Vulnerability Assessor Skill
Purpose
This skill provides deep analysis of security vulnerabilities, evaluating exploitability, assessing business impact, calculating risk scores, and providing detailed remediation strategies.
When to Use
-
After security scanning identifies vulnerabilities
-
Need to prioritize security findings
-
Assessing exploitability of vulnerabilities
-
Calculating CVSS scores
-
Creating remediation roadmaps
-
Risk assessment for security issues
Assessment Workflow
- Vulnerability Classification
Categorize by Type:
Injection Vulnerabilities:
-
SQL Injection (SQLi)
-
Command Injection
-
Code Injection
-
LDAP Injection
-
XPath Injection
-
NoSQL Injection
-
OS Command Injection
Broken Authentication:
-
Weak password policies
-
Session fixation
-
Credential stuffing vulnerabilities
-
Insecure authentication tokens
-
Missing MFA
Sensitive Data Exposure:
-
Unencrypted data in transit
-
Unencrypted data at rest
-
Exposed credentials
-
PII leakage
-
API keys in code
XML External Entities (XXE):
-
XML parsing vulnerabilities
-
External entity injection
-
DTD injection
Broken Access Control:
-
Insecure direct object references (IDOR)
-
Missing authorization checks
-
Privilege escalation
-
CORS misconfiguration
Security Misconfiguration:
-
Default credentials
-
Unnecessary features enabled
-
Error messages leaking information
-
Missing security headers
Cross-Site Scripting (XSS):
-
Reflected XSS
-
Stored XSS
-
DOM-based XSS
Insecure Deserialization:
-
Pickle in Python
-
Unsafe YAML loading
-
JSON deserialization issues
Using Components with Known Vulnerabilities:
-
Outdated dependencies
-
Unpatched libraries
-
Known CVEs
Insufficient Logging & Monitoring:
-
Missing security event logging
-
No alerting on suspicious activity
-
Inadequate audit trails
Deliverable: Categorized vulnerability list
- Exploitability Assessment
Evaluate Ease of Exploitation:
Easy (High Exploitability):
-
Publicly available exploits
-
No authentication required
-
Automated tools can exploit
-
Simple proof of concept
-
Wide attack surface
Medium Exploitability:
-
Requires some technical knowledge
-
Authentication needed but weak
-
Manual exploitation required
-
Specific conditions must be met
-
Limited attack surface
Hard (Low Exploitability):
-
Deep technical expertise required
-
Strong authentication needed
-
Complex exploitation chain
-
Rare conditions required
-
Very limited attack surface
Assessment Criteria:
-
Attack vector (Network, Adjacent, Local, Physical)
-
Attack complexity (Low, High)
-
Privileges required (None, Low, High)
-
User interaction (None, Required)
-
Available exploit code
-
Known exploitation in the wild
Deliverable: Exploitability rating for each vulnerability
- Impact Analysis
Assess Business Impact:
Confidentiality Impact:
-
None: No information disclosure
-
Low: Minimal sensitive data exposed
-
High: Significant sensitive data exposed (PII, credentials, business secrets)
Integrity Impact:
-
None: No data modification
-
Low: Limited data modification
-
High: Significant data can be modified/deleted
Availability Impact:
-
None: No service disruption
-
Low: Minimal performance degradation
-
High: Service can be completely disrupted (DoS)
Business Impact Examples:
Critical Business Impact:
-
Customer data breach
-
Financial fraud
-
Regulatory compliance violation
-
Brand reputation damage
-
Complete service outage
High Business Impact:
-
Internal data exposure
-
Service degradation
-
Limited compliance issues
-
Moderate reputation risk
Medium Business Impact:
-
Information disclosure (non-sensitive)
-
Temporary service issues
-
Minor compliance concerns
Low Business Impact:
-
Minimal data exposure
-
No service impact
-
Best practice violations
Deliverable: Impact assessment for each vulnerability
- CVSS Scoring
Calculate CVSS v3.1 Score:
Base Metrics:
Attack Vector (AV):
-
Network (N): 0.85
-
Adjacent (A): 0.62
-
Local (L): 0.55
-
Physical (P): 0.2
Attack Complexity (AC):
-
Low (L): 0.77
-
High (H): 0.44
Privileges Required (PR):
-
None (N): 0.85
-
Low (L): 0.62 (0.68 if scope changed)
-
High (H): 0.27 (0.50 if scope changed)
User Interaction (UI):
-
None (N): 0.85
-
Required (R): 0.62
Scope (S):
-
Unchanged (U)
-
Changed (C)
Confidentiality Impact (C):
-
None (N): 0.0
-
Low (L): 0.22
-
High (H): 0.56
Integrity Impact (I):
-
None (N): 0.0
-
Low (L): 0.22
-
High (H): 0.56
Availability Impact (A):
-
None (N): 0.0
-
Low (L): 0.22
-
High (H): 0.56
CVSS Score Ranges:
-
0.0: None
-
0.1-3.9: Low
-
4.0-6.9: Medium
-
7.0-8.9: High
-
9.0-10.0: Critical
Example CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Score: 9.8 (Critical)
Use CVSS Calculator:
If available, use online calculator:
https://www.first.org/cvss/calculator/3.1
Deliverable: CVSS score and vector for each vulnerability
- Risk Prioritization
Risk Matrix:
Severity Exploitability Priority SLA
Critical Easy P0 24 hours
Critical Medium P0 24 hours
Critical Hard P1 7 days
High Easy P0 24 hours
High Medium P1 7 days
High Hard P2 30 days
Medium Easy P2 30 days
Medium Medium P2 30 days
Medium Hard P3 90 days
Low Any P3 90 days
Priority Definitions:
-
P0: Emergency - Fix immediately
-
P1: Urgent - Fix this week
-
P2: Important - Fix this month
-
P3: Normal - Schedule for next release
Additional Risk Factors:
-
Publicly disclosed vulnerability
-
Active exploitation in the wild
-
Compliance requirements (PCI-DSS, HIPAA, GDPR)
-
Customer-facing systems
-
Access to sensitive data
Deliverable: Prioritized vulnerability list with SLAs
- Proof of Concept (Safe)
Demonstrate Impact (Safely):
SQL Injection Example:
Input: ' OR '1'='1 Expected: Authentication bypass or data exposure Actual: [observed behavior]
XSS Example:
Input: <script>alert('XSS')</script> Expected: Script execution Actual: [observed behavior]
Path Traversal Example:
Input: ../../etc/passwd Expected: Access to restricted files Actual: [observed behavior]
IMPORTANT:
-
Only demonstrate in test/dev environments
-
Never exploit production systems
-
Use safe payloads (alert, not actual malicious code)
-
Document all testing activity
-
Get authorization before testing
Deliverable: Safe proof of concept for high-priority vulnerabilities
- Remediation Strategies
Provide Fix Recommendations:
SQL Injection:
VULNERABLE
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
SECURE
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
Command Injection:
VULNERABLE
os.system(f"ping {user_input}")
SECURE
import subprocess subprocess.run(["ping", "-c", "1", user_input], check=True)
XSS:
// VULNERABLE element.innerHTML = userInput;
// SECURE element.textContent = userInput; // Or use DOMPurify for HTML element.innerHTML = DOMPurify.sanitize(userInput);
Weak Cryptography:
VULNERABLE
import hashlib hash = hashlib.md5(password.encode()).hexdigest()
SECURE
from passlib.hash import argon2 hash = argon2.hash(password)
Insecure Deserialization:
VULNERABLE
import pickle data = pickle.loads(user_data)
SECURE
import json data = json.loads(user_data)
Path Traversal:
VULNERABLE
with open(f"/uploads/{filename}", 'r') as f: content = f.read()
SECURE
import os safe_path = os.path.join("/uploads", os.path.basename(filename)) if not safe_path.startswith("/uploads/"): raise ValueError("Invalid path") with open(safe_path, 'r') as f: content = f.read()
Remediation Strategy Components:
-
Immediate Fix: Quick patch to mitigate
-
Proper Fix: Correct implementation
-
Verification: How to test the fix
-
Prevention: How to avoid in future
-
Detection: How to catch similar issues
Deliverable: Detailed remediation guide for each vulnerability
- Dependency Vulnerability Assessment
Assess Third-Party Dependencies:
Evaluate CVEs:
Get CVE details
curl https://nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-XXXXX
Check fix availability
pip show <package-name> pip index versions <package-name>
Assessment Checklist:
-
CVE severity (CVSS score)
-
Affected versions
-
Fixed versions available
-
Upgrade path complexity
-
Breaking changes in fix
-
Workarounds available
-
Exploitation likelihood
Remediation Options:
-
Upgrade: Best option if available
-
Patch: Apply security patch
-
Workaround: Mitigate without upgrade
-
Replace: Use alternative package
-
Accept Risk: Document and monitor (rare)
Example Assessment:
CVE-2024-12345 - requests package
Severity: High (CVSS 7.5) Affected: requests < 2.31.0 Current Version: 2.28.0 Fixed In: 2.31.0
Vulnerability: SSRF via redirect handling
Exploitability: Medium
- Requires attacker to control redirect URLs
- Application must follow redirects
Impact: High
- Can access internal network resources
- Potential data exfiltration
Recommendation: Upgrade to 2.31.0+ Breaking Changes: None Upgrade Risk: Low
Action: Upgrade immediately (P1)
Deliverable: Dependency vulnerability assessment with upgrade plan
Assessment Report Format
Vulnerability Assessment Report
Date: [YYYY-MM-DD] Assessed By: Vulnerability Assessor Scope: [Application/Component]
Executive Summary
Total Vulnerabilities: [count]
- Critical: [count] (P0: [count], P1: [count])
- High: [count] (P0: [count], P1: [count], P2: [count])
- Medium: [count]
- Low: [count]
Immediate Actions Required: [count]
Detailed Assessments
[Vulnerability ID] - [Title]
Category: [OWASP Category] Severity: [Critical/High/Medium/Low] CVSS Score: [score] ([vector]) Priority: [P0/P1/P2/P3] SLA: [timeframe]
Location: [file:line]
Description: [What is the vulnerability]
Exploitability: [Easy/Medium/Hard] [Rationale for exploitability rating]
Impact:
- Confidentiality: [None/Low/High]
- Integrity: [None/Low/High]
- Availability: [None/Low/High]
- Business Impact: [description]
Proof of Concept:
[Safe PoC]
Remediation:
Immediate Mitigation: [Quick fix to reduce risk]
Proper Fix:
[Code example]
Verification:
[How to test fix works]
Prevention:
[How to avoid in future]
References:
-
-
-
Risk Summary
P0 - Immediate Action (24h)
- [Vulnerability 1] - Critical SQL Injection
- [Vulnerability 2] - Critical Authentication Bypass
P1 - This Week (7d)
- [Vulnerability 3] - High XSS
- [Vulnerability 4] - High IDOR
P2 - This Month (30d)
[List]
P3 - Next Release (90d)
[List]
Remediation Roadmap
Week 1:
- Fix P0 items 1-2
- Begin P1 items
Week 2:
- Complete P1 items
- Begin P2 items
Month 2-3:
- Address P2 and P3 items
- Implement preventive measures
Metrics
- Total Risk Reduction: [estimated %]
- Estimated Effort: [hours/days]
- Dependencies: [blocking items]
Conclusion
[Overall assessment and next steps]
---
## Best Practices
**Assessment**:
- Use consistent scoring methodology
- Document all assumptions
- Consider environmental factors
- Account for compensating controls
- Review with security team
**Prioritization**:
- Business context matters
- Exploit availability increases priority
- Compliance requirements elevate risk
- Customer data > internal data
- Authentication/authorization issues are critical
**Remediation**:
- Fix root cause, not symptoms
- Defense in depth - multiple controls
- Test fixes thoroughly
- Document changes
- Share lessons learned
**Communication**:
- Be clear and concise
- Avoid fear-mongering
- Provide actionable guidance
- Educate developers
- Track progress
---
## Integration with Security Workflow
**Input**: Security scan results
**Process**: Detailed vulnerability analysis and risk assessment
**Output**: Prioritized remediation roadmap
**Next Step**: OWASP compliance checking or implementation
---
## Remember
- **Context is key**: Same vulnerability has different risk in different contexts
- **Exploitability matters**: Critical vulnerability that's hard to exploit may be lower priority than high vulnerability that's easy to exploit
- **Business impact drives priority**: Focus on what matters to the business
- **Provide solutions**: Don't just identify problems
- **Track to closure**: Ensure fixes are implemented and verified
- **Learn from findings**: Use vulnerabilities to improve secure coding practices
Your goal is to provide actionable security intelligence that enables effective risk-based remediation.