## https://sploitus.com/exploit?id=E12BF17A-26CE-5EE3-A4A4-2FA05BBADA41
# DefaceMeter
DefaceMeter is a small, static, browser-based prototype that estimates the *likelihood of a website defacement* given a JSON vulnerability report.
You upload a report (see `sample_report.json`), optionally tune the weights of three factors, and DefaceMeter calculates:
- A per-vulnerability contribution score `Vi`
- An aggregate probability that **at least one** vulnerability could plausibly lead to a defacement outcome (using an independence approximation)
- A single “DefacementScore” shown as a percentage gauge
This project is intentionally lightweight: it runs entirely in the browser with plain HTML/CSS/JavaScript and requires no build step.
---
## What’s in this repo
- `index.html` — UI layout (upload panel, processing panel, results panel)
- `styles.css` — visual styling (glass panels, gauge, table, loader)
- `app.js` — scoring model + UI logic
- `sample_report.json` — an example input file you can use to demo the tool
---
## How it works (scoring model)
DefaceMeter builds a probability from three normalized factors per vulnerability:
### 1) Criticality factor `C`
Derived from CVSS:
- `C = clamp(cvss, 0..10) / 10`
So a CVSS 10.0 maps to `C = 1.0` and CVSS 5.0 maps to `C = 0.5`.
### 2) Exploitability factor `E`
A simple heuristic based on exploit flags:
- If `public_exploit=true` **and** `metasploit=true` → `E = 1.0`
- Else if `poc=true` → `E = 0.8`
- Else if `complex_poc=true` → `E = 0.5`
- Else → `E = 0.05`
If the `exploit` object is missing or invalid, DefaceMeter defaults to `0.05`.
### 3) Historical factor `H`
Normalizes a vulnerability’s historical usage/frequency (`historical.count`) relative to the maximum count in the uploaded dataset:
- `H = log(1 + count) / log(1 + maxCount)`
If counts are missing or invalid, DefaceMeter uses `0.05`.
### Per-vulnerability contribution `Vi`
Each vulnerability gets a weighted score:
- `Vi = wC * C + wE * E + wH * H`
Weights are user-adjustable (`C`, `E`, `H`) and are automatically normalized to sum to 1.
### Aggregate probability and displayed score
To convert multiple `Vi` values into one number, DefaceMeter uses an independent-event approximation:
- `RawProb = 1 - ∏(1 - Vi)`
- `DefacementScore = 100 * RawProb`
This is why the UI warns: *“Interpret cautiously: This is a synthesized probability using independent event approximation.”*
---
## Expected input format (JSON)
DefaceMeter expects JSON shaped like this (matching the schema shown in the UI):
```json
{
"meta": { "generated": "ISO8601", "scope": "string", "tool": "string" },
"weights": { "C": 0.5, "E": 0.3, "H": 0.2 },
"vulnerabilities": [
{
"id": "string",
"title": "string",
"cvss": 9.8,
"exploit": {
"public_exploit": true,
"metasploit": false,
"poc": true,
"complex_poc": false
},
"historical": { "count": 37, "class": "SQL Injection" },
"category": "Injection",
"asset": "api.example.com",
"description": "Human readable...",
"references": ["https://..."],
"tags": ["critical", "webapp", "sqli"]
}
]
}
```
Notes:
- `weights` in the JSON is optional; the UI also allows overriding weights.
- `historical.count` is used for the historical normalization.
- Extra fields are ignored by the scoring logic (but may appear in the raw JSON viewer).
---
## How to run
Because the UI fetches `sample_report.json` for the “Download Sample JSON” link, the simplest way to run is with a tiny local web server.
### Option A: Python (recommended)
```bash
cd /path/to/defacemeter
python3 -m http.server 8000
```
Then open:
- http://localhost:8000
### Option B: Any static server
Serve the folder with any static server of your choice and open the served URL in your browser.
---
## How to use
1. Open the app in your browser.
2. Upload a vulnerability report JSON (or use the link to download `sample_report.json`).
3. (Optional) Adjust `C`, `E`, `H` weights and click **Normalize**.
4. Review the results:
- Gauge = aggregate likelihood percent
- Table = per-vulnerability `C`, `E`, `H`, and `Vi`
- Insights = short auto-generated guidance based on score and top contributors
---
## Output interpretation and limitations
- This is a *prototype scoring model*, not a guarantee or a forensic conclusion.
- The aggregate probability uses an **independence approximation**; in real environments, vulnerabilities and attacker behavior are often correlated.
- `Vi` values are heuristics derived from CVSS + exploit flags + dataset-local historical normalization; they are best used for **relative prioritization** within the same report.
---
## Customization
If you want to change the model, the core functions are in `app.js`:
- `computeC(cvss)`
- `computeE(exploit)`
- `computeH(count, maxCount)`
- `computeScores(data, overrideWeights)`
The UI uses the returned `contributions` list to render the table and generate top-contributor insights.