2

In CVSS version 3, there are four different attack vectors. I am not able to differentiate between local and physical.

Say, if I want to report "absence of logout button" I will use physical as access vector. In which cases can I use local as access vector? Please try to reference web application based vulnerabilities.

sampablokuper
one

1 Answer

7

An issue of "absence of logout button" is absolutely not a physical vector. Physical means you have direct physical access to the server, as in you're standing right in front of it. A more appropriate one for "physical" would be a lack of full-disk encryption, since physical access in the context of server theft would result in an attacker getting hold of the data on the disk.

Local means you have a login session to the system. An example of such an issue might be a service binary with poor file permissions, allowing a local privilege escalation.

Adjacent means you're on the same network segment as the server, which is applicable for attacks such as ARP spoofing, where you need to be on the same subnet.

Remote, as the name suggests, is any case where you're on a remote network.

You should keep in mind that CVSS vectors are mostly not tailored for web applications; most if not all of your issues should be marked as remote vector.

Polynomial
  • Thanks for the answer. Now I have a query regarding 'absence of logout button'. If I want to exploit this vulnerability, don't I need to access the victim's laptop? I am considering this case: it is a public computer and the person just closed the tab and left. Somebody else comes up and opens the URL again. He gets access. – one Jun 01 '16 at 09:39
  • @Ruchir No, the issue of no logout button is that the user can't destroy their session, so if you steal a session ID somehow (you don't need to be local to do this) even *after* they leave the site, you can use it. – Polynomial Jun 01 '16 at 10:00
  • I understood what you said. So if I consider 'improper cache mechanism', where a few pages containing sensitive info are getting stored in the browser: in this case, should it be physical? Or not even in this one? – one Jun 01 '16 at 10:47
  • @Ruchir No, that would be local, since you only need to have interactive access to the OS for that one. Think of physical as hardware attacks. – Polynomial Jun 01 '16 at 10:53