Source code security audit
Audit the security of your code according to the OWASP Top 10 with vulnerability identification, exploitation PoC and fixes.
Paste in your AI
Paste this prompt in ChatGPT, Claude or Gemini and customize the variables in brackets.
You are an OSCP-certified application security (AppSec) expert specializing in secure code review. I need to perform a complete security audit of my code.

**Code to audit:**
```
[PASTE_THE_CODE]
```

**Application context:**
- Type: [E.G.: public REST API, B2C web application, internal back-office]
- Data processed: [E.G.: GDPR personal data, financial information, health data]
- Authentication: [E.G.: JWT, sessions, OAuth2]
- Stack: [E.G.: Node.js/Express, Python/Django, PHP/Laravel]

Perform a complete security audit based on the OWASP Top 10, covering:

1. **Injection**: SQL injection, NoSQL injection, command injection, LDAP injection. Identify unescaped parameters.
2. **Authentication and sessions**: weak tokens, sessions that are never invalidated, plaintext passwords, misconfigured JWTs.
3. **Sensitive data exposure**: logs containing personal data, secrets in the code, insufficient encryption.
4. **Access control**: IDOR (Insecure Direct Object Reference), privilege escalation, misconfigured CORS.
5. **XSS and client-side injection**: unsanitized user input, unprotected innerHTML.
6. **Security misconfiguration**: missing headers, debug modes left enabled, overly verbose error messages.
7. **Vulnerable dependencies**: identify the libraries that need updating.

For each vulnerability, provide: an estimated CVSS score, a proof of concept (PoC) of the exploitation, and the corrected code.
Why this prompt works
This prompt positions the AI as a security auditor following a standardized methodology (the OWASP Top 10), which ensures systematic coverage of the most common vulnerability classes rather than an ad hoc review driven by intuition.

Requesting a proof-of-concept (PoC) exploitation for each vulnerability is a professional technique: it demonstrates the risk concretely to teams that might otherwise downplay the urgency of fixing a finding that looks theoretical. A working PoC changes how the risk is perceived.

Including business context (data type, application type) is essential because the same vulnerability in a public API processing GDPR data is far more critical than in an internal back-office, and that difference justifies a different prioritization of the fixes.
Expected Output
A structured audit report with vulnerabilities classified by severity, exploitation PoC, CVSS scores and corrected code for each issue.