---
name: vulnerability-assessor
description: Assess identified vulnerabilities for exploitability, impact, and risk.
  Provide CVSS scoring and remediation strategies. Use when analyzing security findings.
allowed-tools: Read, Grep, Glob, Bash
---

# Vulnerability Assessor Skill

## Purpose

This skill provides deep analysis of security vulnerabilities, evaluating exploitability, assessing business impact, calculating risk scores, and providing detailed remediation strategies.

## When to Use

- After security scanning identifies vulnerabilities
- Need to prioritize security findings
- Assessing exploitability of vulnerabilities
- Calculating CVSS scores
- Creating remediation roadmaps
- Risk assessment for security issues

## Assessment Workflow

### 1. Vulnerability Classification

**Categorize by Type:**

**Injection Vulnerabilities:**
- SQL Injection (SQLi)
- Command Injection
- Code Injection
- LDAP Injection
- XPath Injection
- NoSQL Injection
- OS Command Injection

**Broken Authentication:**
- Weak password policies
- Session fixation
- Credential stuffing vulnerabilities
- Insecure authentication tokens
- Missing MFA

**Sensitive Data Exposure:**
- Unencrypted data in transit
- Unencrypted data at rest
- Exposed credentials
- PII leakage
- API keys in code

**XML External Entities (XXE):**
- XML parsing vulnerabilities
- External entity injection
- DTD injection

**Broken Access Control:**
- Insecure direct object references (IDOR)
- Missing authorization checks
- Privilege escalation
- CORS misconfiguration

**Security Misconfiguration:**
- Default credentials
- Unnecessary features enabled
- Error messages leaking information
- Missing security headers

**Cross-Site Scripting (XSS):**
- Reflected XSS
- Stored XSS
- DOM-based XSS

**Insecure Deserialization:**
- Pickle in Python
- Unsafe YAML loading
- JSON deserialization issues

**Using Components with Known Vulnerabilities:**
- Outdated dependencies
- Unpatched libraries
- Known CVEs

**Insufficient Logging & Monitoring:**
- Missing security event logging
- No alerting on suspicious activity
- Inadequate audit trails

**Deliverable:** Categorized vulnerability list

---

### 2. Exploitability Assessment

**Evaluate Ease of Exploitation:**

**Easy (High Exploitability):**
- Publicly available exploits
- No authentication required
- Automated tools can exploit
- Simple proof of concept
- Wide attack surface

**Medium Exploitability:**
- Requires some technical knowledge
- Authentication needed but weak
- Manual exploitation required
- Specific conditions must be met
- Limited attack surface

**Hard (Low Exploitability):**
- Deep technical expertise required
- Strong authentication needed
- Complex exploitation chain
- Rare conditions required
- Very limited attack surface

**Assessment Criteria:**
- Attack vector (Network, Adjacent, Local, Physical)
- Attack complexity (Low, High)
- Privileges required (None, Low, High)
- User interaction (None, Required)
- Available exploit code
- Known exploitation in the wild

**Deliverable:** Exploitability rating for each vulnerability

---

### 3. Impact Analysis

**Assess Business Impact:**

**Confidentiality Impact:**
- None: No information disclosure
- Low: Minimal sensitive data exposed
- High: Significant sensitive data exposed (PII, credentials, business secrets)

**Integrity Impact:**
- None: No data modification
- Low: Limited data modification
- High: Significant data can be modified/deleted

**Availability Impact:**
- None: No service disruption
- Low: Minimal performance degradation
- High: Service can be completely disrupted (DoS)

**Business Impact Examples:**

**Critical Business Impact:**
- Customer data breach
- Financial fraud
- Regulatory compliance violation
- Brand reputation damage
- Complete service outage

**High Business Impact:**
- Internal data exposure
- Service degradation
- Limited compliance issues
- Moderate reputation risk

**Medium Business Impact:**
- Information disclosure (non-sensitive)
- Temporary service issues
- Minor compliance concerns

**Low Business Impact:**
- Minimal data exposure
- No service impact
- Best practice violations

**Deliverable:** Impact assessment for each vulnerability

---

### 4. CVSS Scoring

**Calculate CVSS v3.1 Score:**

**Base Metrics:**

1. **Attack Vector (AV)**:
   - Network (N): 0.85
   - Adjacent (A): 0.62
   - Local (L): 0.55
   - Physical (P): 0.2

2. **Attack Complexity (AC)**:
   - Low (L): 0.77
   - High (H): 0.44

3. **Privileges Required (PR)**:
   - None (N): 0.85
   - Low (L): 0.62 (0.68 if scope changed)
   - High (H): 0.27 (0.50 if scope changed)

4. **User Interaction (UI)**:
   - None (N): 0.85
   - Required (R): 0.62

5. **Scope (S)**:
   - Unchanged (U)
   - Changed (C)

6. **Confidentiality Impact (C)**:
   - None (N): 0.0
   - Low (L): 0.22
   - High (H): 0.56

7. **Integrity Impact (I)**:
   - None (N): 0.0
   - Low (L): 0.22
   - High (H): 0.56

8. **Availability Impact (A)**:
   - None (N): 0.0
   - Low (L): 0.22
   - High (H): 0.56

**CVSS Score Ranges:**
- 0.0: None
- 0.1-3.9: Low
- 4.0-6.9: Medium
- 7.0-8.9: High
- 9.0-10.0: Critical

**Example CVSS Vector:**
```
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8 (Critical)
```

**Use CVSS Calculator:**
```bash
# If available, use online calculator:
# https://www.first.org/cvss/calculator/3.1
```

**Deliverable:** CVSS score and vector for each vulnerability

---

### 5. Risk Prioritization

**Risk Matrix:**

| Severity | Exploitability | Priority | SLA |
|----------|---------------|----------|-----|
| Critical | Easy | P0 | 24 hours |
| Critical | Medium | P0 | 24 hours |
| Critical | Hard | P1 | 7 days |
| High | Easy | P0 | 24 hours |
| High | Medium | P1 | 7 days |
| High | Hard | P2 | 30 days |
| Medium | Easy | P2 | 30 days |
| Medium | Medium | P2 | 30 days |
| Medium | Hard | P3 | 90 days |
| Low | Any | P3 | 90 days |

**Priority Definitions:**
- **P0**: Emergency - Fix immediately
- **P1**: Urgent - Fix this week
- **P2**: Important - Fix this month
- **P3**: Normal - Schedule for next release

**Additional Risk Factors:**
- Publicly disclosed vulnerability
- Active exploitation in the wild
- Compliance requirements (PCI-DSS, HIPAA, GDPR)
- Customer-facing systems
- Access to sensitive data

**Deliverable:** Prioritized vulnerability list with SLAs

---

### 6. Proof of Concept (Safe)

**Demonstrate Impact (Safely):**

**SQL Injection Example:**
```
Input: ' OR '1'='1
Expected: Authentication bypass or data exposure
Actual: [observed behavior]
```

**XSS Example:**
```
Input: <script>alert('XSS')</script>
Expected: Script execution
Actual: [observed behavior]
```

**Path Traversal Example:**
```
Input: ../../etc/passwd
Expected: Access to restricted files
Actual: [observed behavior]
```

**IMPORTANT:**
- Only demonstrate in test/dev environments
- Never exploit production systems
- Use safe payloads (alert, not actual malicious code)
- Document all testing activity
- Get authorization before testing

**Deliverable:** Safe proof of concept for high-priority vulnerabilities

---

### 7. Remediation Strategies

**Provide Fix Recommendations:**

**SQL Injection:**
```python
# VULNERABLE
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

# SECURE
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
```

**Command Injection:**
```python
# VULNERABLE
os.system(f"ping {user_input}")

# SECURE
import subprocess
subprocess.run(["ping", "-c", "1", user_input], check=True)
```

**XSS:**
```javascript
// VULNERABLE
element.innerHTML = userInput;

// SECURE
element.textContent = userInput;
// Or use DOMPurify for HTML
element.innerHTML = DOMPurify.sanitize(userInput);
```

**Weak Cryptography:**
```python
# VULNERABLE
import hashlib
hash = hashlib.md5(password.encode()).hexdigest()

# SECURE
from passlib.hash import argon2
hash = argon2.hash(password)
```

**Insecure Deserialization:**
```python
# VULNERABLE
import pickle
data = pickle.loads(user_data)

# SECURE
import json
data = json.loads(user_data)
```

**Path Traversal:**
```python
# VULNERABLE
with open(f"/uploads/{filename}", 'r') as f:
    content = f.read()

# SECURE
import os
safe_path = os.path.join("/uploads", os.path.basename(filename))
if not safe_path.startswith("/uploads/"):
    raise ValueError("Invalid path")
with open(safe_path, 'r') as f:
    content = f.read()
```

**Remediation Strategy Components:**
1. **Immediate Fix**: Quick patch to mitigate
2. **Proper Fix**: Correct implementation
3. **Verification**: How to test the fix
4. **Prevention**: How to avoid in future
5. **Detection**: How to catch similar issues

**Deliverable:** Detailed remediation guide for each vulnerability

---

### 8. Dependency Vulnerability Assessment

**Assess Third-Party Dependencies:**

**Evaluate CVEs:**
```bash
# Get CVE details
curl https://nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-XXXXX

# Check fix availability
pip show <package-name>
pip index versions <package-name>
```

**Assessment Checklist:**
- [ ] CVE severity (CVSS score)
- [ ] Affected versions
- [ ] Fixed versions available
- [ ] Upgrade path complexity
- [ ] Breaking changes in fix
- [ ] Workarounds available
- [ ] Exploitation likelihood

**Remediation Options:**
1. **Upgrade**: Best option if available
2. **Patch**: Apply security patch
3. **Workaround**: Mitigate without upgrade
4. **Replace**: Use alternative package
5. **Accept Risk**: Document and monitor (rare)

**Example Assessment:**

```markdown
### CVE-2024-12345 - requests package

**Severity**: High (CVSS 7.5)
**Affected**: requests < 2.31.0
**Current Version**: 2.28.0
**Fixed In**: 2.31.0

**Vulnerability**: SSRF via redirect handling

**Exploitability**: Medium
- Requires attacker to control redirect URLs
- Application must follow redirects

**Impact**: High
- Can access internal network resources
- Potential data exfiltration

**Recommendation**: Upgrade to 2.31.0+
**Breaking Changes**: None
**Upgrade Risk**: Low

**Action**: Upgrade immediately (P1)
```

**Deliverable:** Dependency vulnerability assessment with upgrade plan

---

## Assessment Report Format

```markdown
# Vulnerability Assessment Report

**Date**: [YYYY-MM-DD]
**Assessed By**: Vulnerability Assessor
**Scope**: [Application/Component]

## Executive Summary

Total Vulnerabilities: [count]
- Critical: [count] (P0: [count], P1: [count])
- High: [count] (P0: [count], P1: [count], P2: [count])
- Medium: [count]
- Low: [count]

Immediate Actions Required: [count]

## Detailed Assessments

### [Vulnerability ID] - [Title]

**Category**: [OWASP Category]
**Severity**: [Critical/High/Medium/Low]
**CVSS Score**: [score] ([vector])
**Priority**: [P0/P1/P2/P3]
**SLA**: [timeframe]

**Location**: [file:line]

**Description**:
[What is the vulnerability]

**Exploitability**: [Easy/Medium/Hard]
[Rationale for exploitability rating]

**Impact**:
- Confidentiality: [None/Low/High]
- Integrity: [None/Low/High]
- Availability: [None/Low/High]
- Business Impact: [description]

**Proof of Concept**:
```
[Safe PoC]
```

**Remediation**:

*Immediate Mitigation*:
[Quick fix to reduce risk]

*Proper Fix*:
```python
[Code example]
```

*Verification*:
[How to test fix works]

*Prevention*:
[How to avoid in future]

**References**:
- [CWE-XXX]: [link]
- [CVE-YYYY-XXXXX]: [link]
- [Documentation]: [link]

---

## Risk Summary

### P0 - Immediate Action (24h)
1. [Vulnerability 1] - Critical SQL Injection
2. [Vulnerability 2] - Critical Authentication Bypass

### P1 - This Week (7d)
1. [Vulnerability 3] - High XSS
2. [Vulnerability 4] - High IDOR

### P2 - This Month (30d)
[List]

### P3 - Next Release (90d)
[List]

## Remediation Roadmap

**Week 1**:
- Fix P0 items 1-2
- Begin P1 items

**Week 2**:
- Complete P1 items
- Begin P2 items

**Month 2-3**:
- Address P2 and P3 items
- Implement preventive measures

## Metrics

- **Total Risk Reduction**: [estimated %]
- **Estimated Effort**: [hours/days]
- **Dependencies**: [blocking items]

## Conclusion

[Overall assessment and next steps]
```

---

## Best Practices

**Assessment**:
- Use consistent scoring methodology
- Document all assumptions
- Consider environmental factors
- Account for compensating controls
- Review with security team

**Prioritization**:
- Business context matters
- Exploit availability increases priority
- Compliance requirements elevate risk
- Customer data > internal data
- Authentication/authorization issues are critical

**Remediation**:
- Fix root cause, not symptoms
- Defense in depth - multiple controls
- Test fixes thoroughly
- Document changes
- Share lessons learned

**Communication**:
- Be clear and concise
- Avoid fear-mongering
- Provide actionable guidance
- Educate developers
- Track progress

---

## Integration with Security Workflow

**Input**: Security scan results
**Process**: Detailed vulnerability analysis and risk assessment
**Output**: Prioritized remediation roadmap
**Next Step**: OWASP compliance checking or implementation

---

## Remember

- **Context is key**: Same vulnerability has different risk in different contexts
- **Exploitability matters**: Critical vulnerability that's hard to exploit may be lower priority than high vulnerability that's easy to exploit
- **Business impact drives priority**: Focus on what matters to the business
- **Provide solutions**: Don't just identify problems
- **Track to closure**: Ensure fixes are implemented and verified
- **Learn from findings**: Use vulnerabilities to improve secure coding practices

Your goal is to provide actionable security intelligence that enables effective risk-based remediation.