Vulnerability Assessor Skill
Purpose
This skill provides deep analysis of security vulnerabilities, evaluating exploitability, assessing business impact, calculating risk scores, and providing detailed remediation strategies.
When to Use
- •After security scanning identifies vulnerabilities
- •Need to prioritize security findings
- •Assessing exploitability of vulnerabilities
- •Calculating CVSS scores
- •Creating remediation roadmaps
- •Risk assessment for security issues
Assessment Workflow
1. Vulnerability Classification
Categorize by Type:
Injection Vulnerabilities:
- •SQL Injection (SQLi)
- •Command Injection
- •Code Injection
- •LDAP Injection
- •XPath Injection
- •NoSQL Injection
- •OS Command Injection
Broken Authentication:
- •Weak password policies
- •Session fixation
- •Credential stuffing vulnerabilities
- •Insecure authentication tokens
- •Missing MFA
Sensitive Data Exposure:
- •Unencrypted data in transit
- •Unencrypted data at rest
- •Exposed credentials
- •PII leakage
- •API keys in code
XML External Entities (XXE):
- •XML parsing vulnerabilities
- •External entity injection
- •DTD injection
Broken Access Control:
- •Insecure direct object references (IDOR)
- •Missing authorization checks
- •Privilege escalation
- •CORS misconfiguration
Security Misconfiguration:
- •Default credentials
- •Unnecessary features enabled
- •Error messages leaking information
- •Missing security headers
Cross-Site Scripting (XSS):
- •Reflected XSS
- •Stored XSS
- •DOM-based XSS
Insecure Deserialization:
- •Pickle in Python
- •Unsafe YAML loading
- •JSON deserialization issues
Using Components with Known Vulnerabilities:
- •Outdated dependencies
- •Unpatched libraries
- •Known CVEs
Insufficient Logging & Monitoring:
- •Missing security event logging
- •No alerting on suspicious activity
- •Inadequate audit trails
Deliverable: Categorized vulnerability list
2. Exploitability Assessment
Evaluate Ease of Exploitation:
Easy (High Exploitability):
- •Publicly available exploits
- •No authentication required
- •Automated tools can exploit
- •Simple proof of concept
- •Wide attack surface
Medium Exploitability:
- •Requires some technical knowledge
- •Authentication needed but weak
- •Manual exploitation required
- •Specific conditions must be met
- •Limited attack surface
Hard (Low Exploitability):
- •Deep technical expertise required
- •Strong authentication needed
- •Complex exploitation chain
- •Rare conditions required
- •Very limited attack surface
Assessment Criteria:
- •Attack vector (Network, Adjacent, Local, Physical)
- •Attack complexity (Low, High)
- •Privileges required (None, Low, High)
- •User interaction (None, Required)
- •Available exploit code
- •Known exploitation in the wild
Deliverable: Exploitability rating for each vulnerability
3. Impact Analysis
Assess Business Impact:
Confidentiality Impact:
- •None: No information disclosure
- •Low: Minimal sensitive data exposed
- •High: Significant sensitive data exposed (PII, credentials, business secrets)
Integrity Impact:
- •None: No data modification
- •Low: Limited data modification
- •High: Significant data can be modified/deleted
Availability Impact:
- •None: No service disruption
- •Low: Minimal performance degradation
- •High: Service can be completely disrupted (DoS)
Business Impact Examples:
Critical Business Impact:
- •Customer data breach
- •Financial fraud
- •Regulatory compliance violation
- •Brand reputation damage
- •Complete service outage
High Business Impact:
- •Internal data exposure
- •Service degradation
- •Limited compliance issues
- •Moderate reputation risk
Medium Business Impact:
- •Information disclosure (non-sensitive)
- •Temporary service issues
- •Minor compliance concerns
Low Business Impact:
- •Minimal data exposure
- •No service impact
- •Best practice violations
Deliverable: Impact assessment for each vulnerability
4. CVSS Scoring
Calculate CVSS v3.1 Score:
Base Metrics:
- •
Attack Vector (AV):
- •Network (N): 0.85
- •Adjacent (A): 0.62
- •Local (L): 0.55
- •Physical (P): 0.2
- •
Attack Complexity (AC):
- •Low (L): 0.77
- •High (H): 0.44
- •
Privileges Required (PR):
- •None (N): 0.85
- •Low (L): 0.62 (0.68 if scope changed)
- •High (H): 0.27 (0.50 if scope changed)
- •
User Interaction (UI):
- •None (N): 0.85
- •Required (R): 0.62
- •
Scope (S):
- •Unchanged (U)
- •Changed (C)
- •
Confidentiality Impact (C):
- •None (N): 0.0
- •Low (L): 0.22
- •High (H): 0.56
- •
Integrity Impact (I):
- •None (N): 0.0
- •Low (L): 0.22
- •High (H): 0.56
- •
Availability Impact (A):
- •None (N): 0.0
- •Low (L): 0.22
- •High (H): 0.56
CVSS Score Ranges:
- •0.0: None
- •0.1-3.9: Low
- •4.0-6.9: Medium
- •7.0-8.9: High
- •9.0-10.0: Critical
Example CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Score: 9.8 (Critical)
Use CVSS Calculator:
# If available, use online calculator: # https://www.first.org/cvss/calculator/3.1
Deliverable: CVSS score and vector for each vulnerability
5. Risk Prioritization
Risk Matrix:
| Severity | Exploitability | Priority | SLA |
|---|---|---|---|
| Critical | Easy | P0 | 24 hours |
| Critical | Medium | P0 | 24 hours |
| Critical | Hard | P1 | 7 days |
| High | Easy | P0 | 24 hours |
| High | Medium | P1 | 7 days |
| High | Hard | P2 | 30 days |
| Medium | Easy | P2 | 30 days |
| Medium | Medium | P2 | 30 days |
| Medium | Hard | P3 | 90 days |
| Low | Any | P3 | 90 days |
Priority Definitions:
- •P0: Emergency - Fix immediately
- •P1: Urgent - Fix this week
- •P2: Important - Fix this month
- •P3: Normal - Schedule for next release
Additional Risk Factors:
- •Publicly disclosed vulnerability
- •Active exploitation in the wild
- •Compliance requirements (PCI-DSS, HIPAA, GDPR)
- •Customer-facing systems
- •Access to sensitive data
Deliverable: Prioritized vulnerability list with SLAs
6. Proof of Concept (Safe)
Demonstrate Impact (Safely):
SQL Injection Example:
Input: ' OR '1'='1 Expected: Authentication bypass or data exposure Actual: [observed behavior]
XSS Example:
Input: <script>alert('XSS')</script>
Expected: Script execution
Actual: [observed behavior]
Path Traversal Example:
Input: ../../etc/passwd Expected: Access to restricted files Actual: [observed behavior]
IMPORTANT:
- •Only demonstrate in test/dev environments
- •Never exploit production systems
- •Use safe payloads (alert, not actual malicious code)
- •Document all testing activity
- •Get authorization before testing
Deliverable: Safe proof of concept for high-priority vulnerabilities
7. Remediation Strategies
Provide Fix Recommendations:
SQL Injection:
# VULNERABLE
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
# SECURE
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
Command Injection:
# VULNERABLE
os.system(f"ping {user_input}")
# SECURE
import subprocess
subprocess.run(["ping", "-c", "1", user_input], check=True)
XSS:
// VULNERABLE element.innerHTML = userInput; // SECURE element.textContent = userInput; // Or use DOMPurify for HTML element.innerHTML = DOMPurify.sanitize(userInput);
Weak Cryptography:
# VULNERABLE import hashlib hash = hashlib.md5(password.encode()).hexdigest() # SECURE from passlib.hash import argon2 hash = argon2.hash(password)
Insecure Deserialization:
# VULNERABLE import pickle data = pickle.loads(user_data) # SECURE import json data = json.loads(user_data)
Path Traversal:
# VULNERABLE
with open(f"/uploads/{filename}", 'r') as f:
content = f.read()
# SECURE
import os
safe_path = os.path.join("/uploads", os.path.basename(filename))
if not safe_path.startswith("/uploads/"):
raise ValueError("Invalid path")
with open(safe_path, 'r') as f:
content = f.read()
Remediation Strategy Components:
- •Immediate Fix: Quick patch to mitigate
- •Proper Fix: Correct implementation
- •Verification: How to test the fix
- •Prevention: How to avoid in future
- •Detection: How to catch similar issues
Deliverable: Detailed remediation guide for each vulnerability
8. Dependency Vulnerability Assessment
Assess Third-Party Dependencies:
Evaluate CVEs:
# Get CVE details curl https://nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-XXXXX # Check fix availability pip show <package-name> pip index versions <package-name>
Assessment Checklist:
- • CVE severity (CVSS score)
- • Affected versions
- • Fixed versions available
- • Upgrade path complexity
- • Breaking changes in fix
- • Workarounds available
- • Exploitation likelihood
Remediation Options:
- •Upgrade: Best option if available
- •Patch: Apply security patch
- •Workaround: Mitigate without upgrade
- •Replace: Use alternative package
- •Accept Risk: Document and monitor (rare)
Example Assessment:
### CVE-2024-12345 - requests package **Severity**: High (CVSS 7.5) **Affected**: requests < 2.31.0 **Current Version**: 2.28.0 **Fixed In**: 2.31.0 **Vulnerability**: SSRF via redirect handling **Exploitability**: Medium - Requires attacker to control redirect URLs - Application must follow redirects **Impact**: High - Can access internal network resources - Potential data exfiltration **Recommendation**: Upgrade to 2.31.0+ **Breaking Changes**: None **Upgrade Risk**: Low **Action**: Upgrade immediately (P1)
Deliverable: Dependency vulnerability assessment with upgrade plan
Assessment Report Format
# Vulnerability Assessment Report **Date**: [YYYY-MM-DD] **Assessed By**: Vulnerability Assessor **Scope**: [Application/Component] ## Executive Summary Total Vulnerabilities: [count] - Critical: [count] (P0: [count], P1: [count]) - High: [count] (P0: [count], P1: [count], P2: [count]) - Medium: [count] - Low: [count] Immediate Actions Required: [count] ## Detailed Assessments ### [Vulnerability ID] - [Title] **Category**: [OWASP Category] **Severity**: [Critical/High/Medium/Low] **CVSS Score**: [score] ([vector]) **Priority**: [P0/P1/P2/P3] **SLA**: [timeframe] **Location**: [file:line] **Description**: [What is the vulnerability] **Exploitability**: [Easy/Medium/Hard] [Rationale for exploitability rating] **Impact**: - Confidentiality: [None/Low/High] - Integrity: [None/Low/High] - Availability: [None/Low/High] - Business Impact: [description] **Proof of Concept**:
[Safe PoC]
**Remediation**: *Immediate Mitigation*: [Quick fix to reduce risk] *Proper Fix*: ```python [Code example]
Verification: [How to test fix works]
Prevention: [How to avoid in future]
References:
- •
- •
- •
Risk Summary
P0 - Immediate Action (24h)
- •[Vulnerability 1] - Critical SQL Injection
- •[Vulnerability 2] - Critical Authentication Bypass
P1 - This Week (7d)
- •[Vulnerability 3] - High XSS
- •[Vulnerability 4] - High IDOR
P2 - This Month (30d)
[List]
P3 - Next Release (90d)
[List]
Remediation Roadmap
Week 1:
- •Fix P0 items 1-2
- •Begin P1 items
Week 2:
- •Complete P1 items
- •Begin P2 items
Month 2-3:
- •Address P2 and P3 items
- •Implement preventive measures
Metrics
- •Total Risk Reduction: [estimated %]
- •Estimated Effort: [hours/days]
- •Dependencies: [blocking items]
Conclusion
[Overall assessment and next steps]
--- ## Best Practices **Assessment**: - Use consistent scoring methodology - Document all assumptions - Consider environmental factors - Account for compensating controls - Review with security team **Prioritization**: - Business context matters - Exploit availability increases priority - Compliance requirements elevate risk - Customer data > internal data - Authentication/authorization issues are critical **Remediation**: - Fix root cause, not symptoms - Defense in depth - multiple controls - Test fixes thoroughly - Document changes - Share lessons learned **Communication**: - Be clear and concise - Avoid fear-mongering - Provide actionable guidance - Educate developers - Track progress --- ## Integration with Security Workflow **Input**: Security scan results **Process**: Detailed vulnerability analysis and risk assessment **Output**: Prioritized remediation roadmap **Next Step**: OWASP compliance checking or implementation --- ## Remember - **Context is key**: Same vulnerability has different risk in different contexts - **Exploitability matters**: Critical vulnerability that's hard to exploit may be lower priority than high vulnerability that's easy to exploit - **Business impact drives priority**: Focus on what matters to the business - **Provide solutions**: Don't just identify problems - **Track to closure**: Ensure fixes are implemented and verified - **Learn from findings**: Use vulnerabilities to improve secure coding practices Your goal is to provide actionable security intelligence that enables effective risk-based remediation.