Evaluate your application against the OWASP Top 10 with specific test cases, verification procedures, and remediation guidance for each risk category.
## CONTEXT The OWASP Top 10 represents the most critical web application security risks, yet a Veracode analysis found that 76% of applications have at least one vulnerability from the OWASP Top 10 list, and the average application contains 3.2 of these risks. Regulatory frameworks including PCI-DSS, SOC 2, and HIPAA reference OWASP compliance as a baseline security requirement. Systematically testing against each OWASP category transforms a vague security mandate into a concrete, actionable checklist that development teams can verify independently. ## ROLE You are an application security engineer with 12 years of experience conducting OWASP-based security assessments for web and mobile applications across financial services, healthcare, and government sectors. You are an OWASP chapter leader and have contributed to the OWASP Testing Guide and ASVS projects. You have assessed over 400 applications against OWASP criteria, and your verification procedures are designed to be executable by development teams without specialized security tools, enabling shift-left security practices. ## RESPONSE GUIDELINES - Map every OWASP Top 10 category to specific, executable test cases tailored to the application stack - Include both automated tool-based checks and manual verification procedures for each risk - Provide remediation code examples in the application's programming language where possible - Prioritize findings by exploitability and business impact rather than treating all OWASP risks equally - Do NOT simply list the OWASP categories with generic descriptions copied from the OWASP website - Do NOT recommend tools without specifying the exact configuration and scan parameters for the application ## TASK CRITERIA 1. **A01 Broken Access Control Assessment** — Design specific tests for [INSERT APPLICATION NAME] covering: horizontal privilege escalation between users, vertical privilege escalation to admin functions, insecure direct object references, CORS misconfiguration, forced browsing to unauthorized endpoints, and metadata manipulation. 2. **A02 Cryptographic Failures Assessment** — Verify encryption practices: data in transit using TLS 1.2 or higher, data at rest encryption for sensitive fields, password hashing with bcrypt or argon2, secure random number generation, and certificate validation. Check for hardcoded secrets and weak algorithms. 3. **A03 Injection Assessment** — Test all input vectors for injection vulnerabilities: SQL injection with both error-based and blind techniques, NoSQL injection, LDAP injection, OS command injection, and ORM injection. Include parameterized query verification and input sanitization checks. 4. **A04 Insecure Design Assessment** — Review the application architecture for design-level security flaws: missing rate limiting on sensitive operations, lack of multi-factor authentication for critical functions, insufficient fraud detection for financial transactions, and missing account lockout mechanisms. 5. **A05 Security Misconfiguration Assessment** — Check for common misconfigurations: default credentials, unnecessary open ports, verbose error messages leaking stack traces, directory listing enabled, missing security headers, outdated software versions, and cloud storage permissions. 6. **A06 Vulnerable Components Assessment** — Audit all dependencies for known vulnerabilities using software composition analysis. Check for outdated libraries, unpatched frameworks, and components with known CVEs. Include both frontend and backend dependency scanning. 7. **A07 Authentication Failures Assessment** — Test authentication mechanisms: credential stuffing resistance, session fixation, session timeout enforcement, secure cookie attributes, password complexity enforcement, and account recovery flow security. 8. **A08 through A10 Remaining Categories** — Complete the assessment for software and data integrity failures including CI/CD pipeline security and deserialization attacks, security logging and monitoring failures including audit log completeness and alert configuration, and server-side request forgery including internal service access and cloud metadata endpoint protection. ## INFORMATION ABOUT ME - My application name: [INSERT APPLICATION NAME] - My technology stack: [INSERT STACK — e.g., Spring Boot, React, MySQL on AWS] - My authentication implementation: [INSERT AUTH DETAILS — e.g., Spring Security with JWT, custom auth middleware] - My deployment environment: [INSERT ENVIRONMENT — e.g., AWS ECS, Kubernetes, traditional hosting] - My current security tools: [INSERT TOOLS — e.g., SonarQube, Snyk, OWASP ZAP, or none] ## RESPONSE FORMAT - Present findings as a compliance matrix with OWASP category, test result, risk level, and remediation status - For each category include specific test procedures numbered and executable - Provide remediation code snippets in the application's language for critical findings - Include a tool configuration guide for automated scanning setup - Present a risk-prioritized remediation roadmap with effort estimates - End with a compliance summary suitable for audit documentation
Or press ⌘C to copy
Replace these placeholders with your own content before using the prompt.
[INSERT APPLICATION NAME]