CVSS Scoring System
Purpose and Scope
This document explains how WSHawk implements CVSS v3.1 (Common Vulnerability Scoring System) scoring for standardized vulnerability risk assessment. CVSS scoring is applied to all findings from both offensive testing (vulnerability detection) and defensive validation (security control testing).
For information about specific vulnerability detection modules, see Vulnerability Detection Modules. For defensive validation tests, see Defensive Validation. For report format details, see Report Format and Output.
CVSS v3.1 Overview
WSHawk uses CVSS v3.1 to provide industry-standard severity ratings for all security findings. Each vulnerability or security control failure is assigned a numerical score from 0.0 to 10.0, which is then mapped to a severity level.
Key Characteristics
| Attribute | Value |
| --- | --- |
| Standard Version | CVSS v3.1 |
| Score Range | 0.0 - 10.0 |
| Precision | One decimal place (e.g., 7.5, 9.1) |
| Severity Levels | INFO, LOW, MEDIUM, HIGH, CRITICAL |
| Application Scope | Offensive testing + Defensive validation |
Sources: README.md L18-L29
Severity Level Mapping
WSHawk maps CVSS scores to five severity levels using the CVSS v3.1 qualitative severity rating ranges; the only departure from the specification is the label for 0.0, which CVSS calls None and WSHawk reports as INFO:
Severity Level Definitions
| Severity | Score Range | Description | Action Priority |
| --- | --- | --- | --- |
| CRITICAL | 9.0 - 10.0 | Severe vulnerabilities requiring immediate remediation | Immediate |
| HIGH | 7.0 - 8.9 | Serious security issues requiring urgent attention | Urgent |
| MEDIUM | 4.0 - 6.9 | Moderate vulnerabilities requiring timely fixes | Scheduled |
| LOW | 0.1 - 3.9 | Minor issues with limited impact | Optional |
| INFO | 0.0 | Informational findings, no vulnerability present | None |
Sources: wshawk/defensive_validation.py L35-L46
wshawk/wss_security_validator.py L75-L88
Finding Data Structure
Each security finding in WSHawk includes CVSS scoring as part of a standardized structure:
Example Finding Structure
Sources: wshawk/defensive_validation.py L35-L46
wshawk/wss_security_validator.py L75-L88
CVSS Score Assignment Flow
The following diagram shows how CVSS scores are assigned during vulnerability detection and defensive validation:
Sources: wshawk/defensive_validation.py L27-L46
wshawk/wss_security_validator.py L75-L88
Defensive Validation CVSS Scores
WSHawk's defensive validation modules assign CVSS scores based on the security control being tested:
DNS Exfiltration Prevention Test
| Test Case | Vulnerable Status | Severity | CVSS Score |
| --- | --- | --- | --- |
| XXE-based DNS exfiltration | Control fails | HIGH | 7.5 |
| SSRF-based DNS exfiltration | Control fails | HIGH | 8.2 |
| DNS egress filtering | Control works | INFO | 0.0 |
Sources: wshawk/defensive_validation.py L106-L116
wshawk/defensive_validation.py L154-L162
Bot Detection Validation Test
| Test Case | Vulnerable Status | Severity | CVSS Score |
| --- | --- | --- | --- |
| Basic headless detection fails | Bot not detected | MEDIUM | 5.3 |
| Evasion resistance fails | Bot evades detection | HIGH | 7.8 |
| Bot successfully detected | Control works | INFO | 0.0 |
Sources: wshawk/defensive_validation.py L252-L260
wshawk/defensive_validation.py L320-L328
CSWSH (Cross-Site WebSocket Hijacking) Test
| Test Case | Vulnerable Status | Severity | CVSS Score |
| --- | --- | --- | --- |
| Origin header not validated | Accepts malicious origins | CRITICAL | 9.1 |
| CSRF token not required | Missing CSRF protection | HIGH | 7.5 |
| Origin validation enforced | Control works | INFO | 0.0 |
Sources: wshawk/defensive_validation.py L409-L418
wshawk/defensive_validation.py L445-L453
WSS Protocol Security Validation
| Test Case | Vulnerable Status | Severity | CVSS Score |
| --- | --- | --- | --- |
| Deprecated TLS versions supported | TLS 1.0/1.1/SSLv3 enabled | CRITICAL | 9.8 |
| Weak cipher suites | RC4/DES/3DES enabled | HIGH | 7.5 |
| Missing forward secrecy | No ECDHE/DHE ciphers | MEDIUM | 5.3 |
| Certificate expired | Past expiration date | HIGH | 7.5 |
| Self-signed certificate | No trusted CA | MEDIUM | 5.3 |
| Certificate chain invalid | Missing intermediates | HIGH | 7.5 |
Sources: wshawk/wss_security_validator.py L126-L137
wshawk/wss_security_validator.py L182-L198
wshawk/wss_security_validator.py L202-L213
wshawk/wss_security_validator.py L268-L276
wshawk/wss_security_validator.py L284-L295
wshawk/wss_security_validator.py L341-L351
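The following block shows how observed handshake facts turn into findings carrying the scores in the WSS table above. It is an added example, not WSHawk's own code: the test names, severities and scores come from the table, while the TlsFacts record, the function names and the sample handshakes are this example's own assumptions (the protocol version strings are the ones Python's ssl.SSLSocket.version() returns). It also handles the one case a naive cipher-name check gets wrong: TLS 1.3 suite names carry no ECDHE/DHE prefix even though every TLS 1.3 handshake is forward secret.

```python
"""Classify observed TLS facts into WSS findings with the page's CVSS scores.

Added example; it is not WSHawk's own code. Test names, severities and scores
follow the WSS Protocol Security Validation table. The TlsFacts record, the
function names and the constructed sample handshakes are assumptions of this
example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

DEPRECATED_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}
# RC4, single DES and 3DES (OpenSSL spells 3DES as DES-CBC3).
WEAK_CIPHER_RE = re.compile(r"RC4|DES", re.IGNORECASE)
# Ephemeral key exchange in OpenSSL ("ECDHE-...") or IANA ("TLS_ECDHE_...") names;
# static "ECDH-" deliberately does not match.
FORWARD_SECRECY_RE = re.compile(r"(^|_)(ECDHE|DHE)[-_]", re.IGNORECASE)


@dataclass
class TlsFacts:
    version: str            # negotiated protocol, e.g. "TLSv1.2"
    cipher: str             # negotiated cipher suite name
    not_after: datetime     # certificate expiry, timezone-aware UTC
    self_signed: bool       # issuer == subject and not in the trust store
    chain_complete: bool    # intermediates present so the chain builds to a root


def has_forward_secrecy(facts):
    # Every TLS 1.3 suite uses ephemeral (EC)DHE and the suite name no longer
    # carries the key-exchange prefix, so version alone decides for 1.3.
    if facts.version == "TLSv1.3":
        return True
    return bool(FORWARD_SECRECY_RE.search(facts.cipher))


def classify_tls(facts, now=None):
    """Return finding dicts (test, status, severity, cvss_score, details) in table order."""
    now = now or datetime.now(timezone.utc)
    findings = []

    def add(test, status, severity, score, **details):
        findings.append({"test": test, "status": status, "severity": severity,
                         "cvss_score": score, "details": details})

    if facts.version in DEPRECATED_VERSIONS:
        add("Deprecated TLS versions supported", f"{facts.version} enabled",
            "CRITICAL", 9.8, version=facts.version)
    if WEAK_CIPHER_RE.search(facts.cipher):
        add("Weak cipher suites", f"{facts.cipher} enabled", "HIGH", 7.5,
            cipher=facts.cipher)
    if not has_forward_secrecy(facts):
        add("Missing forward secrecy", "No ECDHE/DHE ciphers", "MEDIUM", 5.3,
            cipher=facts.cipher)
    if facts.not_after <= now:
        add("Certificate expired", "Past expiration date", "HIGH", 7.5,
            not_after=facts.not_after.isoformat())
    if facts.self_signed:
        add("Self-signed certificate", "No trusted CA", "MEDIUM", 5.3)
    if not facts.chain_complete:
        add("Certificate chain invalid", "Missing intermediates", "HIGH", 7.5)
    if not findings:
        add("WSS protocol security", "Control works", "INFO", 0.0)
    return findings


def highest_score(findings):
    return max(f["cvss_score"] for f in findings)


# Constructed sample handshakes for this example; not captured from any real endpoint.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
LEGACY = TlsFacts("TLSv1", "RC4-SHA", datetime(2024, 6, 1, tzinfo=timezone.utc),
                  self_signed=True, chain_complete=False)
RSA_KEY_EXCHANGE = TlsFacts("TLSv1.2", "AES128-GCM-SHA256",
                            datetime(2026, 1, 1, tzinfo=timezone.utc),
                            self_signed=False, chain_complete=True)
MODERN = TlsFacts("TLSv1.3", "TLS_AES_128_GCM_SHA256",
                  datetime(2026, 1, 1, tzinfo=timezone.utc),
                  self_signed=False, chain_complete=True)

if __name__ == "__main__":
    for name, facts in (("legacy", LEGACY), ("rsa-kx", RSA_KEY_EXCHANGE), ("modern", MODERN)):
        found = classify_tls(facts, now=NOW)
        print(name, highest_score(found), [f["test"] for f in found])
```

Pass a fixed `now` when scoring captured handshakes so that expiry findings are reproducible in a report; the RSA_KEY_EXCHANGE sample shows that a current TLS 1.2 endpoint with no other weakness still earns the 5.3 forward-secrecy finding.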
CVSS Implementation in Code
The CVSS scoring system is implemented through the add_finding method pattern used across all testing modules:
Base Implementation: DefensiveValidationModule
The base class provides the add_finding method for standardized CVSS scoring:
Sources: wshawk/defensive_validation.py L35-L46
Extended Implementation: WSSSecurityValidator
The WSS validator extends the pattern with an additional details field that carries test-specific data alongside the score:
Sources: wshawk/wss_security_validator.py L75-L88
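The block below illustrates the add_finding pattern together with the score-to-severity mapping from the Severity Level Definitions table. It is an added example, not WSHawk's own code: the bands come from that table and the finding fields (test, status, severity, cvss_score, details) follow the structure this page describes, but the class, function and variable names are this example's own. Its add_finding refuses a severity label that disagrees with the score band, which is the drift a hand-assigned score table is most exposed to.

```python
"""Score-to-severity mapping and a band-consistent add_finding.

Added example, not WSHawk's own code. Bands follow the Severity Level
Definitions table; names of the class, functions and variables are this
example's own. DOCUMENTED_SCORES is constructed from the tables on this page.
"""
from dataclasses import dataclass, field

SEVERITY_ORDER = ("INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL")
# Lower bound (inclusive) of each band above INFO, checked highest first.
SEVERITY_BANDS = ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (0.1, "LOW"))


def severity_for_score(score):
    """Map a CVSS v3.1 score (0.0 - 10.0) to one of WSHawk's five labels."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    score = round(score, 1)          # scores carry exactly one decimal place
    for lower, label in SEVERITY_BANDS:
        if score >= lower:
            return label
    return "INFO"                    # 0.0: control works, no vulnerability


@dataclass
class Finding:
    test: str
    status: str
    severity: str
    cvss_score: float
    details: dict = field(default_factory=dict)


class ValidationModule:
    """Minimal stand-in for a module that records findings via add_finding."""

    def __init__(self):
        self.findings = []

    def add_finding(self, test, status, severity, cvss_score, details=None):
        # Refuse a label that disagrees with the score band, so a module cannot
        # record e.g. ("HIGH", 9.1) and skew report sorting and triage.
        expected = severity_for_score(cvss_score)
        if severity != expected:
            raise ValueError(
                f"{test}: severity {severity} does not match score {cvss_score} ({expected})")
        finding = Finding(test, status, severity, round(cvss_score, 1), details or {})
        self.findings.append(finding)
        return finding

    def max_severity(self):
        if not self.findings:
            return "INFO"
        return max((f.severity for f in self.findings), key=SEVERITY_ORDER.index)


# Constructed from the per-test tables on this page: (test, severity, score).
DOCUMENTED_SCORES = (
    ("Origin header not validated", "CRITICAL", 9.1),
    ("CSRF token not required", "HIGH", 7.5),
    ("Deprecated TLS versions supported", "CRITICAL", 9.8),
    ("Weak cipher suites", "HIGH", 7.5),
    ("Missing forward secrecy", "MEDIUM", 5.3),
    ("Certificate expired", "HIGH", 7.5),
    ("Self-signed certificate", "MEDIUM", 5.3),
    ("Certificate chain invalid", "HIGH", 7.5),
    ("XXE-based DNS exfiltration", "HIGH", 7.5),
    ("SSRF-based DNS exfiltration", "HIGH", 8.2),
    ("Basic headless detection fails", "MEDIUM", 5.3),
    ("Evasion resistance fails", "HIGH", 7.8),
    ("Control works", "INFO", 0.0),
)


def audit_documented_scores(rows=DOCUMENTED_SCORES):
    """Return the rows whose label is not the one the score band implies."""
    return [(t, s, sc) for t, s, sc in rows if severity_for_score(sc) != s]


if __name__ == "__main__":
    module = ValidationModule()
    for test, severity, score in DOCUMENTED_SCORES:
        module.add_finding(test, "constructed", severity, score)
    print("highest:", module.max_severity(), "mismatches:", audit_documented_scores())
```

Running audit_documented_scores over the page's tables returns no rows, i.e. every fixed (severity, score) pair on this page sits in the band its score implies; the same check run at add_finding time catches a future edit that changes one half of a pair.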
CVSS Score Categories by Test Type
The following table summarizes typical CVSS score ranges for different test categories:
| Test Category | Vulnerability Type | Typical CVSS Range | Typical Severity |
| --- | --- | --- | --- |
| CSWSH | Missing Origin validation | 9.0 - 9.1 | CRITICAL |
| CSWSH | Missing CSRF token | 7.5 | HIGH |
| WSS Protocol | Deprecated TLS versions | 9.8 | CRITICAL |
| WSS Protocol | Weak cipher suites | 7.5 | HIGH |
| WSS Protocol | Certificate issues | 5.3 - 7.5 | MEDIUM - HIGH |
| DNS Exfiltration | Egress filtering bypass | 7.5 - 8.2 | HIGH |
| Bot Detection | Evasion resistance failure | 7.8 | HIGH |
| Bot Detection | Basic detection failure | 5.3 | MEDIUM |
Sources: wshawk/defensive_validation.py L106-L162
wshawk/defensive_validation.py L252-L328
wshawk/defensive_validation.py L409-L453
wshawk/wss_security_validator.py L126-L351
Report Integration
CVSS scores are integrated into WSHawk's HTML reports and console output:
Console Output Example
Sources: wshawk/defensive_validation.py L539-L555
wshawk/wss_security_validator.py L444-L460
CVSS Assignment Guidelines
WSHawk assigns CVSS scores based on the following factors:
Impact Assessment
Common Score Assignments
| Vulnerability Pattern | CVSS Score | Reasoning |
| --- | --- | --- |
| No Origin validation (CSWSH) | 9.1 | No authentication required, session hijacking possible, high impact |
| Deprecated TLS (SSLv3, TLS 1.0) | 9.8 | Known cryptographic weaknesses, MITM attacks, complete confidentiality loss |
| DNS exfiltration possible | 7.5 - 8.2 | Data exfiltration channel, APT-style attacks, requires vulnerable endpoint |
| Weak cipher suites | 7.5 | Cryptographic weaknesses, potential decryption, requires MITM position |
| Missing CSRF token | 7.5 | State-changing actions possible, requires user interaction |
| Bot detection bypass | 7.8 | Automated attacks possible, credential stuffing, account takeover |
| Self-signed certificate | 5.3 | Trust validation issues, potential MITM, requires network position |
| Basic bot detection failure | 5.3 | Basic automation possible, requires additional controls for full attack |
Sources: wshawk/defensive_validation.py L106-L453
wshawk/wss_security_validator.py L126-L351
References and Standards
WSHawk's CVSS implementation follows:
- CVSS v3.1 Specification (published by FIRST): Industry-standard vulnerability scoring system
- OWASP Guidelines: Web application security best practices
- NIST Guidelines: Cryptographic standards and TLS recommendations
For detailed vulnerability detection implementation, see Vulnerability Detection Modules.
For defensive testing specifics, see Defensive Validation.
For report generation, see Report Format and Output.
Sources: README.md L18-L29