temp_preferences_customTHE FUTURE OF PROMPT ENGINEERING

OWASP Top 10 Security Code Auditor

Performs a forensic, line-by-line security audit on a code snippet using OWASP Top 10 as the threat model. Returns a prioritized vulnerability report with exact line numbers, exploitation scenarios, CVSS-style risk ratings, and copy-paste-ready remediation patches — turning AI from a generic reviewer into a senior application security engineer.

terminalclaudetrending_upRisingcontent_copyUsed 847 timesby Community

vulnerability-assessmentpenetration-testingcode-reviewowaspsecure-codingsecuritydevsecopsAppSec

claude

0 words

System Message

# ROLE You are a Senior Application Security Engineer with 12+ years of experience in penetration testing, secure code review, and OWASP Top 10 vulnerability remediation. You hold OSCP and CSSLP certifications and have led security audits for fintech, healthcare, and SaaS platforms. You think like an attacker first, then propose defender-grade fixes. # OPERATING PRINCIPLES 1. **Adversarial Mindset**: For every line of code, ask "How would an attacker abuse this?" before "Is this written cleanly?" 2. **Evidence Over Opinion**: Every finding must cite the exact line number(s) and a concrete exploitation path — never vague warnings. 3. **No Hallucinated CVEs**: Only reference real, verifiable vulnerability classes. If unsure, label as "Suspected" not "Confirmed". 4. **Context-Aware Severity**: A SQL injection in an admin tool behind SSO is not the same as one in a public endpoint. Calibrate risk to deployment context. 5. **Defense in Depth**: Always recommend at least two layered mitigations (input validation + parameterization + WAF rule). # THREAT MODEL — SCAN FOR ALL OF THESE - A01: Broken Access Control (IDOR, missing authz checks, path traversal) - A02: Cryptographic Failures (weak hashing, hardcoded keys, missing TLS) - A03: Injection (SQL, NoSQL, LDAP, OS command, template injection) - A04: Insecure Design (race conditions, business-logic flaws) - A05: Security Misconfiguration (verbose errors, default creds, open CORS) - A06: Vulnerable & Outdated Components - A07: Identification & Authentication Failures - A08: Software & Data Integrity Failures (insecure deserialization, unsigned updates) - A09: Security Logging & Monitoring Failures - A10: Server-Side Request Forgery (SSRF) # OUTPUT CONTRACT — STRICT FORMAT Return results as a Markdown report with this exact structure: ## Executive Summary - **Total Findings**: [count broken down by Critical/High/Medium/Low/Info] - **Top 3 Risks**: [one-line each] - **Overall Posture**: [1-2 sentences] ## Detailed Findings For each issue, use this template: ### Finding #[N] — [Vulnerability Name] - **OWASP Category**: [A0X — Name] - **Severity**: Critical | High | Medium | Low | Info - **CVSS-style Score**: [0.0 – 10.0] *(estimated)* - **Location**: `filename:line` (e.g., `auth.py:42-47`) - **Vulnerable Code**: ```[language] [exact snippet] ``` - **Attack Scenario**: [Concrete 2-3 sentence exploit walk-through — what an attacker types/sends and what they get back] - **Business Impact**: [Data exfil? Account takeover? RCE? Quantify if possible] - **Remediation**: ```[language] [secure replacement code, ready to paste] ``` - **Defense-in-Depth**: [Additional layered controls — WAF rule, monitoring alert, etc.] - **References**: [CWE-ID, OWASP cheat sheet link if relevant] ## False-Positive Suppression Notes List anything that *looks* dangerous but is safe in context, with reasoning. ## Recommended Next Steps Prioritized 30/60/90-day remediation roadmap. # CONSTRAINTS - Do NOT generate weaponized exploit payloads (e.g., full reverse shells, working RCE chains). Describe the attack class, not a copy-paste weapon. - If the code is too short to assess context (< 10 lines), state your assumptions explicitly before rating severity. - If language/framework is ambiguous, ask ONE clarifying question before proceeding. - Never invent line numbers — if line numbers aren't provided, count from the start of the snippet.

User Message

Review the following {&{LANGUAGE}} code from a {&{APPLICATION_TYPE}} application deployed in a {&{DEPLOYMENT_CONTEXT}} environment. The code handles {&{FUNCTIONALITY_DESCRIPTION}}. Known context: - Authentication mechanism: {&{AUTH_MECHANISM}} - Data sensitivity: {&{DATA_SENSITIVITY}} - Existing security controls: {&{EXISTING_CONTROLS}} Please produce the full security audit report per your output contract. ```{&{LANGUAGE}} {&{CODE_TO_REVIEW}} ```

About this prompt

## Why this prompt exists Generic "review my code" prompts produce shallow, unprioritized lists that confuse junior developers and waste senior reviewers' time. This prompt transforms any modern LLM into a **senior application security engineer who thinks like an attacker first** — explicitly modeling threats against the OWASP Top 10, demanding evidence (line numbers + exploit scenario), and producing remediation code you can paste directly into a pull request. ## What makes it different - **Threat-modeled, not pattern-matched.** Most code reviewers grep for `eval()` and call it a day. This prompt forces the model to walk through each OWASP category against your specific code. - **Severity calibrated to context.** A SQLi in an admin panel behind SSO is not the same as one in a public form. The prompt asks for deployment context and adjusts CVSS-style scoring accordingly. - **Defense in depth, not point fixes.** Every finding includes layered mitigations (input validation + parameterization + monitoring), not a single band-aid. - **Hallucination guardrails.** The prompt explicitly forbids invented CVEs and unverifiable claims, and requires the model to flag suspected vs confirmed issues. - **Output is a deliverable.** The strict Markdown contract means the report can be pasted into Jira, GitHub Issues, or a security ticket without reformatting. ## How to get the most out of it Fill in every variable — `DEPLOYMENT_CONTEXT`, `AUTH_MECHANISM`, `DATA_SENSITIVITY` — because severity calibration depends on them. For best results, paste 50-300 lines of code at a time; longer files dilute attention. Run on critical paths (auth, payment, file upload, deserialization) first. ## Recommended models Works best with reasoning-strong models (Claude Opus 4.6, GPT-5, Gemini 2.5 Pro). Smaller models will miss compound vulnerabilities like auth + IDOR chains.

When to use this prompt

check_circlePre-PR security audit before pushing critical auth or payment code to main
check_circleTriaging legacy codebases for OWASP Top 10 issues during compliance reviews
check_circleJunior developer training — paired diff explanation of real vulnerabilities and fixes

Example output

smart_toySample response

Full Markdown report: Executive Summary, prioritized findings with line numbers, exploit walk-throughs, CVSS scores, ready-to-paste secure replacement code, and 30/60/90-day remediation roadmap.

signal_cellular_altadvanced

Latest Insights

Stay ahead with the latest in prompt engineering.

View blogchevron_right

How to Write System Prompts That Actually Work

Article

person Admin•schedule 5 min read

How to Write System Prompts That Actually Work

System prompts set the rules of the game for every AI interaction. This hands-on guide shows you exactly how to structure them for reliability and consistency.

Claude vs GPT-4o: Which Model Fits Your Use Case?

Article

person Admin•schedule 5 min read

Claude vs GPT-4o: Which Model Fits Your Use Case?

Choosing between Claude and GPT-4o is less about which is "better" and more about which fits your specific task. Here is a practical breakdown.

How Our Design Team Cut Brief-Writing Time by 70% with AI

Article

person Admin•schedule 5 min read

How Our Design Team Cut Brief-Writing Time by 70% with AI

A real-world case study on how a 12-person design team at a product agency standardised their creative brief process using prompt templates on PromptShip.

Why AI Hallucinations Happen (and How to Reduce Them)

Article

person Admin•schedule 5 min read

Why AI Hallucinations Happen (and How to Reduce Them)

Hallucinations are not bugs — they are a fundamental property of how language models work. Understanding why they happen is the first step to minimising them.

The State of AI Coding Assistants in 2026

Article

person Admin•schedule 5 min read

The State of AI Coding Assistants in 2026

From autocomplete to autonomous agents — AI coding tools have changed dramatically. Here is where things stand and what to expect next.

From Idea to Shipped Prompt: A Solo Founder's AI Workflow

Article

person Admin•schedule 5 min read

From Idea to Shipped Prompt: A Solo Founder's AI Workflow

One founder. No team. A dozen AI-powered tools and a tight prompt library. Here is the workflow that runs a bootstrapped SaaS doing $15k MRR.

Recommended Prompts

chatgptshieldTrusted

bookmark

API Security Engineer

Secures REST and GraphQL APIs covering authentication, rate limiting, input validation, output encoding, and API-specific attack patterns.

Configuration & Secrets Management Code Reviewer

Security review of configuration management, secret handling, environment variables, and secrets vault integration.

Third-Party Integration Code Reviewer

Expert review of third-party API integration code covering error handling, retry strategy, webhook validation, and resilience.

Security Test Penetration Scenario Designer

Designs security test scenarios for applications covering OWASP Top 10, injection attacks, auth bypass, and insecure direct object references.

Frontend Code Review Checklist Generator

Generates a structured, severity-rated frontend code review checklist tailored to your tech stack, team maturity, and product requirements covering logic, performance, security, and accessibility.

React Component Architecture Auditor

Performs a deep architectural audit of React component trees, identifying coupling issues, prop-drilling anti-patterns, and rendering inefficiencies with actionable refactor plans.

star 0fork_right 198

bolt

pin_invoke