Vulnerability Assessor Skill

Purpose

This skill provides deep analysis of security vulnerabilities, evaluating exploitability, assessing business impact, calculating risk scores, and providing detailed remediation strategies.

When to Use

• After security scanning identifies vulnerabilities
• Need to prioritize security findings
• Assessing exploitability of vulnerabilities
• Calculating CVSS scores
• Creating remediation roadmaps
• Risk assessment for security issues

Assessment Workflow

1. Vulnerability Classification

Categorize by Type:

Injection Vulnerabilities:

• SQL Injection (SQLi)
• Command Injection
• Code Injection
• LDAP Injection
• XPath Injection
• NoSQL Injection
• OS Command Injection

Broken Authentication:

• Weak password policies
• Session fixation
• Credential stuffing vulnerabilities
• Insecure authentication tokens
• Missing MFA

Sensitive Data Exposure:

• Unencrypted data in transit
• Unencrypted data at rest
• Exposed credentials
• PII leakage
• API keys in code

XML External Entities (XXE):

• XML parsing vulnerabilities
• External entity injection
• DTD injection

Broken Access Control:

• Insecure direct object references (IDOR)
• Missing authorization checks
• Privilege escalation
• CORS misconfiguration

Security Misconfiguration:

• Default credentials
• Unnecessary features enabled
• Error messages leaking information
• Missing security headers

Cross-Site Scripting (XSS):

• Reflected XSS
• Stored XSS
• DOM-based XSS

Insecure Deserialization:

• Pickle in Python
• Unsafe YAML loading
• JSON deserialization issues

Using Components with Known Vulnerabilities:

• Outdated dependencies
• Unpatched libraries
• Known CVEs

Insufficient Logging & Monitoring:

• Missing security event logging
• No alerting on suspicious activity
• Inadequate audit trails

Deliverable: Categorized vulnerability list

---

2. Exploitability Assessment

Evaluate Ease of Exploitation:

Easy (High Exploitability):

• Publicly available exploits
• No authentication required
• Automated tools can exploit
• Simple proof of concept
• Wide attack surface

Medium Exploitability:

• Requires some technical knowledge
• Authentication needed but weak
• Manual exploitation required
• Specific conditions must be met
• Limited attack surface

Hard (Low Exploitability):

• Deep technical expertise required
• Strong authentication needed
• Complex exploitation chain
• Rare conditions required
• Very limited attack surface

Assessment Criteria:

• Attack vector (Network, Adjacent, Local, Physical)
• Attack complexity (Low, High)
• Privileges required (None, Low, High)
• User interaction (None, Required)
• Available exploit code
• Known exploitation in the wild

Deliverable: Exploitability rating for each vulnerability

---

3. Impact Analysis

Assess Business Impact:

Confidentiality Impact:

• None: No information disclosure
• Low: Minimal sensitive data exposed
• High: Significant sensitive data exposed (PII, credentials, business secrets)

Integrity Impact:

• None: No data modification
• Low: Limited data modification
• High: Significant data can be modified/deleted

Availability Impact:

• None: No service disruption
• Low: Minimal performance degradation
• High: Service can be completely disrupted (DoS)

Business Impact Examples:

Critical Business Impact:

• Customer data breach
• Financial fraud
• Regulatory compliance violation
• Brand reputation damage
• Complete service outage

High Business Impact:

• Internal data exposure
• Service degradation
• Limited compliance issues
• Moderate reputation risk

Medium Business Impact:

• Information disclosure (non-sensitive)
• Temporary service issues
• Minor compliance concerns

Low Business Impact:

• Minimal data exposure
• No service impact
• Best practice violations

Deliverable: Impact assessment for each vulnerability

---

4. CVSS Scoring

Calculate CVSS v3.1 Score:

Base Metrics:

1. Attack Vector (AV):

   • Network (N): 0.85
   • Adjacent (A): 0.62
   • Local (L): 0.55
   • Physical (P): 0.2

2. Attack Complexity (AC):

   • Low (L): 0.77
   • High (H): 0.44

3. Privileges Required (PR):

   • None (N): 0.85
   • Low (L): 0.62 (0.68 if scope changed)
   • High (H): 0.27 (0.50 if scope changed)

4. User Interaction (UI):

   • None (N): 0.85
   • Required (R): 0.62

5. Scope (S):

   • Unchanged (U)
   • Changed (C)

6. Confidentiality Impact (C):

   • None (N): 0.0
   • Low (L): 0.22
   • High (H): 0.56

7. Integrity Impact (I):

   • None (N): 0.0
   • Low (L): 0.22
   • High (H): 0.56

8. Availability Impact (A):

   • None (N): 0.0
   • Low (L): 0.22
   • High (H): 0.56

CVSS Score Ranges:

• 0.0: None
• 0.1-3.9: Low
• 4.0-6.9: Medium
• 7.0-8.9: High
• 9.0-10.0: Critical

Example CVSS Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8 (Critical)

Use CVSS Calculator:

# If available, use online calculator:
# https://www.first.org/cvss/calculator/3.1

Deliverable: CVSS score and vector for each vulnerability

---

5. Risk Prioritization

Risk Matrix:

Severity	Exploitability	Priority	SLA
Critical	Easy	P0	24 hours
Critical	Medium	P0	24 hours
Critical	Hard	P1	7 days
High	Easy	P0	24 hours
High	Medium	P1	7 days
High	Hard	P2	30 days
Medium	Easy	P2	30 days
Medium	Medium	P2	30 days
Medium	Hard	P3	90 days
Low	Any	P3	90 days

Priority Definitions:

• P0: Emergency - Fix immediately
• P1: Urgent - Fix this week
• P2: Important - Fix this month
• P3: Normal - Schedule for next release

Additional Risk Factors:

• Publicly disclosed vulnerability
• Active exploitation in the wild
• Compliance requirements (PCI-DSS, HIPAA, GDPR)
• Customer-facing systems
• Access to sensitive data

Deliverable: Prioritized vulnerability list with SLAs

---

6. Proof of Concept (Safe)

Demonstrate Impact (Safely):

SQL Injection Example:

Input: ' OR '1'='1
Expected: Authentication bypass or data exposure
Actual: [observed behavior]

XSS Example:

Input: <script>alert('XSS')</script>
Expected: Script execution
Actual: [observed behavior]

Path Traversal Example:

Input: ../../etc/passwd
Expected: Access to restricted files
Actual: [observed behavior]

IMPORTANT:

• Only demonstrate in test/dev environments
• Never exploit production systems
• Use safe payloads (alert, not actual malicious code)
• Document all testing activity
• Get authorization before testing

Deliverable: Safe proof of concept for high-priority vulnerabilities

---

7. Remediation Strategies

Provide Fix Recommendations:

SQL Injection:

# VULNERABLE
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

# SECURE
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

Command Injection:

# VULNERABLE
os.system(f"ping {user_input}")

# SECURE
import subprocess
subprocess.run(["ping", "-c", "1", user_input], check=True)

XSS:

// VULNERABLE
element.innerHTML = userInput;

// SECURE
element.textContent = userInput;
// Or use DOMPurify for HTML
element.innerHTML = DOMPurify.sanitize(userInput);

Weak Cryptography:

# VULNERABLE
import hashlib
hash = hashlib.md5(password.encode()).hexdigest()

# SECURE
from passlib.hash import argon2
hash = argon2.hash(password)

Insecure Deserialization:

# VULNERABLE
import pickle
data = pickle.loads(user_data)

# SECURE
import json
data = json.loads(user_data)

Path Traversal:

# VULNERABLE
with open(f"/uploads/{filename}", 'r') as f:
    content = f.read()

# SECURE
import os
safe_path = os.path.join("/uploads", os.path.basename(filename))
if not safe_path.startswith("/uploads/"):
    raise ValueError("Invalid path")
with open(safe_path, 'r') as f:
    content = f.read()

Remediation Strategy Components:

1. Immediate Fix: Quick patch to mitigate
2. Proper Fix: Correct implementation
3. Verification: How to test the fix
4. Prevention: How to avoid in future
5. Detection: How to catch similar issues

Deliverable: Detailed remediation guide for each vulnerability

---

8. Dependency Vulnerability Assessment

Assess Third-Party Dependencies:

Evaluate CVEs:

# Get CVE details
curl https://nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-XXXXX

# Check fix availability
pip show <package-name>
pip index versions <package-name>

Assessment Checklist:

• CVE severity (CVSS score)
• Affected versions
• Fixed versions available
• Upgrade path complexity
• Breaking changes in fix
• Workarounds available
• Exploitation likelihood

Remediation Options:

1. Upgrade: Best option if available
2. Patch: Apply security patch
3. Workaround: Mitigate without upgrade
4. Replace: Use alternative package
5. Accept Risk: Document and monitor (rare)

Example Assessment:

### CVE-2024-12345 - requests package

**Severity**: High (CVSS 7.5)
**Affected**: requests < 2.31.0
**Current Version**: 2.28.0
**Fixed In**: 2.31.0

**Vulnerability**: SSRF via redirect handling

**Exploitability**: Medium
- Requires attacker to control redirect URLs
- Application must follow redirects

**Impact**: High
- Can access internal network resources
- Potential data exfiltration

**Recommendation**: Upgrade to 2.31.0+
**Breaking Changes**: None
**Upgrade Risk**: Low

**Action**: Upgrade immediately (P1)

Deliverable: Dependency vulnerability assessment with upgrade plan

---

Assessment Report Format

# Vulnerability Assessment Report

**Date**: [YYYY-MM-DD]
**Assessed By**: Vulnerability Assessor
**Scope**: [Application/Component]

## Executive Summary

Total Vulnerabilities: [count]
- Critical: [count] (P0: [count], P1: [count])
- High: [count] (P0: [count], P1: [count], P2: [count])
- Medium: [count]
- Low: [count]

Immediate Actions Required: [count]

## Detailed Assessments

### [Vulnerability ID] - [Title]

**Category**: [OWASP Category]
**Severity**: [Critical/High/Medium/Low]
**CVSS Score**: [score] ([vector])
**Priority**: [P0/P1/P2/P3]
**SLA**: [timeframe]

**Location**: [file:line]

**Description**:
[What is the vulnerability]

**Exploitability**: [Easy/Medium/Hard]
[Rationale for exploitability rating]

**Impact**:
- Confidentiality: [None/Low/High]
- Integrity: [None/Low/High]
- Availability: [None/Low/High]
- Business Impact: [description]

**Proof of Concept**:

[Safe PoC]

**Remediation**:

*Immediate Mitigation*:
[Quick fix to reduce risk]

*Proper Fix*:
```python
[Code example]

Verification: [How to test fix works]

Prevention: [How to avoid in future]

References:

---

Risk Summary

P0 - Immediate Action (24h)

1. [Vulnerability 1] - Critical SQL Injection
2. [Vulnerability 2] - Critical Authentication Bypass

P1 - This Week (7d)

1. [Vulnerability 3] - High XSS
2. [Vulnerability 4] - High IDOR

P2 - This Month (30d)

[List]

P3 - Next Release (90d)

[List]

Remediation Roadmap

Week 1:

• Fix P0 items 1-2
• Begin P1 items

Week 2:

• Complete P1 items
• Begin P2 items

Month 2-3:

• Address P2 and P3 items
• Implement preventive measures

Metrics

• Total Risk Reduction: [estimated %]
• Estimated Effort: [hours/days]
• Dependencies: [blocking items]

Conclusion

[Overall assessment and next steps]

---

## Best Practices

**Assessment**:
- Use consistent scoring methodology
- Document all assumptions
- Consider environmental factors
- Account for compensating controls
- Review with security team

**Prioritization**:
- Business context matters
- Exploit availability increases priority
- Compliance requirements elevate risk
- Customer data > internal data
- Authentication/authorization issues are critical

**Remediation**:
- Fix root cause, not symptoms
- Defense in depth - multiple controls
- Test fixes thoroughly
- Document changes
- Share lessons learned

**Communication**:
- Be clear and concise
- Avoid fear-mongering
- Provide actionable guidance
- Educate developers
- Track progress

---

## Integration with Security Workflow

**Input**: Security scan results
**Process**: Detailed vulnerability analysis and risk assessment
**Output**: Prioritized remediation roadmap
**Next Step**: OWASP compliance checking or implementation

---

## Remember

- **Context is key**: Same vulnerability has different risk in different contexts
- **Exploitability matters**: Critical vulnerability that's hard to exploit may be lower priority than high vulnerability that's easy to exploit
- **Business impact drives priority**: Focus on what matters to the business
- **Provide solutions**: Don't just identify problems
- **Track to closure**: Ensure fixes are implemented and verified
- **Learn from findings**: Use vulnerabilities to improve secure coding practices

Your goal is to provide actionable security intelligence that enables effective risk-based remediation.