Application Security Tactics & Techniques Matrix
Contributors
Tactics
  Reconnaissance
    Application API Specification Harvesting
      API Documentation Analysis
      Fuzzing API Endpoints
      Schema Extraction
      Traffic Sniffing
    Application Dependencies Mapping
      Image Metadata Inspection
      Manifest Inspection
      OpenSource Dependency Enumeration
      Package Manifest Scraping
      Registry Metadata Query
      SBOM Analysis
    Gather Application Configuration Information
      Feature Flag Discovery
      Fingerprinting
    Public Source Code and Artifacts Analysis
      Public Repository Discovery
      Static Code Analysis
    Reverse Engineering
      Binary Disassembly
      Protocol Analysis
  Resource Development
    Compromised Code Signing and Build Infrastructure
      Build Pipeline Manipulation
      Build Script Tampering
    Third‑Party Dependency Poisoning
      Backdoored Open-Source Libraries
      Dependency Confusion
      Typosquatting Dependencies
    Develop Capabilities
      Malware
      Exploits
    Obtain Capabilities
      Malware
      Exploits
      Tool
      Vulnerabilities
      Acquisition of Stolen Keys & Credentials
  Gain Access
    Supply Chain Compromise
      Build Environment Poisoning
      Compromise Software Dependencies and Development Tools
      Compromise Software Supply Chain
      Container Registry Poisoning
      Dependency Hijacking
      Software Update Manipulation
    Content Injection
      Man-on-the-Side Injection
      Man-in-the-Middle Injection
      Protocol Exploitation
    Service Standard APIs
      Service Standard API
    Valid Accounts
      Cloud Accounts
      Default Accounts
      Valid Tokens
    External Remote Services
      Exposed Gateway
      Exposed Kubernetes API
      SSH Access
      Unauthenticated Administration Interfaces
    Authentication Bypass
      OAuth Flow Manipulation
      Password Brute Forcing
      Race Condition Exploitation
      SQL Injection
  Payload Execution
    Remote Code Execution Exploitation
      Dynamic Code Evaluation
      Memory Buffer Overflow
      Memory Pointer Manipulation
      Insecure Deserialization Exploitation
    Execution Using Standard Applicative Flow
    Injection Exploitations
      OS Command Injection
      Arbitrary File Write Exploitation
      LDAP Injection
      XML Injection
      XXE Injection
      OGNL Injection
      CRLF Injection
      Template Injection
      SQL Injection
      NoSQL Injection
      Expression Language Injection
  Deepening Control
    Exploitation for Privilege Escalation
      Capabilities Abuse
      CPU and GPU Exploitation
      Kernel Exploitation
      SUID and GUID Abuse
      Symlink Attack
      TOCTOU (Time-of-Check-to-Time-of-Use)
    Exploitation for Defense Evasion
      Hijacking
      Injection
      Proc Memory
      Ptrace System Calls
      Shared Library
      Reflective Code Loading
      Thread Execution
    Scheduled Task
      At
      Container
      Cron
      Orchestration Job
      Systemd Timers
    Disable Runtime Protection Service
      Bypassing Security Hooks
      Configuration Tampering
      Service Downgrade
      Service Termination
    C2 over App‑Protocols
      DNS Protocols
      File Transfer Protocols
      Web Protocols
    Masquerading
      Break Process Trees
      Match Legitimate Name or Location
    Implant Internal Image
    Server Software Component
      SQL Stored Procedures
      Web Shell
  Expanding Control
    Cloud Service Discovery
      API-based Resource Listing
      Open-source discovery tools
    Exploitation for Credential Access
      Stealing Tokens
      Memory Exploitation for Credential Extraction
    Exploitation of Remote Services
      API Misconfiguration Exploitation
    Service‑to‑Service Trust Abuse
      Overprivileged Service Account Exploitation
      Token Replay or Reuse Attacks
  Impact
    Service Disruption
      Denial of Service (DoS) Attacks
      Resource Starvation
      System Shutdown and Reboot
      Traffic Flooding
    Data Destruction
      Backup Destruction or Tampering
      Data Corruption via Overwriting
      File or Database Record Deletion
      Lifecycle-Triggered Deletion
    Data Encryption
    Data Exfiltration
    Business Logic Manipulation
    Resource Hijacking
      Bandwidth Hijacking
      Compute Hijacking
      Cryptomining
    Data Manipulation
      Runtime Data Manipulation
      Transmitted Data Manipulation
    Defacement
      Replacement
      Website Content
    Financial Theft
List of Contributors
T.B.D