CAPEC-113: API Manipulation

API Manipulation


Typical_Severify: Medium



An adversary manipulates the use or processing of an Application Programming Interface (API) resulting in an adverse impact upon the security of the system implementing the API. This can allow the adversary to execute functionality not intended by the API implementation, possibly compromising the system which integrates the API. API manipulation can take on a number of forms including forcing the unexpected use of an API, or the use of an API in an unintended way. For example, an adversary may make a request to an application that leverages a non-standard API that is known to incorrectly validate its data and thus it may be manipulated by supplying metacharacters or alternate encodings as input, resulting in any number of injection flaws, including SQL injection, cross-site scripting, or command execution. Another example could be API methods that should be disabled in a production application but were not, thus exposing dangerous functionality within a production environment.


ParentOf: CAPEC-121 | Exploit Test APIs

ParentOf: CAPEC-133 | Try All Common Switches

ParentOf: CAPEC-160 | Exploit Script-Based APIs

ParentOf: CAPEC-36 | Using Unpublished APIs


The target system must expose API functionality in a manner that can be discovered and manipulated by an adversary. This may require reverse engineering the API syntax or decrypting/de-obfuscating client-server exchanges.


The requirements vary depending upon the nature of the API. For application-layer APIs related to the processing of the HTTP protocol, one or more of the following may be needed: a MITM (Man-In-The-Middle) proxy, a web browser, or a programming/scripting language.



227 | 履行API合约不恰当(API滥用)



2014-06-23 | CAPEC Content Team | The MITRE Corporation


2015-12-07 | CAPEC Content Team | The MITRE Corporation

Updated Attack_Prerequisites, Description Summary, Related_Attack_Patterns

2017-05-01 | CAPEC Content Team | The MITRE Corporation

Updated Activation_Zone, Injection_Vector, Payload, Payload_Activation_Impact, Related_Weaknesses, Typical_Likelihood_of_Exploit