary-In-The-Middle attacks (CAPEC-94), but are entirely passive. AiTM attacks are predominantly active and often alter the content of the communications themselves."}, {"instruction": "What is", "input": "coa-157-0", "output": "Encrypt sensitive information when transmitted on insecure mediums to prevent interception."}, {"instruction": "What is", "input": "Sniffing Network Traffic", "output": "In this attack pattern, the adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive information at the protocol level. Network sniffing applications can reveal TCP/IP, DNS, Ethernet, and other low-level network communication information. The adversary takes a passive role in this attack pattern and simply observes and analyzes the traffic. The adversary may precipitate or indirectly influence the content of the observed transaction, but is never the intended recipient of the target information."}, {"instruction": "What is", "input": "coa-158-0", "output": "Obfuscate network traffic through encryption to prevent its readability by network sniffers."}, {"instruction": "What is", "input": "coa-158-1", "output": "Employ appropriate levels of segmentation to your network in accordance with best practices."}, {"instruction": "What is", "input": "Redirect Access to Libraries", "output": "An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversary supplied library or code base. This pattern of attack allows the adversary to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. If an adversary can redirect an application's attempts to access these libraries to other libraries that the adversary supplies, the adversary will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation."}, {"instruction": "What is", "input": "coa-159-0", "output": "Implementation: Restrict the permission to modify the entries in the configuration file."}, {"instruction": "What is", "input": "coa-159-1", "output": "Implementation: Check the integrity of the dynamically linked libraries before use them."}, {"instruction": "What is", "input": "coa-159-2", "output": "Implementation: Use obfuscation and other techniques to prevent reverse engineering the libraries."}, {"instruction": "What is", "input": "Dictionary-based Password Attack", "output": "\n An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.\n Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.\n "}, {"instruction": "What is", "input": "coa-16-0", "output": "Create a strong password policy and ensure that your system enforces this policy."}, {"instruction": "What is", "input": "coa-16-1", "output": "Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2."}, {"instruction": "What is", "input": "coa-16-2", "output": "Leverage multi-factor authentication for all authentication services."}, {"instruction": "What is", "input": "Exploit Script-Based APIs", "output": "Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support