25

I have difficulties to pinpoint the difference between attack vector / attack surface / vulnerability and exploit.

I think the difference between a vulnerability and an exploit is the following: A vulnerability is something that could get used to do harm (e.g. a buffer overflow), but does not necessarily mean that anything can be done. An exploit makes use of a vulnerability in a "productive" way (e.g. reading the following bytes in memory after triggering an error message).

According to Wikipedia (vulnerability)

To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.

So attack surface and vulnerability seem to be synonyms in the context of IT security (?)

Could anybody please define the words or give examples for the difference between them?

Improve this question

3 Answers 3

Reset to default
27

All 4 terms are very different:

Describes the Attack:

  • Attack Vector: the 'route' by which an attack was carried out. SQLi is typically carried out using a browser client to the web application. The web application is the attack vector (possibly also the Internet, the client application, etc.; it depends on your focus).
  • Exploit: the method of taking advantage of a vulnerability. The code used to send SQL commands to a web application in order to take advantage of the unsanitized user inputs is an 'exploit'.

Describes the Target:

  • Attack Surface: describes how exposed one is to attacks. Without a firewall to limit how many ports are blocked, then your 'attack surface' is all the ports. Blocking all ports but port 80 reduces your 'attack surface' to a single port.
  • Vulnerability: a weakness that exposes risk. Unsantitized user inputs can pose a 'vulnerability' by a SQLi method.

We can also look at this from the perspective of a user as the target. An attacker sends an infected PDF as an email attachment to a user. The user opens the PDF, gets infected, and malware is installed. The 'attack vector' was email, the 'exploit' was the code in the PDF, the 'vulnerability' is the weakness in the PDF viewer that allowed for code execution, the 'attack surface' is the user and email system.

Improve this answer
6
  • 7
    I can use these terms in a sentence: "This attack used a pdf email attachment as an attack vector to exploit a known vulnerability in Adobe Reader. The attack surface is every workstation running Adobe Reader version X". Commented Jun 4, 2015 at 20:25
  • 1
    great minds think alike - we came up with the pdf example at the same time :) Commented Jun 4, 2015 at 20:26
  • haha, we both posted the pdf email attachment idea at the same time! Commented Jun 4, 2015 at 20:26
  • 1
    jinx, jinx! you owe me a Coke .... Commented Jun 4, 2015 at 20:26
  • 2
    In my mind, "attack vector" is a synonym for "delivery method", which emphasizes that the attack vector and the exploit are two very different things. One is simply a carrier for the other. Commented Jun 4, 2015 at 20:35
2

This is true to the best of my knowledge, however I believe some might have slight improvements on the wording:

  • The attack vector is the "type" of the attack, its what allows the attacker to succeed.
  • The attack surface is how many endpoints can be attacked, for example if you are targeting a website, with a scripting language (PHP/Node...), and a Database (MySql/Postgre...), the attack surface is greater than if you are targeting a single static page with no dynamic content and no database.
  • A vulnerability is a weakness in a system which may be used to alter the intended behavior of the system, sometimes they allow memory dumps, sometimes they allow impersonating a user...
  • and an exploit is the tool used to carry on an attack.
Improve this answer
2
  • So the attack vector might be "sql injection" and the exploit is then the browser? I thought in case of sql injections the exploit would be "unsantized user data" or something like this? Commented Jun 4, 2015 at 13:06
  • 1
    You don't have all the terms available for every scenario, and sometimes the words are interchangeable, but not always. It would be sufficient to say sqil injection was the attack vector, or that they exploited a faulty implementation/code with sql injections. An exploit doesn't have to be a tool either, it can be a single line of code. Commented Jun 4, 2015 at 13:10
1

Based on my understanding and by considering a simple web application as testing environment, I can see the relation between them as below:

Attack surface is used to identify the components/parts of the system/web that may contain any vulnerabilities, (e.g. web application authentication function)

Vulnerability assessment applies on identified component/part (authentication) that found in attack surfaces step in order to find vulnerabilities (e.g. no input validation)

Attack vector (types of attacks) refers to identifying which attack(s) can be done, based on identified vulnerabilities (no input validation) such as SQLI, XSS, FI,..etc

Exploitation is refereed to launching the attack(s) (e.g. SQLI attack, XSS attack, FI attack, ..etc) against identified vulnerability (no input validation) in order to get access to the data or system on the victim machine.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.