Contact Sales
Detectify EASM platform
  • Platform overview

    An overview of how Detectify sets a new standard for advanced application security testing

  • Surface Monitoring

    Our product that offers continuous monitoring of known and unknown Internet-facing assets

  • Application Scanning

    Our product that runs in-depth and unlimited scans on web applications for deeper coverage

Solutions by use case
Solutions by industry
  • Technology

    Solve common challenges faced by technology organizations

  • Consumer packaged goods

    Get more visibility and control over your digital products

  • Media & Gaming

    Manage digital transformation and secure what you're hosting in the cloud

  • Public Sector

    For agencies, higher education, and European governments

Start 2-week free trial Start 2-week free trial
Watch a demo Talk to sales
Detectify Crowdsource
  • What is Crowdsource?

    How Detectify customers benefit from our community of elite ethical hackers

  • Meet the community

    Meet some of our ethical hackers who come from all corners of the globe

  • Leaderboard

    See which ethical hackers are leading for the quarter, year, and all time

FOR ETHICAL HACKERS
  • Join Crowdsource

    Ready to join? Solve our Crowdsource Challenge and become part of our community

Start 2-week free trial
Watch a demo Talk to sales
Resource Center
  • All resources

    Explore case studies, webinars, e-books, whitepapers and videos

  • Case studies

    Learn how Detectify is an essential tool in these customer stories

  • Webinars

    Webinars and recordings to level up your AppSec knowledge

  • E-books & Whitepapers

    Browse and download e-books and whitepapers on AppSec and related topics

  • Events

    Register and browse for both online and in person events and webinars

  • Detectify Blog

    Read the latest product updates, news, industry insights and best practices

  • E-books & Whitepapers

    Browse and download e-books and whitepapers on AppSec and related topics

  • Events

    Register and browse for both online and in person events and webinars

  • Detectify Blog

    Read the latest product updates, news, industry insights and best practices

Trending Topics
Start 2-week free trial
Watch a demo Talk to sales
Products & Solutions Resources Crowdsource Partners Pricing About us
Products & Solutions
Platform overview Surface Monitoring Application Scanning
Solutions by use case Attack surface protection Prevent subdomain takeover Scaling organizations
Solutions by Industry Technology Consumer packaged goods Media & Gaming Public Sector
Start 2-week free trial
Watch a demo Talk to sales
Crowdsource
Detectify Crowdsource What is Crowdsource? Meet the community Leaderboard
For ethical hackers Ethical hacking with us How Crowdsource works Detectify Labs
Start 2-week free trial
Watch a demo Talk to sales
Resources
Resource Center All resources Case studies Webinars E-books & Whitepapers Events Detectify Blog
Trending Topics External Attack Surface Management Common attack vectors
Start 2-week free trial
Watch a demo Talk to sales

Common attack vectors in cybersecurity

A deep dive into defining attack vectors, what they are, the most common examples in cybersecurity, and how to mitigate against attack vectors.

1.

What is an attack vector?

2.

Cyber attack vector examples

3.

Minimizing danger from attack vectors

4.

Attack vector summary

Chapter 1

What is an attack vector?

1.

Defining attack vector

The attack vector in Internet security refers to an attacker's path, means, or route to exploit a vulnerability and break through the attack surface. Doing so gives them more information and access to a targeted system. Once in, the attacker can execute an action that should not be allowed, such as viewing or exfiltrating sensitive data or messing with the integrity of the content in the compromised system.

Difference between attack vector vs. attack surface

How are attack vectors and attack surfaces related? While the attack vector refers to the means or tactics used by an attacker to try to penetrate past an attack surface, the attack surface refers to any interface, physical or digital, where an attacker could try to enter their own input or deploy an attack vector to get unauthorized access to a system and extract data or other sensitive information. It could also be used as a point within a chain of attacks. Securing the external attack surface is a hot topic for security experts right now.

Some examples of attack surfaces include:

  • Middleware
  • Cloud storage
  • Web APIs
  • DNS, Domains and Subdomains
  • Emails
  • Routers
  • Web VPNs
  • Ports
  • Hosted apps, e.g., issue tracking tools
  • Frameworks
  • Github repo
  • Physical employee devices

How and why do hackers exploit attack vectors?

Every attacker approaches hacking their target in different ways. Depending on the information they’ve gathered through open-source intelligence and other reconnaissance, the types of attacks used to hack into the target will change. For instance, malicious hackers may use passive reconnaissance tools such as session capture to monitor vulnerabilities without interacting with them, traffic analysis, eavesdropping, and supervision. They might also use more active reconnaissance methods such as phishing and port scanning to engage with your target systems, launch DDoS attacks, target weak credentials, or infiltrate your systems with malware, unpatched vulnerabilities, and ransomware.

Related reads

A square with a link icon inside

The service desk as an attack vector

A square with a link icon inside

Common Nginx misconfigurations that leave your web server open to attack

A square with a link icon inside

How I hijacked the top-level domain of a sovereign state

A square with a link icon inside

DNS Hijacking – Taking Over Top-Level Domains and Subdomains

Chapter 2

Cyber attack vector examples

2.

Weak or Stolen credentials/credentials stuffing

A host's list of weak or stolen credentials and passwords can easily be purchased or gathered by an attacker and then misused for brute-forcing or credential stuffing attacks to get past a login interface. Examples of interface attack surfaces include:

  • Public user logins
  • Exposed web VPNs
  • Exposed remote desktop protocols
  • Email clients
  • Third-party software login

Contrary to some beliefs, the best practice here is not to always change passwords but to keep a password manager where you only need to memorize one complex and unique password and not reuse it over and over again.

Phishing

An attack vector that touches both web and physical attack surfaces because it leverages email or SMS to get a company insider to click on a malicious link. A successful phishing attempt then opens up access to the company’s network.

Most companies conduct security training to increase individual awareness for phishing attacks, and keeping it top of mind can help prevent these attacks from succeeding. In addition to training, assessing email configurations such as SPF/DMARC and DKIM records can reduce the chances of an attack.

Intercepting traffic

If your data is not encrypted correctly, attackers can eavesdrop on your traffic to steal sensitive user data such as usernames, passwords, and credit card credentials. Stolen session cookies could be leveraged further in a chain of vulnerabilities by attackers.

Even though Google reports that 95% of Google traffic is encrypted with HTTPS, attackers still have chances to listen in via man-in-the-middle attacks such as dodgy Wi-Fi connections or bypass CORS and post messages. Such vulnerabilities in websites and other encryption issues can be detected and assessed with the help of external attack surface management tools.

Accidentally exposed assets on the internet

The constant acceleration towards digitalization and remote work culture has accelerated cybersecurity attacks and incidents, with 67% reported attacks targeting remote workers. Work is no longer limited to a secured work network, forcing organizations to provide employees access to, for example, remote desktop protocols and web login interfaces. In 2020, threat actors were exploiting exposed Microsoft Remote Desktop Protocol (RDP) servers that were suddenly online because of the necessity of remote work access.

If an attacker locates a team member's access point, they could exploit this exposure using stolen user login details or brute-forcing. As a result, activating multi-factor authentication is recommended to add an extra layer of security for the attacker to overcome.

With employees working outside of the physical workplace perimeters and using unsecured WiFi networks, hacking incidents and accidental exposure of critical business ports and other internal environments are increasing. Having an asset discovery tool that will crawl the cloud environment and ports to help map out what is exposed can go a long way towards securing the entire organizational network. Read more tips on securing remote work.

Related reads

A square with a link icon inside

How I made LastPass give me all your passwords

Subdomain takeover

Subdomain takeover happens when an attacker gains control over a subdomain of a target. This can be done when a subdomain is pointing to a third-party provider that is no longer in use - seeing that, an attacker can register another non-existing domain name on the third-party service and hijack the subdomain.

Subdomains are not limited to the attack surface an organization has direct control of, such as internal domains and apps you build, but can also include external attackable points. A subdomain takeover can be particularly problematic because subdomains aren’t always closely guarded assets, which means they can go undetected for some time.

Hostile subdomain takeover is a term coined by Detectify Security Researchers whereby an attacker registers and claims ownership of a subdomain that has been forgotten or abandoned by the original site owner. The following graphic demonstrates a likely scenario of how this can happen:

Zero-day attacks

A zero-day(0-day) is a unique attack vector that exploits a vulnerability in software that the technology creator is unaware of, which means there is no fix or patch at the time of discovery. As soon as the vendor is aware of the issue, it’s a race against time to remediate and roll out the patch to affected users. Discovering and developing zero-day vulnerabilities is an industry in itself and controversial among cybersecurity experts.

Finding a zero-day is probably one of the most coveted achievements for a hacker, and Detectify receives this class of submissions through Detectify Crowdsource, our community of ethical hackers. When we receive zero-days from a Crowdsource hacker, we work with the ethical hacker and vendor to ensure the disclosure is responsible. The vendor has 45 days to patch the vulnerability, and we work together to develop the security module that goes into the Detectify scanning engines. Learn more about how Detectify handles zero-day submissions.

Social engineering

Social engineering attacks are the art of using psychological manipulation to get you to divulge confidential information or perform a specific action to give access to bad actors. It includes everything from persuading victims to visit a website with a malicious payload (a common practice in XSS and CSRF exploits) to gaining access to a company’s office and hacking on-site. Attackers have even taken to Facebook Messenger with a combination of social engineering and malicious JavaScript to spread adware.

Social engineering goes hand in hand with hacking - malicious hackers are often skilled in the art of social engineering. Following tips to protect yourself from social engineering, such as verifying the source and keeping a tab on your attack surface, is key to protecting yourself.

Denial-of-service attack (DoS attack)

A denial-of-service (DoS) attack occurs when users cannot access information systems, devices, or other network resources due to a malicious actor. Websites, emails, and online accounts are just some of the services that can be affected. Anything that relies on an affected computer or network is at risk.

A DoS attack is accomplished by flooding the targeted host or network with traffic until the target cannot respond or crashes, preventing access for legitimate users. The consequences of DoS attacks for organizations can be severe, not just time and money but also resources needed to rectify the issues and inaccessible services for users.

Malicious insiders

A malicious insider is often an employee that exposes or exploits vulnerabilities at their workplace and is usually found in a role that gives them access to sensitive data and information. According to Verizon's 2021 Data Breach Investigation Report, internal actors caused 36% of all data breaches experienced by large organizations in 2020.

Top 10 Web Application Security Risks from OWASP

(OWASP Top 10 for 2021)

  1. Broken Access Control
  2. Cryptographic Failures (formerly known as Sensitive Data Exposure)
  3. Injection (Cross-site Scripting - XSS) is now part of this category in the 2021 edition)
  4. Insecure Design (a new category for 2021, with a focus on risks related to design flaws)
  5. Security Misconfiguration (the former category for XML External Entities - XXE is now part of this category)
  6. Vulnerable and Outdated Components (formerly known as Using Components with Known Vulnerabilities)
  7. Identification and Authentication Failures (previously Broken Authentication)
  8. Software and Data Integrity Failure (a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity)
  9. Security Logging and Monitoring Failures (previously Insufficient Logging & Monitoring)
  10. Server-Side Request Forgery

Related reads

A square with a link icon inside

Crowdsource hacker first to find Zero-Day CVE-2021-43798 in Grafana

A square with a link icon inside

How I found the Grafana zero-day Path Traversal exploit that gave me access to your logs

Chapter 3

Minimizing danger from attack vectors

3.

How do you detect attack vectors on your web apps?

An attack vector on its own is not a vulnerability or at least not exploitable until proven so. From a hacker's point of view, something has to happen for an attack vector to be viable — for example, a misconfigured S3 bucket, a spoofable email domain, or an unclaimed subdomain.

Detectify Discovery light bulb graphic
Discover

What internet-facing assets do I have?

To find potential attack vectors, you need to understand what technology your organization uses that could be compromised, alongside any other available critical information. Tools like Detectify call this the first step, i.e., the "Discovery" phase.

By mapping out all of the assets belonging to your DNS records, you'll discover both known and unknown public-facing assets you have. Grammarly, a Detectify customer, had the difficult task of creating an inventory of its product offerings and applications. They were about to build their own and then discovered Detectify, which has provided Grammarly with an effortless discovery and alerting system for vulnerabilities in their system.

Detectify Assess magnifier graphic
Assess

What vulnerabilities or anomalies do I have?

Once the "Discovery" phase or information gathering is complete, you must look into the relevant attack vectors that could be chained together to exploit the possible vulnerabilities. This is called the "Assessment" phase.

Here you will need access to automated security tests that can keep up with the pace of exploit development. Working directly with ethical hackers can prove to be advantageous. They can provide testing that looks for unique vulnerabilities in software and technologies companies rely on daily, like AWS and other cloud technologies.

Photobox is one customer that benefits from using Detectify Crowdsource ethical hackers. The organization understood that crowdsourced ethical hacking research could far outpace open source tools. The combination of new research and automation from Detectify is a vital part of Photobox's security setup.

How do we apply “Prioritize” and “Remediate” to attack vectors at Detectify?

When vulnerabilities are assessed and identified, the next step entails prioritizing them with internal risk assessments based on CVSS scoring or other frameworks. Of course, finding and prioritizing vulnerabilities is far from enough, and action needs to be taken to prevent the most harmful and risky ones from causing too much damage.

Fortunately, we've got you covered. Detectify leverages automation and the expertise of its ethical hacking community to help discover weaknesses in your organization's external attack surface and tech stacks. AppSec tools like Detectify assists customers in mapping out the technologies discoverable by attackers and simulates automated hacking using attack vectors or payloads provided by a community of 400 ethical hackers.

Detectify has produced high-quality results with zero false positives, which is a significant advantage for Bühler
Patrick Zimmermann, Information Security Manager, Bühler Group
Chapter 4

Attack vector summary

4.

This ultimate guide to common attack vectors in cybersecurity has offered insights into what an attack vector is, examples of cyber attack vectors, and how you and your organization can minimize the danger of potential attack vectors.

Many external attack surface management tools stop at the "Discovery" phase of assets. Tools like Detectify go further by combining monitoring of assets with vulnerability scanning to help organizations with the next steps in protecting their attack surfaces. We give you the most accurate information about your attack surface as things change and help you and your organization decipher the most critical and crucial vulnerabilities to prioritize.

The only way to secure your attack surface is to hack it, and that's why Detectify uses the ethical hacker community to collaborate on research and methodology.

Start vulnerability testing to find exploitable anomalies across your attack surface with Surface Monitoring and Application Scanning.

Surface Monitoring

Surface Monitoring runs assessment by continuously scanning for vulnerabilities across your attack surface. Starting at the domain level, it discovers and monitors assets you may not even be aware of. View product details.

Application Scanning

Application Scanning goes beyond the capabilities of "traditional" DAST scanners. It leverages proprietary engines for crawling, fuzzing, authentication, and payload-based testing. View product details.

See the power of automated ethical hacker knowledge

Instantly secure your web applications with Detectify. Get started easily by trying both Application Scanning and Surface Monitoring for free.

Start 2-week free trial

Or would you rather speak with a sales rep?

Schedule a demo Graphic Arrow