Agent skill

performing-web-application-vulnerability-triage

Triage web application vulnerability findings from DAST/SAST scanners using OWASP risk rating methodology to separate true positives from false positives and prioritize remediation.

View SKILL.md on GitHub Repository
Stars 0
Forks 0

Install this agent skill to your Project

npx add-skill https://github.com/autohandai/community-skills/tree/main/performing-web-application-vulnerability-triage

SKILL.md

Performing Web Application Vulnerability Triage

Overview

Web application vulnerability triage is the process of reviewing findings from DAST (Dynamic Application Security Testing) and SAST (Static Application Security Testing) tools to validate true positives, dismiss false positives, assign risk ratings using the OWASP Risk Rating Methodology, and prioritize remediation. Effective triage reduces alert fatigue and focuses development teams on the vulnerabilities that matter most.

Prerequisites

  • DAST scan results (OWASP ZAP, Burp Suite, Acunetix)
  • SAST scan results (Semgrep, SonarQube, Checkmarx, Snyk Code)
  • Python 3.9+ with requests, beautifulsoup4
  • Burp Suite Professional or OWASP ZAP for manual validation
  • DefectDojo or similar for finding management

OWASP Risk Rating Methodology

Risk Calculation

Risk = Likelihood x Impact

Likelihood Factors (0-9 scale)

Factor Group Factor Description
Threat Agent Skill Level How technically skilled is the attacker?
Threat Agent Motive How motivated is the attacker?
Threat Agent Opportunity What resources/access are needed?
Threat Agent Size How large is the potential threat agent group?
Vulnerability Ease of Discovery How easy is it to find the vulnerability?
Vulnerability Ease of Exploit How easy is it to exploit?
Vulnerability Awareness How well known is the vulnerability?
Vulnerability Intrusion Detection How likely is exploitation to be detected?

Impact Factors (0-9 scale)

Factor Group Factor Description
Technical Confidentiality How much data could be disclosed?
Technical Integrity How much data could be corrupted?
Technical Availability How much service could be lost?
Technical Accountability Can actions be traced to attacker?
Business Financial Damage Revenue loss, regulatory fines
Business Reputation Damage Brand trust erosion
Business Non-compliance Regulatory violation exposure
Business Privacy Violation PII/PHI exposure volume

Risk Matrix

Low Impact (0-3) Medium Impact (3-6) High Impact (6-9)
High Likelihood (6-9) Medium High Critical
Medium Likelihood (3-6) Low Medium High
Low Likelihood (0-3) Note Low Medium

Triage Process

Step 1: Categorize by OWASP Top 10

python
OWASP_TOP_10_2021 = {
    "A01": "Broken Access Control",
    "A02": "Cryptographic Failures",
    "A03": "Injection",
    "A04": "Insecure Design",
    "A05": "Security Misconfiguration",
    "A06": "Vulnerable and Outdated Components",
    "A07": "Identification and Authentication Failures",
    "A08": "Software and Data Integrity Failures",
    "A09": "Security Logging and Monitoring Failures",
    "A10": "Server-Side Request Forgery",
}

CWE_TO_OWASP = {
    "CWE-79": "A03",   # XSS -> Injection
    "CWE-89": "A03",   # SQL Injection
    "CWE-78": "A03",   # OS Command Injection
    "CWE-352": "A01",  # CSRF -> Access Control
    "CWE-22": "A01",   # Path Traversal
    "CWE-200": "A02",  # Information Exposure
    "CWE-327": "A02",  # Weak Cryptography
    "CWE-287": "A07",  # Authentication Issues
    "CWE-918": "A10",  # SSRF
    "CWE-502": "A08",  # Deserialization
    "CWE-611": "A05",  # XXE -> Misconfiguration
}

Step 2: Validate True vs False Positives

python
def triage_finding(finding):
    """Classify finding as true_positive, false_positive, or needs_review."""
    fp_indicators = [
        "Content-Security-Policy header not set",  # Often informational
        "X-Content-Type-Options header missing",    # Low severity header
        "Cookie without SameSite attribute",        # Context dependent
    ]

    for indicator in fp_indicators:
        if indicator.lower() in finding.get("title", "").lower():
            if finding.get("severity", "").lower() in ("info", "low"):
                return "false_positive", "Common informational finding"

    # Check for confirmed exploitation evidence
    if finding.get("evidence") and finding.get("confidence", "").lower() == "certain":
        return "true_positive", "Scanner confirmed exploitation"

    # SAST findings need manual code review
    if finding.get("source") == "sast":
        if finding.get("cwe") in ["CWE-89", "CWE-78", "CWE-79"]:
            return "needs_review", "Injection finding requires manual code review"

    return "needs_review", "Requires manual validation"

Step 3: Risk Score Calculation

python
def calculate_risk_score(finding, app_context):
    """Calculate OWASP risk rating for a web application finding."""
    # Likelihood factors
    likelihood = {
        "skill_level": 6 if finding["cwe"] in ["CWE-89", "CWE-79"] else 4,
        "motive": 7,  # Financial gain
        "opportunity": 7 if finding.get("authenticated") == False else 4,
        "size": 9 if finding.get("internet_facing") else 4,
        "ease_of_discovery": 8 if finding.get("scanner_detected") else 5,
        "ease_of_exploit": 7 if finding.get("exploit_available") else 4,
        "awareness": 6,
        "intrusion_detection": 3 if app_context.get("waf_enabled") else 8,
    }

    # Impact factors
    impact = {
        "confidentiality": 9 if "data_exposure" in finding.get("tags", []) else 5,
        "integrity": 9 if finding["cwe"] in ["CWE-89", "CWE-78"] else 4,
        "availability": 7 if "dos" in finding.get("tags", []) else 2,
        "accountability": 3 if app_context.get("logging_enabled") else 7,
        "financial": 7 if app_context.get("processes_payments") else 3,
        "reputation": 6 if app_context.get("customer_facing") else 2,
        "compliance": 8 if app_context.get("pci_scope") else 3,
        "privacy": 9 if app_context.get("handles_pii") else 2,
    }

    likelihood_score = sum(likelihood.values()) / len(likelihood)
    impact_score = sum(impact.values()) / len(impact)
    risk_score = likelihood_score * impact_score

    if risk_score >= 42:
        risk_level = "Critical"
    elif risk_score >= 24:
        risk_level = "High"
    elif risk_score >= 12:
        risk_level = "Medium"
    elif risk_score >= 3:
        risk_level = "Low"
    else:
        risk_level = "Note"

    return {
        "likelihood_score": round(likelihood_score, 1),
        "impact_score": round(impact_score, 1),
        "risk_score": round(risk_score, 1),
        "risk_level": risk_level,
    }

Step 4: Generate Triage Report

bash
# Process DAST/SAST results through triage pipeline
python3 scripts/process.py \
  --input zap_results.json \
  --format zap \
  --app-context app_config.json \
  --output triage_report.json

Manual Validation Techniques

SQL Injection Validation

# Test parameter with single quote
GET /search?q=test' HTTP/1.1

# Test with boolean-based payload
GET /search?q=test' AND 1=1-- HTTP/1.1
GET /search?q=test' AND 1=2-- HTTP/1.1

# Time-based verification
GET /search?q=test'; WAITFOR DELAY '0:0:5'-- HTTP/1.1

XSS Validation

# Reflected XSS test
GET /search?q=<script>alert(document.domain)</script> HTTP/1.1

# Check if output is encoded
GET /search?q="><img src=x onerror=alert(1)> HTTP/1.1

# DOM-based XSS
GET /page#<img src=x onerror=alert(1)> HTTP/1.1

References

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

autohandai/community-skills

mapping-mitre-attack-techniques

Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.

0 0
Explore
autohandai/community-skills

hunting-for-spearphishing-indicators

Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.

0 0
Explore
autohandai/community-skills

analyzing-malicious-url-with-urlscan

URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat

0 0
Explore
autohandai/community-skills

implementing-zero-standing-privilege-with-cyberark

Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.

0 0
Explore
autohandai/community-skills

implementing-pam-for-database-access

Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia

0 0
Explore
autohandai/community-skills

detecting-t1003-credential-dumping-with-edr

Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.

0 0
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results