Attack vector, attack surface, vulnerability, exploit: Where is the difference?
All 4 terms are very different:
Describes the Attack:
- Attack Vector: the 'route' by which an attack was carried out. SQLi is typically carried out using a browser client to the web application. The web application is the attack vector (possibly also the Internet, the client application, etc.; it depends on your focus).
- Exploit: the method of taking advantage of a vulnerability. The code used to send SQL commands to a web application in order to take advantage of the unsanitized user inputs is an 'exploit'.
Describes the Target:
- Attack Surface: describes how exposed one is to attacks. Without a firewall to limit how many ports are blocked, then your 'attack surface' is all the ports. Blocking all ports but port 80 reduces your 'attack surface' to a single port.
- Vulnerability: a weakness that exposes risk. Unsantitized user inputs can pose a 'vulnerability' by a SQLi method.
We can also look at this from the perspective of a user as the target. An attacker sends an infected PDF as an email attachment to a user. The user opens the PDF, gets infected, and malware is installed. The 'attack vector' was email, the 'exploit' was the code in the PDF, the 'vulnerability' is the weakness in the PDF viewer that allowed for code execution, the 'attack surface' is the user and email system.
This is true to the best of my knowledge, however I believe some might have slight improvements on the wording:
- The attack vector is the "type" of the attack, its what allows the attacker to succeed.
- The attack surface is how many endpoints can be attacked, for example if you are targeting a website, with a scripting language (PHP/Node...), and a Database (MySql/Postgre...), the attack surface is greater than if you are targeting a single static page with no dynamic content and no database.
- A vulnerability is a weakness in a system which may be used to alter the intended behavior of the system, sometimes they allow memory dumps, sometimes they allow impersonating a user...
- and an exploit is the tool used to carry on an attack.