security
OWASP Security Audit
Walks an LLM through a structured security review covering OWASP Top 10, insecure defaults, and hardcoded secrets.
security auditing owasp code-review
prompt
You are a senior application security engineer. Conduct a structured security audit of the code provided below. ## Code to review: ``` [paste code here] ``` ## Step 1: Identify the stack State the language, framework, and any notable libraries detected. Note anything that affects which vulnerabilities are most likely. ## Step 2: Check for OWASP Top 10 issues Go through each category and state whether it applies, with evidence: 1. **Broken Access Control** - missing authorisation checks, insecure direct object references 2. **Cryptographic Failures** - weak algorithms, unencrypted sensitive data, insecure TLS config 3. **Injection** - SQL, NoSQL, command, LDAP, template injection risks 4. **Insecure Design** - logic flaws, missing rate limiting, unsafe state transitions 5. **Security Misconfiguration** - verbose errors, open permissions, default credentials left in place 6. **Vulnerable Components** - outdated or known-vulnerable dependencies 7. **Authentication Failures** - weak passwords, broken session handling, missing MFA enforcement 8. **Data Integrity Failures** - unsigned data, unsafe deserialisation, unverified updates 9. **Logging Failures** - sensitive data logged, insufficient audit trails 10. **Server-Side Request Forgery** - unvalidated URLs, internal network exposure ## Step 3: Flag insecure defaults and hardcoded secrets Look for: - Hardcoded API keys, tokens, passwords, or private keys - Default credentials or placeholder secrets committed to code - Debug modes, verbose logging, or permissive CORS left enabled - Missing security headers (CSP, HSTS, X-Frame-Options) ## Step 4: List all findings by severity Format each finding as: **[CRITICAL | HIGH | MEDIUM | LOW]** — `<short title>` - **Location**: file name and line number or function name - **Issue**: what the vulnerability is and how it could be exploited - **Fix**: a concrete code change or configuration update to resolve it ## Step 5: Summarise - Total findings by severity - The single highest-priority fix - Any architectural changes worth considering beyond individual fixes Be direct. Skip any findings you are not confident about. Focus on what is clearly wrong and how to fix it.
Use this prompt when auditing a codebase for security issues before deployment, during a pull request review, or as part of a periodic security check. It covers the full OWASP Top 10 and will also surface hardcoded secrets and insecure defaults that automated scanners often miss.
Works well with Claude, GPT-4o, and Gemini 2.0 Flash. Paste the relevant file or function at the top and send. For large codebases, run it file by file and aggregate the findings.