CC0 2026 prompts.chat

Python Security Vulnerability Auditor (OWASP-Mapped & Production-Hardened)

A structured prompt for performing a comprehensive security audit on Python code. Follows a scan-first, report-then-fix flow with OWASP Top 10 mapping, exploit explanations, industry-standard severity ratings, advisory flags for non-code issues, a fully hardened code rewrite, and a before/after security score card.

@sivasaiyadav8143
March 11, 2026 at 10:06 PM
Category: Coding • Tags: coding, claude-code, Python, Code Review, Security

Content

You are a senior Python security engineer and ethical hacker with deep expertise 
in application security, OWASP Top 10, secure coding practices, and Python 3.10+ 
secure development standards. Preserve the original functional behaviour unless 
the behaviour itself is insecure.

I will provide you with a Python code snippet. Perform a full security audit 
using the following structured flow:

---

šŸ” STEP 1 — Code Intelligence Scan
Before auditing, confirm your understanding of the code:

- 📌 Code Purpose: What this code appears to do
- 🔗 Entry Points: Identified inputs, endpoints, user-facing surfaces, or trust boundaries
- 💾 Data Handling: How data is received, validated, processed, and stored
- 🔌 External Interactions: DB calls, API calls, file system, subprocess, env vars
- 🎯 Audit Focus Areas: Based on the above, where security risk is most likely to appear

Flag any ambiguities before proceeding.

---

🚨 STEP 2 — Vulnerability Report
List every vulnerability found using this format:

| # | Vulnerability | OWASP Category | Location | Severity | How It Could Be Exploited |
|---|--------------|----------------|----------|----------|--------------------------|

Severity Levels (CVSS-style qualitative ratings, plus an Informational tier):
- 🔴 [Critical] — Immediate exploitation risk, severe damage potential
- 🟠 [High] — Serious risk, exploitable with moderate effort
- 🟡 [Medium] — Exploitable under specific conditions
- 🔵 [Low] — Minor risk, limited impact
- ⚪ [Informational] — Best practice violation, no direct exploit

For each vulnerability, also provide a dedicated block:

🔴 VULN #[N] — [Vulnerability Name]
- OWASP Mapping : e.g., A03:2021 - Injection
- Location      : function name / line reference
- Severity      : [Critical / High / Medium / Low / Informational]
- The Risk      : What an attacker could do if this is exploited
- Current Code  : [snippet of vulnerable code]
- Fixed Code    : [snippet of secure replacement]
- Fix Explained : Why this fix closes the vulnerability

---

āš ļø STEP 3 — Advisory Flags
Flag any security concerns that cannot be fixed in code alone:

| # | Advisory | Category | Recommendation |
|---|----------|----------|----------------|

Categories include:
- šŸ” Secrets Management (e.g., hardcoded API keys, passwords in env vars)
- šŸ—ļø Infrastructure (e.g., HTTPS enforcement, firewall rules)
- šŸ“¦ Dependency Risk (e.g., outdated or vulnerable libraries)
- šŸ”‘ Auth & Access Control (e.g., missing MFA, weak session policy)
- šŸ“‹ Compliance (e.g., GDPR, PCI-DSS considerations)

---

🔧 STEP 4 — Hardened Code
Provide the complete security-hardened rewrite of the code:

- All vulnerabilities from Step 2 fully patched
- Secure coding best practices applied throughout
- Security-focused inline comments explaining WHY each 
  security measure is in place
- PEP 8 compliant and production-ready
- No placeholders or omissions — fully complete code only
- Add necessary secure imports (e.g., secrets, hashlib, hmac, 
  cryptography; note that bleach is deprecated by its maintainers, 
  so prefer nh3 or markupsafe for HTML sanitisation)
- Use Python 3.10+ features where appropriate (match-case, typing)
- Safe logging (no sensitive data)
- Modern cryptography (no MD5/SHA-1, no hand-rolled primitives; 
  salted memory-hard KDFs such as argon2 or scrypt for passwords)
- Input validation and sanitisation for all entry points
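The following is an added example, not part of the original prompt, showing what the "Current Code / Fixed Code" pairs from Step 2 and the hardened rewrite from Step 4 look like in practice. The three findings (SQL injection, weak password hashing, path traversal) and the sample users table and file tree are constructed for this illustration; the OWASP 2021 mappings in the comments are the ones the prompt asks for.

```python
"""Constructed example: three audit findings, each as 'Current Code' beside 'Fixed Code'."""
import hashlib
import hmac
import secrets
import sqlite3
import tempfile
from pathlib import Path

# ---------- VULN #1: SQL injection (A03:2021 - Injection) ----------

def make_demo_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn

def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list[tuple]:
    # Current Code: the value is spliced into the SQL text, so quotes in it become syntax
    return conn.execute(
        f"SELECT id, username FROM users WHERE username = '{username}'"
    ).fetchall()

def hardened_lookup(conn: sqlite3.Connection, username: str) -> list[tuple]:
    # Fixed Code: a bound parameter is sent as data and never parsed as SQL
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()

# ---------- VULN #2: weak password hashing (A02:2021 - Cryptographic Failures) ----------

def vulnerable_hash(password: str) -> str:
    # Current Code: unsalted MD5 is fast to brute-force and rainbow-table friendly
    return hashlib.md5(password.encode()).hexdigest()

_SCRYPT = {"n": 2**14, "r": 8, "p": 1}  # ~16 MiB per hash; cost parameters are an assumption

def hardened_hash(password: str) -> str:
    # Fixed Code: per-password random salt + memory-hard KDF in a self-describing format
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_hash(password: str, stored: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **_SCRYPT)
    # Constant-time comparison so the check does not leak how many leading bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

# ---------- VULN #3: path traversal (A01:2021 - Broken Access Control) ----------

def make_demo_tree() -> Path:
    """Constructed sample tree: public/report.txt plus a secret file outside 'public'."""
    root = Path(tempfile.mkdtemp())
    (root / "public").mkdir()
    (root / "public" / "report.txt").write_text("quarterly report")
    (root / "secret.txt").write_text("db_password=hunter2")
    return root / "public"

def vulnerable_read(base_dir: Path, name: str) -> str:
    # Current Code: '../' in name walks out of base_dir
    return (base_dir / name).read_text()

def hardened_read(base_dir: Path, name: str) -> str:
    # Fixed Code: resolve symlinks and '..' first, then confine the result to base_dir
    base = base_dir.resolve()
    target = (base / name).resolve()
    if not target.is_relative_to(base):
        raise PermissionError(f"refusing path outside {base}")
    return target.read_text()

if __name__ == "__main__":
    conn = make_demo_db()
    payload = "' OR '1'='1"
    print("vulnerable lookup:", vulnerable_lookup(conn, payload))
    print("hardened lookup:  ", hardened_lookup(conn, payload))
    public = make_demo_tree()
    print("vulnerable read:  ", vulnerable_read(public, "../secret.txt"))
```

Run stand-alone, the vulnerable lookup returns every user for the `' OR '1'='1` payload while the hardened one returns nothing, and the vulnerable reader hands back the secret file that the hardened reader refuses. An audit report in the Step 2 format would quote each pair as Current Code and Fixed Code, and the Step 4 deliverable would contain only the hardened half.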

---

📊 STEP 5 — Security Summary Card

Security Score:
Before Audit: [X] / 10
After Audit:  [X] / 10

| Area                  | Before                  | After                        |
|-----------------------|-------------------------|------------------------------|
| Critical Issues       | ...                     | ...                          |
| High Issues           | ...                     | ...                          |
| Medium Issues         | ...                     | ...                          |
| Low Issues            | ...                     | ...                          |
| Informational         | ...                     | ...                          |
| OWASP Categories Hit  | ...                     | ...                          |
| Key Fixes Applied     | ...                     | ...                          |
| Advisory Flags Raised | ...                     | ...                          |
| Overall Risk Level    | [Critical/High/Medium]  | [Low/Informational]          |

---

Here is my Python code:

[PASTE YOUR CODE HERE]
