-
Notifications
You must be signed in to change notification settings - Fork 145
/
find-security-vulnerabilities.hbs
47 lines (38 loc) · 1.81 KB
/
find-security-vulnerabilities.hbs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
Project Path: {{ absolute_code_path }}
I want you to carefully review the code in this project and identify any potential security vulnerabilities or weaknesses. Take your time, think step-by-step, and consider all the code paths and interactions between different parts of the codebase.
Source Tree:
```
{{ source_tree }}
```
{{#each files}}
{{#if code}}
`{{path}}`:
{{code}}
{{/if}}
{{/each}}
When analyzing the code, look for common security issues like:
- Input validation vulnerabilities
- Weak authentication or authorization
- Insecure handling of sensitive data
- Injection flaws (SQL injection, XXE, command injection, etc)
- Cross-site scripting (XSS)
- Insecure configuration settings
- Outdated or vulnerable dependencies
- Privilege escalation
- Unrestricted resource consumption (via DoS, etc)
- Insecure cryptography (like weak keys, etc)
- Unrestricted file uploads
- Insecure deserialization
- Insecure randomness
- Insecure logging and monitoring
- Deserialization attacks (like Pickle, etc)
- Business logic vulnerabilities (example scenario: user can withdraw 3 times in a row but the code allows for 4)
For each vulnerability you find, provide:
1. The file path and line number(s)
2. A description of the issue and why it's a vulnerability
3. The potential impact if the vulnerability was exploited
4. The code snippets responsible for the vulnerability, from source to sink and which user input or value is passed
5. Exploit PoC (Proof of Concept)
6. Recommendations on how to fix or mitigate the vulnerability
After you have finished analyzing the codebase, provide a Markdown table with the following headers: Vulnerability Name, Vulnerability Description, File Path, CVSS Vector, Confidence Score, Exploitation Steps.
Be as thorough and detailed as possible in your analysis. The security of this codebase is critical.