Report Penetration Test: Example of Prioritizing (en)
To provide suitable recommendations for an IT team related to security vulnerability fixes, risk prioritization is based on the severity level of each vulnerability. The severity level is calculated using the Common Vulnerability Scoring System (CVSS), which considers the impact and probability of exploitation for each vulnerability.
Risk Categories
The vulnerabilities found in this security testing have been categorized into four main risk categories, based on the CVSS score:
- High Risk (Tinggi): CVSS Score > 7.0
- Vulnerabilities with high risk should be the top priority to fix because they can be easily exploited and cause serious damage, such as data breaches, escalated access, or
unauthorized access to internal systems.
- Example Vulnerability**: SQL Injection found in the `/login.php` endpoint allows attackers to execute a malicious database query to steal user credentials or gain
administrative access to the application.
- Medium Risk (Sedang): CVSS Score between 4.0 and 7.0
- Vulnerabilities with medium risk can be exploited by attackers, but require certain conditions or technical expertise to exploit. Although they are not as critical, they still
need to be fixed to prevent potential escalation of attacks.
- Example Vulnerability**: Cross-Site Scripting (XSS) found in a search form allows script injection into the web application.
- Low Risk (Rendah): CVSS Score < 4.0
- Vulnerabilities with low risk usually require specific conditions to be exploited or have limited impact on systems and data. Fixing these vulnerabilities can be prioritized
after fixing high-risk and medium-risk ones are completed.
- Example Vulnerability**: Excessive server configuration information displayed in the `500` error page.
- Informational
- Some findings are more informative recommendations for best security practices, and are not considered direct threats. These recommendations can be implemented according to
available resources.
- Example Finding**: The web server does not block rarely used HTTP methods such as `TRACE` or `OPTIONS`.
Example Prioritization Table
Here is a table summarizing the findings based on their risk levels:
| No | Vulnerability | Location | Risk Level | CVSS Score | Recommendation for Fix | Deadline for Fix |
|---|---|---|---|---|---|---|
| 1 | SQL Injection | `/login.php` | High | 9.0 | Validate input and use ORM | 1 Week |
| 2 | XSS (Cross-Site Scripting) | `/search.php` | Medium | 6.5 | Escape output and filter input | 2 Weeks |
| 3 | Information Disclosure | Halaman error `500` | Low | 2.5 | Hide server details in logs | 4 Weeks |
| 4 | Unsecure HTTP Methods | Konfigurasi server | Informational | N/A | Disable TRACE/OPTIONS methods | N/A |
Mitigation and Implementation Strategies
After conducting risk assessment, the following mitigation strategies are recommended:
- High Priority: Immediately patch and update systems for vulnerabilities with high risk. Ideally, this should be done within 1 week to prevent further exploitation.
- Medium Priority: Implement fixes for vulnerabilities with medium risk within 2 weeks. Ensure that no gaps can be combined with other vulnerabilities to increase the risk
level.
- Low and Informational Priorities: Fix these vulnerabilities gradually by using patches or system configuration improvements. Focus on improving security settings and
preventing future attacks.
Conclusion
Determining vulnerability priority based on severity is designed to maximize the use of security resources efficiently, focusing primarily on vulnerabilities with the greatest potential impact on system security. Implementing recommended fixes will increase security posture and reduce the risk of future attacks.