CVSS Scoring System
CVSS Scoring System
The following files were used as context for generating this wiki page:
Purpose and Scope
This document explains how WSHawk implements CVSS v3.1 (Common Vulnerability Scoring System) scoring for standardized vulnerability risk assessment. CVSS scoring is applied to all findings from both offensive testing (vulnerability detection) and defensive validation (security control testing).
For information about specific vulnerability detection modules, see Vulnerability Detection Modules. For defensive validation tests, see Defensive Validation. For report format details, see Report Format and Output.
CVSS v3.1 Overview
WSHawk uses CVSS v3.1 to provide industry-standard severity ratings for all security findings. Each vulnerability or security control failure is assigned a numerical score from 0.0 to 10.0, which is then mapped to a severity level.
Key Characteristics
| Attribute | Value | |-----------|-------| | Standard Version | CVSS v3.1 | | Score Range | 0.0 - 10.0 | | Precision | One decimal place (e.g., 7.5, 9.1) | | Severity Levels | INFO, LOW, MEDIUM, HIGH, CRITICAL | | Application Scope | Offensive testing + Defensive validation |
Sources: README.md:18-29, README.md:109-117, CHANGELOG.md:27
Severity Level Mapping
WSHawk maps CVSS scores to five severity levels following industry-standard ranges:
graph LR
subgraph "CVSS Score Ranges"
Score0["0.0"] --> Info["INFO<br/>No vulnerability"]
Score1["0.1-3.9"] --> Low["LOW<br/>Minor impact"]
Score4["4.0-6.9"] --> Medium["MEDIUM<br/>Moderate impact"]
Score7["7.0-8.9"] --> High["HIGH<br/>Serious impact"]
Score9["9.0-10.0"] --> Critical["CRITICAL<br/>Severe impact"]
end
style Info fill:#fff
style Low fill:#fff
style Medium fill:#fff
style High fill:#fff
style Critical fill:#fff
Severity Level Definitions
| Severity | Score Range | Description | Action Priority | |----------|-------------|-------------|-----------------| | CRITICAL | 9.0 - 10.0 | Severe vulnerabilities requiring immediate remediation | Immediate | | HIGH | 7.0 - 8.9 | Serious security issues requiring urgent attention | Urgent | | MEDIUM | 4.0 - 6.9 | Moderate vulnerabilities requiring timely fixes | Scheduled | | LOW | 0.1 - 3.9 | Minor issues with limited impact | Optional | | INFO | 0.0 | Informational findings, no vulnerability present | None |
Sources: wshawk/defensive_validation.py:35-46, wshawk/wss_security_validator.py:75-88
Finding Data Structure
Each security finding in WSHawk includes CVSS scoring as part of a standardized structure:
graph TB
subgraph "Finding Object Structure"
Finding["Finding Dictionary"]
Finding --> Test["test: str<br/>Test name identifier"]
Finding --> Vulnerable["vulnerable: bool<br/>True if issue found"]
Finding --> Severity["severity: str<br/>CRITICAL/HIGH/MEDIUM/LOW/INFO"]
Finding --> Description["description: str<br/>Issue description"]
Finding --> Recommendation["recommendation: str<br/>Remediation guidance"]
Finding --> CVSS["cvss: float<br/>CVSS v3.1 score (0.0-10.0)"]
Finding --> Timestamp["timestamp: float<br/>Unix timestamp"]
Finding --> Details["details: Dict (optional)<br/>Additional metadata"]
end
style Finding fill:#fff
style CVSS fill:#fff
Example Finding Structure
{
'test': 'CSWSH - Origin Header Validation',
'vulnerable': True,
'severity': 'CRITICAL',
'description': 'Server accepts WebSocket connections from untrusted origins',
'recommendation': 'Implement Origin header validation immediately',
'cvss': 9.1,
'timestamp': 1702345678.90,
'details': {'vulnerable_origins': ['https://evil.com', 'null']}
}
Sources: wshawk/defensive_validation.py:35-46, wshawk/wss_security_validator.py:75-88
CVSS Score Assignment Flow
The following diagram shows how CVSS scores are assigned during vulnerability detection and defensive validation:
flowchart TB
subgraph "Offensive Testing Path"
VulnTest["Vulnerability Test<br/>SQL/XSS/XXE/SSRF/etc"]
VulnDetect["Vulnerability Detected"]
VulnType["Determine Vulnerability Type"]
OffensiveScore["Assign CVSS Score<br/>Based on vulnerability category"]
end
subgraph "Defensive Validation Path"
DefTest["Defensive Test<br/>DNS/Bot/CSWSH/WSS"]
DefResult["Security Control Result"]
DefImpact["Assess Impact<br/>Control failure severity"]
DefensiveScore["Assign CVSS Score<br/>Based on control type"]
end
subgraph "Common Scoring Pipeline"
AddFinding["add_finding() method"]
FindingStore["findings[] list"]
Report["HTML Report Generation"]
end
VulnTest --> VulnDetect
VulnDetect --> VulnType
VulnType --> OffensiveScore
OffensiveScore --> AddFinding
DefTest --> DefResult
DefResult --> DefImpact
DefImpact --> DefensiveScore
DefensiveScore --> AddFinding
AddFinding --> FindingStore
FindingStore --> Report
style AddFinding fill:#fff
style Report fill:#fff
Sources: wshawk/defensive_validation.py:27-46, wshawk/wss_security_validator.py:75-88
Defensive Validation CVSS Scores
WSHawk's defensive validation modules assign CVSS scores based on the security control being tested:
DNS Exfiltration Prevention Test
| Test Case | Vulnerable Status | Severity | CVSS Score | |-----------|------------------|----------|------------| | XXE-based DNS exfiltration | Control fails | HIGH | 7.5 | | SSRF-based DNS exfiltration | Control fails | HIGH | 8.2 | | DNS egress filtering | Control works | INFO | 0.0 |
# Example from DNSExfiltrationTest
self.add_finding(
test_name="DNS Exfiltration Prevention",
vulnerable=True,
severity="HIGH",
description=f"DNS-based data exfiltration is possible",
recommendation="Implement DNS egress filtering",
cvss=7.5
)
Sources: wshawk/defensive_validation.py:106-116, wshawk/defensive_validation.py:154-162
Bot Detection Validation Test
| Test Case | Vulnerable Status | Severity | CVSS Score | |-----------|------------------|----------|------------| | Basic headless detection fails | Bot not detected | MEDIUM | 5.3 | | Evasion resistance fails | Bot evades detection | HIGH | 7.8 | | Bot successfully detected | Control works | INFO | 0.0 |
Sources: wshawk/defensive_validation.py:252-260, wshawk/defensive_validation.py:320-328
CSWSH (Cross-Site WebSocket Hijacking) Test
| Test Case | Vulnerable Status | Severity | CVSS Score | |-----------|------------------|----------|------------| | Origin header not validated | Accepts malicious origins | CRITICAL | 9.1 | | CSRF token not required | Missing CSRF protection | HIGH | 7.5 | | Origin validation enforced | Control works | INFO | 0.0 |
Sources: wshawk/defensive_validation.py:409-418, wshawk/defensive_validation.py:445-453
WSS Protocol Security Validation
| Test Case | Vulnerable Status | Severity | CVSS Score | |-----------|------------------|----------|------------| | Deprecated TLS versions supported | TLS 1.0/1.1/SSLv3 enabled | CRITICAL | 9.8 | | Weak cipher suites | RC4/DES/3DES enabled | HIGH | 7.5 | | Missing forward secrecy | No ECDHE/DHE ciphers | MEDIUM | 5.3 | | Certificate expired | Past expiration date | HIGH | 7.5 | | Self-signed certificate | No trusted CA | MEDIUM | 5.3 | | Certificate chain invalid | Missing intermediates | HIGH | 7.5 |
Sources: wshawk/wss_security_validator.py:126-137, wshawk/wss_security_validator.py:182-198, wshawk/wss_security_validator.py:202-213, wshawk/wss_security_validator.py:268-276, wshawk/wss_security_validator.py:284-295, wshawk/wss_security_validator.py:341-351
CVSS Implementation in Code
The CVSS scoring system is implemented through the add_finding method pattern used across all testing modules:
classDiagram
class DefensiveValidationModule {
+str target_url
+str oast_domain
+List findings
+add_finding(test_name, vulnerable, severity, description, recommendation, cvss, details)
}
class DNSExfiltrationTest {
+add_finding()
+test_dns_exfiltration_via_xxe()
+test_dns_exfiltration_via_ssrf()
}
class BotDetectionValidator {
+add_finding()
+test_basic_headless_detection()
+test_evasion_resistance()
}
class CSWSHValidator {
+add_finding()
+test_origin_validation()
+test_csrf_token_requirement()
}
class WSSSecurityValidator {
+List findings
+add_finding(test_name, vulnerable, severity, description, recommendation, cvss, details)
+test_tls_version_support()
+test_cipher_suites()
+test_certificate_signature_algorithm()
}
DefensiveValidationModule <|-- DNSExfiltrationTest
DefensiveValidationModule <|-- BotDetectionValidator
DefensiveValidationModule <|-- CSWSHValidator
style DefensiveValidationModule fill:#fff
style WSSSecurityValidator fill:#fff
Base Implementation: DefensiveValidationModule
The base class provides the add_finding method for standardized CVSS scoring:
def add_finding(self, test_name: str, vulnerable: bool, severity: str,
description: str, recommendation: str, cvss: float = 0.0):
"""Add a defensive validation finding"""
self.findings.append({
'test': test_name,
'vulnerable': vulnerable,
'severity': severity,
'description': description,
'recommendation': recommendation,
'cvss': cvss,
'timestamp': time.time()
})
Sources: wshawk/defensive_validation.py:35-46
Extended Implementation: WSSSecurityValidator
The WSS validator extends the pattern with additional details field:
def add_finding(self, test_name: str, vulnerable: bool, severity: str,
description: str, recommendation: str, cvss: float = 0.0,
details: Optional[Dict] = None):
"""Add a security finding"""
finding = {
'test': test_name,
'vulnerable': vulnerable,
'severity': severity,
'description': description,
'recommendation': recommendation,
'cvss': cvss,
'details': details or {}
}
self.findings.append(finding)
Sources: wshawk/wss_security_validator.py:75-88
CVSS Score Categories by Test Type
The following table summarizes typical CVSS score ranges for different test categories:
| Test Category | Vulnerability Type | Typical CVSS Range | Typical Severity | |---------------|-------------------|-------------------|------------------| | CSWSH | Missing Origin validation | 9.0 - 9.1 | CRITICAL | | CSWSH | Missing CSRF token | 7.5 | HIGH | | WSS Protocol | Deprecated TLS versions | 9.8 | CRITICAL | | WSS Protocol | Weak cipher suites | 7.5 | HIGH | | WSS Protocol | Certificate issues | 5.3 - 7.5 | MEDIUM - HIGH | | DNS Exfiltration | Egress filtering bypass | 7.5 - 8.2 | HIGH | | Bot Detection | Evasion resistance failure | 7.8 | HIGH | | Bot Detection | Basic detection failure | 5.3 | MEDIUM |
Sources: wshawk/defensive_validation.py:106-162, wshawk/defensive_validation.py:252-328, wshawk/defensive_validation.py:409-453, wshawk/wss_security_validator.py:126-351
Report Integration
CVSS scores are integrated into WSHawk's HTML reports and console output:
flowchart LR
subgraph "Data Collection"
Tests["Test Execution"]
Findings["findings[] array"]
end
subgraph "Score Aggregation"
Critical["Count CRITICAL<br/>9.0-10.0"]
High["Count HIGH<br/>7.0-8.9"]
Medium["Count MEDIUM<br/>4.0-6.9"]
Low["Count LOW<br/>0.1-3.9"]
end
subgraph "Output Generation"
Console["Console Summary<br/>Severity counts + CVSS"]
HTML["HTML Report<br/>wshawk_report_*.html"]
end
Tests --> Findings
Findings --> Critical
Findings --> High
Findings --> Medium
Findings --> Low
Critical --> Console
High --> Console
Medium --> Console
Low --> Console
Critical --> HTML
High --> HTML
Medium --> HTML
Low --> HTML
style Findings fill:#fff
style HTML fill:#fff
Console Output Example
# Severity counting logic
critical = sum(1 for f in all_findings if f['severity'] == 'CRITICAL')
high = sum(1 for f in all_findings if f['severity'] == 'HIGH')
medium = sum(1 for f in all_findings if f['severity'] == 'MEDIUM')
print(f"Findings:")
print(f" CRITICAL: {critical}")
print(f" HIGH: {high}")
print(f" MEDIUM: {medium}")
# Individual finding output
for finding in all_findings:
if finding['vulnerable']:
print(f"\n[{finding['severity']}] {finding['test']}")
print(f" Description: {finding['description']}")
print(f" Recommendation: {finding['recommendation']}")
if finding.get('cvss'):
print(f" CVSS: {finding['cvss']}")
Sources: wshawk/defensive_validation.py:539-555, wshawk/wss_security_validator.py:444-460
CVSS Assignment Guidelines
WSHawk assigns CVSS scores based on the following factors:
Impact Assessment
graph TB
subgraph "Impact Factors"
Factor1["Attack Complexity<br/>Easy vs Complex"]
Factor2["Privileges Required<br/>None vs User vs Admin"]
Factor3["User Interaction<br/>None vs Required"]
Factor4["Confidentiality Impact<br/>None vs Low vs High"]
Factor5["Integrity Impact<br/>None vs Low vs High"]
Factor6["Availability Impact<br/>None vs Low vs High"]
end
subgraph "Score Determination"
Factor1 --> Score["CVSS Score<br/>0.0 - 10.0"]
Factor2 --> Score
Factor3 --> Score
Factor4 --> Score
Factor5 --> Score
Factor6 --> Score
end
Score --> Severity["Severity Level<br/>INFO/LOW/MEDIUM/HIGH/CRITICAL"]
style Score fill:#fff
style Severity fill:#fff
Common Score Assignments
| Vulnerability Pattern | CVSS Score | Reasoning | |----------------------|------------|-----------| | No Origin validation (CSWSH) | 9.1 | No authentication required, session hijacking possible, high impact | | Deprecated TLS (SSLv3, TLS 1.0) | 9.8 | Known cryptographic weaknesses, MITM attacks, complete confidentiality loss | | DNS exfiltration possible | 7.5 - 8.2 | Data exfiltration channel, APT-style attacks, requires vulnerable endpoint | | Weak cipher suites | 7.5 | Cryptographic weaknesses, potential decryption, requires MITM position | | Missing CSRF token | 7.5 | State-changing actions possible, requires user interaction | | Bot detection bypass | 7.8 | Automated attacks possible, credential stuffing, account takeover | | Self-signed certificate | 5.3 | Trust validation issues, potential MITM, requires network position | | Basic bot detection failure | 5.3 | Basic automation possible, requires additional controls for full attack |
Sources: wshawk/defensive_validation.py:106-453, wshawk/wss_security_validator.py:126-351
References and Standards
WSHawk's CVSS implementation follows:
- CVSS v3.1 Specification: Industry-standard vulnerability scoring system
- OWASP Guidelines: Web application security best practices
- NIST Guidelines: Cryptographic standards and TLS recommendations
For detailed vulnerability detection implementation, see Vulnerability Detection Modules.
For defensive testing specifics, see Defensive Validation.
For report generation, see Report Format and Output.
Sources: README.md:18-29, CHANGELOG.md:27, wshawk/defensive_validation.py:1-558, wshawk/wss_security_validator.py:1-475