Attack complexity

The attack complexity metric describes the conditions and prerequisites that are beyond the attacker's control but must be in place for the vulnerability to be exploited successfully. For example, a particular vulnerability might be exploitable only if a particular version of the application is deployed on a certain OS platform with some custom settings; exploitation is possible only when all of these conditions are met. Other vulnerabilities might be exploitable irrespective of the application version and the type of base operating system. Thus, the conditions and prerequisites add to the attack complexity and vary from one vulnerability to another:

| Parameter | Description | Example |
|---|---|---|
| Low | No specific conditions or prerequisites exist that might hinder the attacker from successfully exploiting the vulnerable component repeatedly. | Denial of service caused by sending specially crafted TCP packet |
| High | The success of the attack relies on specific conditions that are beyond the control of the attacker. Thus, the attacker cannot launch a successful attack whenever he wants and would need to put in considerable effort in preparing for the attack. | Attacks involving random tokens, sequence numbers, and so on |