exploitability-analyzer
Analyze detected vulnerabilities to assess realistic exploitability by examining control flow, input sources, sanitization logic, and execution context. Use when users need to: (1) Determine if a vulnerability is actually exploitable in practice, (2) Assess severity and impact of security issues, (3) Prioritize vulnerability remediation, (4) Understand attack vectors and exploitation conditions, (5) Generate exploitability reports with proof-of-concept scenarios. Focuses on injection vulnerabilities (SQL, command, XSS, path traversal, LDAP) with detailed analysis of reachability, controllability, sanitization, and impact.
git clone --depth 1 https://github.com/ArabelaTso/Skills-4-SE /tmp/exploitability-analyzer && cp -r /tmp/exploitability-analyzer/skills/exploitability-analyzer ~/.claude/skills/exploitability-analyzerSKILL.md
# Exploitability Analyzer
Assess whether detected vulnerabilities are realistically exploitable.
## Overview
This skill analyzes security vulnerabilities to determine if they're actually exploitable in practice. It examines control flow to assess reachability, traces input sources to evaluate controllability, analyzes sanitization logic, and considers execution context to provide realistic exploitability assessments with severity ratings.
## How to Use
Provide:
1. **Vulnerable code**: The code containing the vulnerability
2. **Vulnerability type**: SQL injection, XSS, command injection, etc.
3. **Context**: Surrounding code, input sources, sanitization functions
4. **Environment** (optional): Execution privileges, security controls
The skill will analyze:
- **Reachability**: Can attackers reach the vulnerable code?
- **Controllability**: Can attackers control the vulnerable input?
- **Sanitization**: Is input properly sanitized?
- **Impact**: What damage can be caused?
- **Exploitability**: Overall assessment (Critical/High/Medium/Low/None)
## Analysis Workflow
### Step 1: Identify Vulnerability Type
Classify the vulnerability:
- SQL Injection
- Command Injection
- Cross-Site Scripting (XSS)
- Path Traversal
- LDAP Injection
- Other injection types
### Step 2: Trace Data Flow
Follow the data from source to sink:
**Source**: Where does the input originate?
- User input (query params, POST data, headers)
- Database values (second-order injection)
- Configuration files
- Environment variables
- Hardcoded values
**Transformations**: What happens to the input?
- Validation checks
- Sanitization functions
- Encoding/escaping
- String operations
**Sink**: Where is the input used dangerously?
- SQL query execution
- System command execution
- HTML rendering
- File system operations
### Step 3: Assess Reachability
**Question**: Can an attacker reach the vulnerable code path?
**Critical**: Public endpoint, no authentication
**High**: Authenticated endpoint, common user role
**Medium**: Requires specific conditions or privileges
**Low**: Admin-only, internal function, rare code path
**None**: Dead code, unreachable
### Step 4: Evaluate Controllability
**Question**: Can an attacker control the vulnerable input?
**High**: Direct user input (GET/POST parameters, headers)
**Medium**: Indirect control (database, config files)
**Low**: Derived values, heavily processed
**None**: Hardcoded, system-generated
### Step 5: Analyze Sanitization
**Question**: Is the input properly sanitized?
**None**: No sanitization, direct pass-through
**Weak**: Blacklist filtering, incomplete escaping
**Partial**: Some sanitization but bypassable
**Strong**: Whitelist validation, proper escaping, parameterization
### Step 6: Determine Impact
**Question**: What damage can an attacker cause?
**Critical**: Remote code execution, full system compromise
**High**: Data breach, privilege escalation, DoS
**Medium**: Limited data access, information disclosure
**Low**: Minor information leak, cosmetic issues
### Step 7: Calculate Exploitability
Combine factors to determine overall exploitability:
| Reachability | Controllability | Sanitization | Impact | Exploitability |
|--------------|-----------------|--------------|---------|----------------|
| High | High | None | Critical | **CRITICAL** |
| High | High | Weak | High | **HIGH** |
| High | High | Partial | Medium | **MEDIUM** |
| Medium | Medium | Strong | Low | **LOW** |
| Any | Any | Strong | Any | **NONE** |
## Example: SQL Injection (Critical)
**Vulnerable Code**:
```python
@app.route('/user')
def get_user():
username = request.args.get('username')
query = f"SELECT * FROM users WHERE username = '{username}'"
cursor.execute(query)
return cursor.fetchone()
```
**Analysis**:
**1. Vulnerability Type**: SQL Injection
**2. Data Flow**:
- **Source**: `request.args.get('username')` - user-controlled query parameter
- **Transformations**: None - direct string formatting
- **Sink**: `cursor.execute(query)` - SQL execution
**3. Reachability**: **High**
- Public endpoint (`/user`)
- No authentication required
- Easily accessible via HTTP GET
**4. Controllability**: **High**
- Direct user input via query parameter
- Attacker has full control over `username` value
- No restrictions on input format
**5. Sanitization**: **None**
- No input validation
- No escaping or parameterization
- Direct string formatting with f-string
- SQL metacharacters not filtered
**6. Impact**: **Critical**
- Full database access possible
- Can extract all user data
- Potential for data modification/deletion
- May enable privilege escalation
- Possible RCE via stored procedures (database-dependent)
**7. Exploitability**: **CRITICAL**
**Proof-of-Concept**:
```
GET /user?username=' OR '1'='1' --
```
This bypasses authentication and returns all users.
**Advanced Exploit**:
```
GET /user?username=' UNION SELECT password FROM admin_users --
```
This extracts admin passwords.
**Remediation**:
```python
@app.route('/user')
def get_user():
username = request.args.get('username')
# Use parameterized query
query = "SELECT * FROM users WHERE username = ?"
cursor.execute(query, (username,))
return cursor.fetchone()
```
## Example: Command Injection (High)
**Vulnerable Code**:
```python
@app.route('/ping')
def ping_host():
host = request.form.get('host')
if ';' in host or '|' in host:
return "Invalid host"
result = os.system(f"ping -c 4 {host}")
return f"Ping result: {result}"
```
**Analysis**:
**1. Vulnerability Type**: Command Injection
**2. Data Flow**:
- **Source**: `request.form.get('host')` - user-controlled POST parameter
- **Transformations**: Blacklist check for `;` and `|`
- **Sink**: `os.system()` - shell command execution
**3. Reachability**: **High**
- Public endpoint
- POST request (slightly less accessible than GET)
- No authentication
**4. Controllability**: **High**
- Direct user input
- Attacker conApplies abstract interpretation using different abstract domains (intervals, octagons, polyhedra, sign, congruence) to statically analyze program variables and infer invariants, value ranges, and relationships. Use when analyzing program properties, inferring loop invariants, detecting potential errors, or understanding variable relationships through static analysis.
Uses abstract interpretation to automatically infer loop invariants, function preconditions, and postconditions for formal verification. Generates invariants that capture program behavior and support correctness proofs in Dafny, Isabelle, Coq, and other verification systems. Use when adding formal specifications to code, generating verification conditions, inferring contracts for functions, or discovering loop invariants for proofs.
Performs abstract interpretation over source code to infer possible program states, variable ranges, and data properties without executing the program. Reports potential runtime errors including out-of-bounds accesses, null dereferences, type inconsistencies, division by zero, and integer overflows. Use when analyzing code for potential runtime errors, performing static analysis, checking safety properties, or verifying program behavior without execution.
Performs abstract interpretation to produce summarized execution traces and high-level program behavior representations. Highlights key control flow paths, variable relationships, loop invariants, function summaries, and potential runtime states using abstract domains (intervals, signs, nullness, etc.). Use when analyzing program behavior, understanding execution paths, computing loop invariants, tracking variable ranges, detecting potential runtime errors, or generating program summaries without concrete execution.
Create ACSL (ANSI/ISO C Specification Language) formal annotations for C/C++ programs. Use this skill when working with formal verification, adding function contracts (requires/ensures), loop invariants, assertions, memory safety annotations, or any ACSL specifications. Supports Frama-C verification and generates comprehensive formal specifications for C/C++ code.
CLI-based browser automation with persistent page state using ref-based element interaction. Use when users ask to navigate websites, interact with web pages, fill forms, take screenshots, test web applications, or extract information from web pages.
Detects and analyzes ambiguous language in software requirements and user stories. Use when reviewing requirements documents, user stories, specifications, or any software requirement text to identify vague quantifiers, unclear scope, undefined terms, missing edge cases, subjective language, and incomplete specifications. Provides detailed analysis with clarifying questions and suggested improvements.
Design and review APIs with suggestions for endpoints, parameters, return types, and best practices. Use when designing new APIs from requirements, reviewing existing API designs, generating API documentation, or getting implementation guidance. Supports REST APIs with focus on endpoint structure, request/response schemas, authentication, pagination, filtering, versioning, and OpenAPI specifications. Triggers when users ask to design, review, document, or improve APIs.