20 of the best prompts for identifying security vulnerabilities in code, step by step across 4 stages. Works with ChatGPT, Claude, and Gemini.
20 of the best prompts for identifying security vulnerabilities in code, step by step across 4 stages. Works with ChatGPT, Claude, and Gemini.
Getting Identifying Security Vulnerabilities in Code right takes more than a single prompt. This 4-stage guide covers Diagnose the Wall, Isolate and Fix, Verify the Resolution, and more, breaking the whole process into focused steps where each prompt builds on the last. Generated code may introduce SQL injection, XSS, or path traversal vulnerabilities, which can compromise application security. If left unaddressed, these vulnerabilities can lead to data breaches and loss of user trust. By following this guide, developers can ensure their applications are secure and robust against common web vulnerabilities. Every prompt is optimized and runs in ChatGPT, Claude, and Gemini.
Check the output logs for any warnings or errors related to security vulnerabilities, especially during code generation. Focus on the generated SQL queries and user input handling.
Quote Generated SQL Queries
Please quote the exact SQL query generated in the last output. Identify any user inputs within the query that are not properly sanitized and highlight the specific line where the potential vulnerability may occur. Additionally, provide a brief explanation of why this represents a security risk and suggest how to properly sanitize the inputs to mitigate the vulnerability.
Paste Security Logs
Please analyze the following security logs from the last build output: [SECURITY LOGS]. Focus specifically on entries that indicate potential SQL injection or XSS vulnerabilities. For each identified entry, provide context around it, including the nature of the vulnerability, potential impact, and any recommendations for mitigation. Format your response as a detailed report with sections for each vulnerability identified.
Interpret Last Instruction
Please interpret the last instruction regarding security measures related to user inputs and database interactions. Explain your understanding of the security protocols that should be in place, including how you will validate and sanitize user inputs, and outline the steps you will take to ensure secure database interactions. Provide a detailed plan that includes potential vulnerabilities to watch for and the measures you will implement to mitigate these risks.
Expected vs. Actual Security Behavior
Please provide a detailed comparison of expected security behaviors versus the actual output in the context of security vulnerabilities. Specifically, outline how user inputs should be sanitized according to best practices, and then identify how the generated code deviates from these expectations. Format your response in a table with two columns: one for "Expected Security Behavior" and another for "Actual Output Deviation," and include examples where applicable.
Identify Violated Security Constraints
Please analyze the last output for security vulnerabilities and identify the specific security constraints that were violated. For each violation, quote the exact clause from the security guidelines that was not adhered to during the code generation process. Present your findings in a structured format, including the violation description and the corresponding guideline clause.
Target the specific sections of code that are introducing vulnerabilities, particularly around user input handling and database queries.
Sanitize User Inputs
Please review the function located at [FILE] on line [LINE] and implement input sanitization for user inputs. Ensure that all inputs are properly validated and escaped before they are used in SQL queries. After making the necessary changes, provide the modified code along with a brief explanation of the sanitization methods used and their importance in preventing security vulnerabilities.
Rewrite Vulnerable SQL Queries
Rewrite the SQL query located in [FILE] at line [LINE] to utilize parameterized statements instead of string concatenation. This change is crucial to prevent SQL injection vulnerabilities. Please present both the original query and the revised version side by side for comparison.
Scope Changes to Security Functions
Please modify the function located at [FILE]:[LINE] to implement strict validation rules for user inputs. Ensure that only the expected formats and types are permitted. After making the changes, provide the updated code for the function along with a brief explanation of the modifications made and the reasoning behind enforcing these validation rules.
Enforce Output Encoding
Please review the rendering function located at [FILE]:[LINE] and ensure that all output is properly encoded to prevent XSS attacks. Provide the updated code snippet that includes the necessary changes for secure output encoding. Additionally, explain why these changes are important for security.
Correct Path Traversal Logic
Review the file handling logic in [FILE] at line [LINE] to identify and correct any path traversal vulnerabilities. Explain how the current implementation allows for potential manipulation of file paths by user inputs. Provide the corrected code logic along with a brief explanation of how it mitigates the identified vulnerabilities.
Confirm that the security vulnerabilities have been addressed and that the application behaves as expected without introducing new issues.
Run Security Tests
Please run a security test on the application to verify that SQL injection and XSS vulnerabilities have been resolved. Include detailed test results, highlighting any remaining issues or vulnerabilities discovered during the testing process. Format the output as a summary report, including the specific tests conducted, their outcomes, and recommendations for any further actions needed.
Show Code Diff for Changes
Please provide the code diff for the changes made to [FILE] that address security vulnerabilities. Ensure to highlight any lines that were added or modified in the code. Additionally, include a brief explanation of the significance of these changes in relation to improving security.
Replay Vulnerable Scenario
Please replay the scenario that previously exposed vulnerabilities in the application. Confirm whether the application still exhibits the same security issues by providing a detailed analysis of the results. Include any discrepancies found, the steps taken during the replay, and a summary of the current security status in your report.
Check Edge Cases for Security
Please verify the resolution of security vulnerabilities by testing edge cases related to user inputs in the application. Identify any unexpected behaviors that may indicate potential security issues and document your findings in a report. Include specific examples of the edge cases tested, the results of each test, and recommendations for addressing any vulnerabilities discovered.
Confirm Output State
Please verify the security status of the output from [FILE]. Confirm whether it is now secure and does not expose any vulnerabilities. Include a detailed report of the output state, highlighting any potential issues that were identified and how they were resolved, along with recommendations for maintaining security moving forward.
Implement reusable artefacts that ensure security best practices are followed in future code generations.
Input Validation Constraint
Before generating code, validate all user inputs against a strict schema. If any input fails validation, stop and alert the developer before continuing. Never generate code without input validation.
Security Best Practices Template
Create a conversation-starter template that outlines essential security best practices. Include the following points: 'Always sanitize user inputs, use parameterized queries, and encode outputs.' Additionally, specify that if any of these practices are not followed, the system should stop and notify the developer. Format this as a checklist for easy reference, ensuring clarity and conciseness in each item.
Security Review Message
Draft a project specification message that mandates security reviews for all code before deployment. The message should clearly state: "All code must undergo a security review before deployment. This review must include checks for SQL injection, XSS, and path traversal vulnerabilities." Ensure the message is concise and emphasizes the importance of security in the development process.
Naming Convention for Secure Functions
Establish a naming convention for functions that handle user inputs to enhance security. All functions that process user inputs must start with 'SECURE_' to indicate they include validation and sanitization. Please provide a detailed guideline on how to implement this naming convention, including examples of function names that adhere to this standard and any additional best practices for secure coding.
Self-Check for Security Compliance
Create a self-check request for the agent to run before code generation. The request should ensure that all security constraints are met. If any constraints are violated, the agent should stop the process and report the specific issues found. Format the self-check request as follows: 'Before code generation, check that all security constraints are met. If any constraints are violated, stop and report the issue.'
Ensure that all SQL queries use parameterized statements. Bolt's code generation may not automatically enforce this, so you must explicitly define this in your database interaction functions.
Always encode output when rendering user inputs in your Bolt app. If the generated code does not include output encoding, it can lead to XSS vulnerabilities.
Bolt may not enforce strict input validation by default, which can lead to vulnerabilities. You should implement validation checks explicitly in your code to ensure security.
Common pitfalls include failing to sanitize user inputs and not using secure coding practices. Bolt's sandboxed environment may not catch these issues unless explicitly addressed.
Run security tests and code reviews before deployment. Bolt does not automatically check for vulnerabilities, so it's crucial to implement these checks manually.
AI Prompts for Preventing Security Vulnerabilities in Code
The generated code is introducing SQL injection, XSS, or path traversal vulnerabilities, which can compromise application security.
See promptsAI Prompts for Eliminating Security Vulnerabilities in Code
Cursor-generated code can introduce SQL injection, XSS, or path traversal vulnerabilities, which compromise application security.
See promptsAI Prompts for Preventing Security Vulnerabilities in Code
Windsurf sometimes introduces SQL injection, XSS, or path traversal vulnerabilities in generated code, which can lead to severe security breaches.
See prompts