Chapter 11 Exercises: Vulnerability Assessment
These exercises build vulnerability assessment skills from conceptual understanding through practical application. They are designed to complement the scanning skills developed in Chapter 10 by adding the critical layers of classification, validation, prioritization, and communication.
⚠️ Authorization Reminder: Only perform vulnerability scanning and assessment activities against systems you own or have explicit written permission to test.
Foundational Exercises
Exercise 11.1: CVE Research and Analysis
Select three of the following CVEs and, for each one, research and document:
- CVE-2021-44228 (Log4Shell)
- CVE-2017-5638 (Apache Struts)
- CVE-2017-0144 (EternalBlue)
- CVE-2021-34527 (PrintNightmare)
- CVE-2023-34362 (MOVEit Transfer)
- CVE-2014-0160 (Heartbleed)
For each selected CVE, document: (a) the CVE description, (b) the CVSS v3.1 base score and vector string, (c) the affected software and versions, (d) the root cause (CWE), (e) whether a public exploit exists, (f) whether it appears on the CISA KEV list, (g) the recommended remediation. Present your findings in a structured table format.
Exercise 11.2: CVSS Scoring Practice
Calculate the CVSS v3.1 base score for each of the following vulnerability scenarios. Show your work by specifying each metric value and explaining your reasoning:
- A SQL injection vulnerability in a public-facing web application that allows an unauthenticated attacker to read the entire database. The web server continues to function normally.
- A local privilege escalation vulnerability in the Linux kernel that requires the attacker to already have a low-privilege shell. Exploitation is reliable and grants root access.
- A cross-site scripting (XSS) vulnerability that requires a victim to click a malicious link. If clicked, the attacker can steal the user's session cookie for the application.
- A buffer overflow in a VPN appliance that allows an unauthenticated remote attacker to execute arbitrary code, crashing the VPN service in the process.
- Default SNMP community strings on an internal network printer, accessible only from the same subnet.
Exercise 11.3: Vulnerability Assessment vs. Penetration Testing
A potential client contacts your firm and says: "We need a pentest before our PCI DSS audit next month." After discussing their needs, you realize they have never had any security assessment before and have 500 hosts across multiple subnets.
Write a 500-word recommendation explaining: (a) why a vulnerability assessment should be the first step rather than a penetration test, (b) how the two approaches complement each other, (c) a phased plan for their security assessment program, and (d) how the vulnerability assessment supports their PCI DSS compliance goals.
Exercise 11.4: Vulnerability Database Exploration
Using the National Vulnerability Database (nvd.nist.gov):
- Search for all CVEs affecting "Apache HTTP Server" published in the last 12 months.
- Categorize them by severity (Critical, High, Medium, Low).
- Identify which ones have known exploits (check Exploit-DB and Metasploit modules, and whether the CVE appears in the CISA KEV catalog).
- Create a risk matrix showing the distribution of vulnerabilities by severity and exploit availability.
- Write a brief advisory (200 words) for a system administrator running Apache HTTP Server, summarizing the most critical findings and recommended actions.
Intermediate Exercises
Exercise 11.5: Authenticated vs. Unauthenticated Scanning
In your Student Home Lab:
- Run an unauthenticated vulnerability scan against your Metasploitable VM using OpenVAS or Nessus Essentials.
- If possible, run an authenticated scan against the same target (configure SSH credentials).
- Compare the results: (a) total number of findings, (b) severity distribution, (c) types of vulnerabilities found only in the authenticated scan.
- Write a 300-word analysis explaining why the authenticated scan typically finds more (and more accurate) findings, and which categories of findings (missing local patches, installed package versions, configuration weaknesses, local user and permission issues) are only visible with credentials.
Exercise 11.6: False Positive Identification
After running a vulnerability scan against your lab environment, select 10 findings of varying severity and manually validate each one:
- For each finding, document: the scanner's claim, your validation method, and whether it is a true positive or false positive.
- Calculate the false positive rate for your sample.
- Identify patterns — are certain types of findings more likely to be false positives?
- Write recommendations for improving scan accuracy based on your findings.
Exercise 11.7: CVSS Calculator Implementation
Using the example-01-cvss-calculator.py code from this chapter's code directory:
- Run the calculator to score three real CVEs and compare your scores with the NVD's published scores.
- Modify the calculator to also compute temporal scores using the temporal metric equations.
- Add a function that takes a CVSS vector string (e.g., "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H") and parses it into individual metrics.
- Create unit tests that verify your calculator produces correct scores for at least five known CVEs.
Exercise 11.8: Risk-Adjusted Prioritization
You have received the following vulnerability scan results for a healthcare organization. Prioritize them using both CVSS and business context:
| Finding | CVSS | System | Data | Exposure |
|---|---|---|---|---|
| Log4Shell in EHR system | 10.0 | Production | PHI | Internal |
| SQL injection in patient portal | 9.8 | Production | PHI | Internet-facing |
| Missing patches on dev server | 7.5 | Development | Test data | Internal |
| Default SNMP on switches | 7.5 | Network infra | N/A | Internal |
| Weak TLS on internal wiki | 5.3 | Non-critical | None | Internal |
| XSS in benefits enrollment | 6.1 | Production | PII | Internal |
| SMBv1 on file server | 9.8 | Production | PHI | Internal |
| Outdated jQuery on marketing site | 6.1 | Marketing | None | Internet-facing |
Rank these from highest to lowest priority, explaining your reasoning for each ranking. Your prioritization should differ from a simple CVSS sort.
Exercise 11.9: Vulnerability Report Writing
Using the findings from Exercise 11.6 (or hypothetical findings if needed), write a professional vulnerability finding entry for the single most critical true positive. Include:
- Title with CVE reference
- Severity rating (CVSS + risk-adjusted)
- Affected systems
- Detailed description
- Evidence (screenshots/command output)
- Business impact analysis
- Step-by-step remediation instructions
- References
Follow the finding template format shown in Section 11.7.2.
Advanced Exercises
Exercise 11.10: Multi-Scanner Comparison
Run at least two different vulnerability scanners against the same target:
- Choose from: Nessus Essentials, OpenVAS, Nuclei, Nikto, or any other available scanner.
- Document findings from each scanner in a normalized format.
- Create a Venn diagram showing unique findings per scanner and overlapping findings.
- Calculate agreement rate, unique detection rate, and estimated false positive rate for each scanner.
- Write a 500-word analysis recommending a multi-scanner strategy for different engagement types.
Exercise 11.11: Vulnerability Report Generator
Extend the example-02-vuln-report-generator.py code from this chapter:
- Add support for importing Nessus (.nessus XML) scan results.
- Implement automatic CVSS score lookup for CVE findings using the NVD API.
- Add a chart generation feature showing finding distribution by severity.
- Generate both executive summary and detailed technical reports.
- Include a remediation prioritization timeline based on severity and asset criticality.
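As an added example for the first bullet (not the chapter's example-02-vuln-report-generator.py), the block below parses a .nessus v2 export into a normalized finding record, deduplicates findings that describe the same CVE on the same service, and produces the severity counts a chart would be built from. The record layout is an assumption for this example; it is also the kind of common format the tracking dashboard in Exercise 11.15 needs. The embedded XML is a constructed sample in the NessusClientData_v2 shape, and its plugin IDs are placeholders, not real Nessus plugin IDs.

```python
"""Import a .nessus (NessusClientData_v2) export into normalized finding records."""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus ReportItem severity attribute (0-4) -> label used in the report
SEVERITY = {"0": "Info", "1": "Low", "2": "Medium", "3": "High", "4": "Critical"}


def parse_nessus(xml_text):
    """Yield one normalized dict per ReportItem. Your own scanner's export is trusted
    input; if you ever ingest .nessus files from third parties, parse them with
    defusedxml instead of ElementTree to avoid entity-expansion attacks."""
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError(f"not a v2 .nessus export, root is <{root.tag}>")
    for host in root.iter("ReportHost"):
        props = host.find("HostProperties")
        tags = {t.get("name"): t.text for t in (props if props is not None else [])}
        for item in host.iter("ReportItem"):
            yield {
                "scanner": "nessus",
                "host": tags.get("host-ip", host.get("name")),
                "fqdn": tags.get("host-fqdn"),
                "port": int(item.get("port", "0")),   # 0 = host-level finding
                "protocol": item.get("protocol"),
                "plugin_id": item.get("pluginID"),
                "title": item.get("pluginName"),
                "severity": SEVERITY.get(item.get("severity"), "Info"),
                "cves": [c.text for c in item.findall("cve")],
                "cvss3": float(item.findtext("cvss3_base_score") or 0),
                "vector": item.findtext("cvss3_vector"),
                "solution": item.findtext("solution"),
            }


def dedupe(findings):
    """Merge findings that describe the same issue on the same service. The key is
    (host, port, protocol, CVE) when a CVE is present, otherwise the plugin id, so two
    plugins (or two scanners) flagging the same CVE collapse to one entry; the entry
    carrying the higher CVSS score wins."""
    best = {}
    for f in findings:
        service = (f["host"], f["port"], f["protocol"])
        keys = [service + (cve,) for cve in f["cves"]] or [service + (f["plugin_id"],)]
        for key in keys:
            if key not in best or f["cvss3"] > best[key]["cvss3"]:
                best[key] = f
    unique = []
    for f in best.values():          # one finding may own several CVE keys
        if f not in unique:
            unique.append(f)
    return unique


def severity_distribution(findings):
    """Counts per severity label: the input for the finding-distribution chart."""
    return Counter(f["severity"] for f in findings)


# Constructed sample export (plugin ids are placeholders, not real Nessus plugin ids).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="lab scan">
<ReportHost name="192.168.56.101">
<HostProperties>
<tag name="host-ip">192.168.56.101</tag>
<tag name="host-fqdn">target.lab.local</tag>
</HostProperties>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="900001"
 pluginName="MS17-010: SMBv1 Remote Code Execution" pluginFamily="Windows">
<cve>CVE-2017-0144</cve>
<cvss3_base_score>8.1</cvss3_base_score>
<cvss3_vector>CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</cvss3_vector>
<solution>Apply the MS17-010 security update and disable SMBv1.</solution>
</ReportItem>
<ReportItem port="443" svc_name="www" protocol="tcp" severity="3" pluginID="900002"
 pluginName="OpenSSL Heartbeat Information Disclosure (Heartbleed)" pluginFamily="Web Servers">
<cve>CVE-2014-0160</cve>
<cvss3_base_score>7.5</cvss3_base_score>
<solution>Upgrade OpenSSL to 1.0.1g or later.</solution>
</ReportItem>
<ReportItem port="443" svc_name="www" protocol="tcp" severity="3" pluginID="900003"
 pluginName="OpenSSL 1.0.1 &lt; 1.0.1g Multiple Vulnerabilities" pluginFamily="Web Servers">
<cve>CVE-2014-0160</cve>
<cvss3_base_score>7.5</cvss3_base_score>
</ReportItem>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900004"
 pluginName="Nessus SYN scanner" pluginFamily="Port scanners"/>
</ReportHost>
</Report>
</NessusClientData_v2>
"""

if __name__ == "__main__":
    found = dedupe(parse_nessus(SAMPLE_NESSUS))
    print(severity_distribution(found))
    for f in sorted(found, key=lambda f: -f["cvss3"]):
        print(f["cvss3"], f["severity"], f["host"], f["port"], f["title"], f["cves"])
```

Deduplicating on CVE rather than plugin ID is what makes the numbers in your report honest: the two Heartbleed items above are one exposure, not two, and a severity chart built from raw ReportItems would overstate the High count.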
Exercise 11.12: Historical Vulnerability Trend Analysis
Using NVD data:
- Query the NVD API for all CVEs published in the last three years (the API limits a single publication-date query to a 120-day range, so page through successive windows).
- Analyze trends: (a) total CVEs per year, (b) severity distribution changes, (c) most affected vendors, (d) most common CWE categories.
- Create visualizations showing these trends.
- Write a 500-word analysis discussing what the trends mean for vulnerability assessment professionals and how assessment methodologies should adapt.
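Pulling three years of records is where most attempts at this exercise stall, so the added example below (not code from the chapter) walks the NVD 2.0 API in 120-day windows with paging and then aggregates the four trend questions. The live `nvd_fetch` uses the real endpoint and the documented `pubStartDate`/`pubEndDate`/`resultsPerPage`/`startIndex` parameters and `apiKey` header; the demo instead injects `fake_fetch` over a constructed in-memory database whose CVE IDs and records are placeholders, so it runs offline. The response field layout (`vulnerabilities[].cve.published`, `metrics.cvssMetricV31`, `configurations[].nodes[].cpeMatch[].criteria`, `weaknesses[].description[].value`) is the NVD 2.0 JSON shape as I know it; verify against a live response before relying on it.

```python
"""Walk the NVD 2.0 API in 120-day windows and aggregate yearly vulnerability trends."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlencode
from urllib.request import Request, urlopen

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
WINDOW = timedelta(days=120)   # NVD rejects pubStartDate..pubEndDate spans over 120 days
PAGE_SIZE = 2000               # the API's maximum resultsPerPage
DATE_FMT = "%Y-%m-%dT%H:%M:%S.000"


def nvd_fetch(params, api_key=None):
    """Live call (the demo swaps in fake_fetch). NVD rate-limits to roughly 5 requests
    per 30 s without a key and 50 with one, so sleep between calls in real use."""
    req = Request(NVD_API + "?" + urlencode(params))
    if api_key:
        req.add_header("apiKey", api_key)
    with urlopen(req, timeout=60) as resp:
        return json.load(resp)


def windows(start, end):
    """Split [start, end) into consecutive spans no longer than WINDOW."""
    cur = start
    while cur < end:
        nxt = min(cur + WINDOW, end)
        yield cur, nxt
        cur = nxt


def iter_cves(start, end, fetch=nvd_fetch):
    """Yield every 'cve' object published in [start, end), paging within each window."""
    for win_start, win_end in windows(start, end):
        index = 0
        while True:
            page = fetch({"pubStartDate": win_start.strftime(DATE_FMT),
                          "pubEndDate": win_end.strftime(DATE_FMT),
                          "resultsPerPage": PAGE_SIZE, "startIndex": index})
            items = page.get("vulnerabilities", [])
            for v in items:
                yield v["cve"]
            index += len(items)
            if not items or index >= page.get("totalResults", 0):
                break


def primary_severity(cve):
    """NVD's own (type == Primary) CVSS v3.1 qualitative rating, or UNSCORED."""
    for m in cve.get("metrics", {}).get("cvssMetricV31", []):
        if m.get("type") == "Primary":
            return m["cvssData"]["baseSeverity"]
    return "UNSCORED"


def summarize(cves):
    """Per-year totals, per-year severity mix, top vendors (from CPE 2.3 strings)
    and top CWEs; each vendor and CWE is counted at most once per CVE."""
    per_year, vendors, cwes = Counter(), Counter(), Counter()
    sev_by_year = defaultdict(Counter)
    for cve in cves:
        year = cve["published"][:4]
        per_year[year] += 1
        sev_by_year[year][primary_severity(cve)] += 1
        # cpe:2.3:<part>:<vendor>:<product>:... -> vendor is field 3
        vendors.update({m["criteria"].split(":")[3]
                        for cfg in cve.get("configurations", [])
                        for node in cfg.get("nodes", [])
                        for m in node.get("cpeMatch", [])})
        cwes.update({d["value"] for w in cve.get("weaknesses", [])
                     for d in w.get("description", [])
                     if d.get("value", "").startswith("CWE-")})
    return {"per_year": dict(per_year),
            "severity": {y: dict(c) for y, c in sev_by_year.items()},
            "vendors": vendors.most_common(5), "cwes": cwes.most_common(5)}


def _fake(cve_id, published, severity, vendor, cwe):
    """Build one record in the shape of an NVD 'vulnerabilities' entry (constructed)."""
    metrics = ({"cvssMetricV31": [{"type": "Primary", "cvssData": {"baseSeverity": severity}}]}
               if severity else {})
    return {"cve": {"id": cve_id, "published": published, "metrics": metrics,
                    "configurations": [{"nodes": [{"cpeMatch": [
                        {"criteria": f"cpe:2.3:a:{vendor}:widget:1.0:*:*:*:*:*:*:*"}]}]}],
                    "weaknesses": [{"description": [{"value": cwe}]}]}}


# Constructed sample; ids are placeholders and the records are not real NVD data.
FAKE_DB = [
    _fake("CVE-2022-90001", "2022-02-01T00:00:00.000", "HIGH", "acme", "CWE-79"),
    _fake("CVE-2022-90002", "2022-07-15T00:00:00.000", "CRITICAL", "acme", "CWE-787"),
    _fake("CVE-2023-90003", "2023-03-10T00:00:00.000", "MEDIUM", "widgetco", "CWE-79"),
    _fake("CVE-2023-90004", "2023-11-30T00:00:00.000", "HIGH", "acme", "CWE-89"),
    _fake("CVE-2024-90005", "2024-01-05T00:00:00.000", "CRITICAL", "widgetco", "CWE-787"),
    _fake("CVE-2024-90006", "2024-05-20T00:00:00.000", None, "widgetco", "CWE-79"),
]
DEMO_START, DEMO_END = datetime(2022, 1, 1), datetime(2025, 1, 1)


def fake_fetch(params):
    """Offline stand-in for nvd_fetch: filters FAKE_DB by the window and pages it."""
    lo, hi = params["pubStartDate"], params["pubEndDate"]
    hits = [v for v in FAKE_DB if lo <= v["cve"]["published"] < hi]
    start = params["startIndex"]
    page = hits[start:start + params["resultsPerPage"]]
    return {"totalResults": len(hits), "resultsPerPage": len(page),
            "startIndex": start, "vulnerabilities": page}


def demo():
    return summarize(iter_cves(DEMO_START, DEMO_END, fetch=fake_fetch))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same endpoint with a `cveId=CVE-...` parameter serves the single-CVE score lookup asked for in Exercise 11.11; reuse `primary_severity` (or read `cvssData.baseScore` and `vectorString` from the same metric object) on that response. Cache raw pages to disk as you go so a rate-limit error on window 8 of 10 does not cost you the first seven.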
Exercise 11.13: ShopStack Vulnerability Assessment
You have been provided with the following scan results from the ShopStack staging environment (simulated data — no actual scanning required for this exercise):
Web Application (shopstack-staging.local):
- jQuery 3.3.1 (CVE-2020-11022, CVSS 6.1)
- Express.js 4.17.1 (CVE-2022-24999, CVSS 7.5)
- GraphQL introspection enabled (no CVE, information disclosure)
- Missing Content-Security-Policy header
- WordPress 5.8 at /blog/ with 3 vulnerable plugins
Database Server (db.shopstack-staging.local):
- PostgreSQL 12.3 (CVE-2022-1552, CVSS 8.8)
- Remote connections accepted from any IP (pg_hba.conf misconfiguration)
- Weak password on the postgres superuser account
Redis (redis.shopstack-staging.local):
- Redis 6.0.9 (CVE-2021-32675, CVSS 7.5)
- No authentication required
- Bound to 0.0.0.0
Complete the following:
1. Validate each finding (describe how you would validate it).
2. Calculate or look up CVSS scores.
3. Prioritize all findings considering ShopStack's e-commerce business context.
4. Write a one-page executive summary.
5. Write detailed finding entries for the top three priorities.
6. Create a remediation roadmap with timelines.
Exercise 11.14: Building a Vulnerability Assessment Methodology
Design a complete vulnerability assessment methodology document for a consulting firm. Include:
- Pre-engagement activities (scoping, authorization, scheduling)
- Tool selection criteria and recommended toolset
- Scanning methodology (phases, configurations, timing)
- Validation and verification procedures
- Risk rating framework
- Report template and quality assurance process
- Remediation support and retest procedures
- Continuous improvement process
The methodology should be at least 2,000 words and reference industry standards (PTES, OWASP, NIST).
Exercise 11.15: Automated Vulnerability Tracking Dashboard
Design (and optionally implement) a vulnerability tracking dashboard that:
- Imports findings from Nessus, OpenVAS, and Nuclei scan results.
- Normalizes findings to a common format (CVE, severity, affected host).
- Deduplicates findings across scanners.
- Tracks remediation status (Open, In Progress, Remediated, Accepted Risk).
- Calculates aggregate risk scores per host, per subnet, and overall.
- Displays trending data over time.
- Generates alerts for critical new findings or overdue remediation.
Provide architecture diagrams, data schemas, and UI mockups. If implementing, use Python with a web framework of your choice.
Reflection Questions
Exercise 11.16: The Ethics of Vulnerability Disclosure
During a vulnerability assessment for Client A, you discover that their third-party SaaS provider has a critical vulnerability that could expose Client A's data. The SaaS provider is not in your scope of testing. Write a 500-word essay addressing: (a) your obligations to Client A, (b) your obligations (if any) to the SaaS provider, (c) the ethical framework for handling this situation, and (d) how you would advise Client A.
Exercise 11.17: Vulnerability Assessment Limitations
Your client's CISO asks: "If we run weekly vulnerability scans, are we secure?" Write a 400-word response explaining the limitations of vulnerability assessment, including: (a) what it catches, (b) what it misses, (c) how it should be combined with other security activities, and (d) common misconceptions about vulnerability scanning.
Exercise 11.18: Responsible Vulnerability Management
You deliver a vulnerability assessment report with 15 critical findings to a healthcare organization. Six months later, a follow-up assessment reveals that none of the critical findings have been remediated. Write a 400-word analysis discussing: (a) potential organizational reasons for this, (b) the tester's responsibility, (c) how to write reports that drive action, and (d) what the organization should do differently.
Exercise 11.19: AI and Vulnerability Assessment
Research and write a 500-word analysis of how artificial intelligence and machine learning are being applied to vulnerability assessment. Consider: (a) automated vulnerability detection, (b) intelligent prioritization, (c) false positive reduction, (d) exploit prediction, and (e) the limitations and risks of AI-assisted assessment.
Exercise 11.20: Building Your Assessment Toolkit
Document your personal vulnerability assessment toolkit. For each tool, explain: (a) what it does, (b) when you use it, (c) its strengths and limitations, and (d) how it integrates with your workflow. Include at least eight tools spanning network scanning, web application testing, vulnerability scanning, and reporting.