name: vulnerability-assessor
description: Assess identified vulnerabilities for exploitability, impact, and risk.
Provide CVSS scoring and remediation strategies. Use when analyzing security findings.
allowed-tools: Read, Grep, Glob, Bash

Vulnerability Assessor Skill

Purpose

This skill provides deep analysis of security vulnerabilities, evaluating exploitability, assessing business impact, calculating risk scores, and providing detailed remediation strategies.

When to Use

• After security scanning identifies vulnerabilities
• Need to prioritize security findings
• Assessing exploitability of vulnerabilities
• Calculating CVSS scores
• Creating remediation roadmaps
• Risk assessment for security issues

Assessment Workflow

1. Vulnerability Classification

Categorize by Type:

Injection Vulnerabilities:
- SQL Injection (SQLi)
- Command Injection
- Code Injection
- LDAP Injection
- XPath Injection
- NoSQL Injection
- OS Command Injection

Broken Authentication:
- Weak password policies
- Session fixation
- Credential stuffing vulnerabilities
- Insecure authentication tokens
- Missing MFA

Sensitive Data Exposure:
- Unencrypted data in transit
- Unencrypted data at rest
- Exposed credentials
- PII leakage
- API keys in code

XML External Entities (XXE):
- XML parsing vulnerabilities
- External entity injection
- DTD injection

Broken Access Control:
- Insecure direct object references (IDOR)
- Missing authorization checks
- Privilege escalation
- CORS misconfiguration

Security Misconfiguration:
- Default credentials
- Unnecessary features enabled
- Error messages leaking information
- Missing security headers

Cross-Site Scripting (XSS):
- Reflected XSS
- Stored XSS
- DOM-based XSS

Insecure Deserialization:
- Pickle in Python
- Unsafe YAML loading
- JSON deserialization issues

Using Components with Known Vulnerabilities:
- Outdated dependencies
- Unpatched libraries
- Known CVEs

Insufficient Logging & Monitoring:
- Missing security event logging
- No alerting on suspicious activity
- Inadequate audit trails

Deliverable: Categorized vulnerability list

2. Exploitability Assessment

Evaluate Ease of Exploitation:

Easy (High Exploitability):
- Publicly available exploits
- No authentication required
- Automated tools can exploit
- Simple proof of concept
- Wide attack surface

Medium Exploitability:
- Requires some technical knowledge
- Authentication needed but weak
- Manual exploitation required
- Specific conditions must be met
- Limited attack surface

Hard (Low Exploitability):
- Deep technical expertise required
- Strong authentication needed
- Complex exploitation chain
- Rare conditions required
- Very limited attack surface

Assessment Criteria:
- Attack vector (Network, Adjacent, Local, Physical)
- Attack complexity (Low, High)
- Privileges required (None, Low, High)
- User interaction (None, Required)
- Available exploit code
- Known exploitation in the wild

Deliverable: Exploitability rating for each vulnerability

3. Impact Analysis

Assess Business Impact:

Confidentiality Impact:
- None: No information disclosure
- Low: Minimal sensitive data exposed
- High: Significant sensitive data exposed (PII, credentials, business secrets)

Integrity Impact:
- None: No data modification
- Low: Limited data modification
- High: Significant data can be modified/deleted

Availability Impact:
- None: No service disruption
- Low: Minimal performance degradation
- High: Service can be completely disrupted (DoS)

Business Impact Examples:

Critical Business Impact:
- Customer data breach
- Financial fraud
- Regulatory compliance violation
- Brand reputation damage
- Complete service outage

High Business Impact:
- Internal data exposure
- Service degradation
- Limited compliance issues
- Moderate reputation risk

Medium Business Impact:
- Information disclosure (non-sensitive)
- Temporary service issues
- Minor compliance concerns

Low Business Impact:
- Minimal data exposure
- No service impact
- Best practice violations

Deliverable: Impact assessment for each vulnerability

4. CVSS Scoring

Calculate CVSS v3.1 Score:

Base Metrics:

1. Attack Vector (AV):
2. Network (N): 0.85
3. Adjacent (A): 0.62
4. Local (L): 0.55

5. Physical (P): 0.2

6. Attack Complexity (AC):

7. Low (L): 0.77

8. High (H): 0.44

9. Privileges Required (PR):

10. None (N): 0.85
11. Low (L): 0.62 (0.68 if scope changed)

12. High (H): 0.27 (0.50 if scope changed)

13. User Interaction (UI):

14. None (N): 0.85

15. Required (R): 0.62

16. Scope (S):

17. Unchanged (U)

18. Changed (C)

19. Confidentiality Impact (C):

20. None (N): 0.0
21. Low (L): 0.22

22. High (H): 0.56

23. Integrity Impact (I):

24. None (N): 0.0
25. Low (L): 0.22

26. High (H): 0.56

27. Availability Impact (A):

28. None (N): 0.0
29. Low (L): 0.22
30. High (H): 0.56

CVSS Score Ranges:
- 0.0: None
- 0.1-3.9: Low
- 4.0-6.9: Medium
- 7.0-8.9: High
- 9.0-10.0: Critical

Example CVSS Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8 (Critical)

Use CVSS Calculator:

# If available, use online calculator:
# https://www.first.org/cvss/calculator/3.1

Deliverable: CVSS score and vector for each vulnerability

5. Risk Prioritization

Risk Matrix:

Priority Definitions:
- P0: Emergency - Fix immediately
- P1: Urgent - Fix this week
- P2: Important - Fix this month
- P3: Normal - Schedule for next release

Additional Risk Factors:
- Publicly disclosed vulnerability
- Active exploitation in the wild
- Compliance requirements (PCI-DSS, HIPAA, GDPR)
- Customer-facing systems
- Access to sensitive data

Deliverable: Prioritized vulnerability list with SLAs

6. Proof of Concept (Safe)

Demonstrate Impact (Safely):

SQL Injection Example:

Input: ' OR '1'='1
Expected: Authentication bypass or data exposure
Actual: [observed behavior]

XSS Example:

Input: <script>alert('XSS')</script>
Expected: Script execution
Actual: [observed behavior]

Path Traversal Example:

Input: ../../etc/passwd
Expected: Access to restricted files
Actual: [observed behavior]

IMPORTANT:
- Only demonstrate in test/dev environments
- Never exploit production systems
- Use safe payloads (alert, not actual malicious code)
- Document all testing activity
- Get authorization before testing

Deliverable: Safe proof of concept for high-priority vulnerabilities

7. Remediation Strategies

Provide Fix Recommendations:

SQL Injection:

# VULNERABLE
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

# SECURE
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

Command Injection:

# VULNERABLE
os.system(f"ping {user_input}")

# SECURE
import subprocess
subprocess.run(["ping", "-c", "1", user_input], check=True)

XSS:

// VULNERABLE
element.innerHTML = userInput;

// SECURE
element.textContent = userInput;
// Or use DOMPurify for HTML
element.innerHTML = DOMPurify.sanitize(userInput);

Weak Cryptography:

# VULNERABLE
import hashlib
hash = hashlib.md5(password.encode()).hexdigest()

# SECURE
from passlib.hash import argon2
hash = argon2.hash(password)

Insecure Deserialization:

# VULNERABLE
import pickle
data = pickle.loads(user_data)

# SECURE
import json
data = json.loads(user_data)

Path Traversal:

# VULNERABLE
with open(f"/uploads/{filename}", 'r') as f:
    content = f.read()

# SECURE
import os
safe_path = os.path.join("/uploads", os.path.basename(filename))
if not safe_path.startswith("/uploads/"):
    raise ValueError("Invalid path")
with open(safe_path, 'r') as f:
    content = f.read()

Remediation Strategy Components:
1. Immediate Fix: Quick patch to mitigate
2. Proper Fix: Correct implementation
3. Verification: How to test the fix
4. Prevention: How to avoid in future
5. Detection: How to catch similar issues

Deliverable: Detailed remediation guide for each vulnerability

8. Dependency Vulnerability Assessment

Assess Third-Party Dependencies:

Evaluate CVEs:

# Get CVE details
curl https://nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-XXXXX

# Check fix availability
pip show <package-name>
pip index versions <package-name>

Assessment Checklist:
- [ ] CVE severity (CVSS score)
- [ ] Affected versions
- [ ] Fixed versions available
- [ ] Upgrade path complexity
- [ ] Breaking changes in fix
- [ ] Workarounds available
- [ ] Exploitation likelihood

Remediation Options:
1. Upgrade: Best option if available
2. Patch: Apply security patch
3. Workaround: Mitigate without upgrade
4. Replace: Use alternative package
5. Accept Risk: Document and monitor (rare)

Example Assessment:

### CVE-2024-12345 - requests package

**Severity**: High (CVSS 7.5)
**Affected**: requests < 2.31.0
**Current Version**: 2.28.0
**Fixed In**: 2.31.0

**Vulnerability**: SSRF via redirect handling

**Exploitability**: Medium
- Requires attacker to control redirect URLs
- Application must follow redirects

**Impact**: High
- Can access internal network resources
- Potential data exfiltration

**Recommendation**: Upgrade to 2.31.0+
**Breaking Changes**: None
**Upgrade Risk**: Low

**Action**: Upgrade immediately (P1)

Deliverable: Dependency vulnerability assessment with upgrade plan

Assessment Report Format

# Vulnerability Assessment Report

**Date**: [YYYY-MM-DD]
**Assessed By**: Vulnerability Assessor
**Scope**: [Application/Component]

## Executive Summary

Total Vulnerabilities: [count]
- Critical: [count] (P0: [count], P1: [count])
- High: [count] (P0: [count], P1: [count], P2: [count])
- Medium: [count]
- Low: [count]

Immediate Actions Required: [count]

## Detailed Assessments

### [Vulnerability ID] - [Title]

**Category**: [OWASP Category]
**Severity**: [Critical/High/Medium/Low]
**CVSS Score**: [score] ([vector])
**Priority**: [P0/P1/P2/P3]
**SLA**: [timeframe]

**Location**: [file:line]

**Description**:
[What is the vulnerability]

**Exploitability**: [Easy/Medium/Hard]
[Rationale for exploitability rating]

**Impact**:
- Confidentiality: [None/Low/High]
- Integrity: [None/Low/High]
- Availability: [None/Low/High]
- Business Impact: [description]

**Proof of Concept**:

[Safe PoC]

**Remediation**:

*Immediate Mitigation*:
[Quick fix to reduce risk]

*Proper Fix*:
```python
[Code example]

Verification:
[How to test fix works]

Prevention:
[How to avoid in future]

References:
- [CWE-XXX]: [link]
- [CVE-YYYY-XXXXX]: [link]
- [Documentation]: [link]

Risk Summary

P0 - Immediate Action (24h)

1. [Vulnerability 1] - Critical SQL Injection
2. [Vulnerability 2] - Critical Authentication Bypass

P1 - This Week (7d)

1. [Vulnerability 3] - High XSS
2. [Vulnerability 4] - High IDOR

P2 - This Month (30d)

[List]

P3 - Next Release (90d)

[List]

Remediation Roadmap

Week 1:
- Fix P0 items 1-2
- Begin P1 items

Week 2:
- Complete P1 items
- Begin P2 items

Month 2-3:
- Address P2 and P3 items
- Implement preventive measures

Metrics

• Total Risk Reduction: [estimated %]
• Estimated Effort: [hours/days]
• Dependencies: [blocking items]

Conclusion

[Overall assessment and next steps]
```

Best Practices

Assessment:
- Use consistent scoring methodology
- Document all assumptions
- Consider environmental factors
- Account for compensating controls
- Review with security team

Prioritization:
- Business context matters
- Exploit availability increases priority
- Compliance requirements elevate risk
- Customer data > internal data
- Authentication/authorization issues are critical

Remediation:
- Fix root cause, not symptoms
- Defense in depth - multiple controls
- Test fixes thoroughly
- Document changes
- Share lessons learned

Communication:
- Be clear and concise
- Avoid fear-mongering
- Provide actionable guidance
- Educate developers
- Track progress

Integration with Security Workflow

Input: Security scan results
Process: Detailed vulnerability analysis and risk assessment
Output: Prioritized remediation roadmap
Next Step: OWASP compliance checking or implementation

Remember

• Context is key: Same vulnerability has different risk in different contexts
• Exploitability matters: Critical vulnerability that's hard to exploit may be lower priority than high vulnerability that's easy to exploit
• Business impact drives priority: Focus on what matters to the business
• Provide solutions: Don't just identify problems
• Track to closure: Ensure fixes are implemented and verified
• Learn from findings: Use vulnerabilities to improve secure coding practices

Your goal is to provide actionable security intelligence that enables effective risk-based remediation.