
Attack Vector

A specific method or pathway an attacker uses to gain unauthorized access to a system.

An attack vector is the specific path, method, or technique an attacker uses to exploit a vulnerability and gain unauthorized access to a system, network, or application. While the attack surface describes the total set of exposure points, an attack vector is the particular route chosen to breach one of those points.

How It Works

Attack vectors can be technical or social in nature. Technical vectors exploit weaknesses in software, protocols, or configurations. Examples include exploiting an unpatched vulnerability in a web server, injecting malicious SQL through a search form, or leveraging a misconfigured cloud storage bucket to access sensitive files. Social vectors target people rather than technology, using phishing emails, pretexting, or baiting to trick users into revealing credentials or executing malicious code.

Attackers often chain multiple vectors together to achieve their objective. An initial phishing email might deliver a payload that exploits a browser vulnerability, which then downloads a backdoor that communicates over an encrypted channel to a command-and-control server. Each step in this chain represents a different attack vector working in sequence.
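From the defender's side, the chain above is easier to spot when alerts are correlated per host and in order, rather than triaged one at a time. The following is an added example, not part of the original page; the stage names, hostnames and events are constructed assumptions standing in for normalized mail-gateway, endpoint and proxy alerts.

```python
from datetime import datetime, timedelta

# Ordered stages of the chain described above (stage names are assumptions).
CHAIN = ["phishing_email", "browser_exploit", "backdoor_download", "c2_beacon"]

# Constructed sample events: (host, ISO timestamp, stage).
EVENTS = [
    ("ws-014", "2024-05-02T09:01:00", "phishing_email"),
    ("ws-014", "2024-05-02T09:03:10", "browser_exploit"),
    ("ws-022", "2024-05-02T09:05:00", "phishing_email"),
    ("ws-014", "2024-05-02T09:03:40", "backdoor_download"),
    ("ws-014", "2024-05-02T09:10:00", "c2_beacon"),
    ("ws-031", "2024-05-02T11:00:00", "c2_beacon"),
    ("ws-031", "2024-05-02T11:30:00", "browser_exploit"),  # out of order
]

def chain_progress(events, window=timedelta(hours=1)):
    """Return {host: most chain stages seen in order within the window}."""
    state = {}  # host -> (index of next expected stage, time of first stage)
    best = {}   # host -> furthest point reached in the chain
    for host, ts, stage in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        idx, start = state.get(host, (0, None))
        if start is not None and when - start > window:
            idx, start = 0, None  # earlier stages are stale; start over
        if idx < len(CHAIN) and stage == CHAIN[idx]:
            idx, start = idx + 1, start or when
        state[host] = (idx, start)
        best[host] = max(best.get(host, 0), idx)
    return best

def full_chains(events, window=timedelta(hours=1)):
    """Hosts where every stage of the chain was observed in sequence."""
    progress = chain_progress(events, window)
    return sorted(h for h, n in progress.items() if n == len(CHAIN))

if __name__ == "__main__":
    print(chain_progress(EVENTS))
    print(full_chains(EVENTS))
```

A host that shows only one stage, or stages out of order, scores low, while a host that completes the sequence stands out even if each individual alert looked minor.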

The choice of vector depends on the target's defenses, the attacker's capabilities, and the desired outcome. A well-defended network with strong perimeter security might be more vulnerable to social engineering than to direct technical exploitation. Conversely, an internet-facing application with input validation flaws might be compromised purely through technical means without any human interaction.

Why It Matters

Understanding common attack vectors helps organizations prioritize their defenses. Security assessments systematically test known vectors against an application or network to identify which ones succeed. By mapping out the vectors most likely to be used against their specific environment, organizations can allocate security resources effectively, focusing on the paths that present the highest risk rather than trying to defend everything equally.
