Security Testing Prompt (Lite Version)

💡 Usage Instructions: Please copy all content below the divider line to your AI assistant (such as ChatGPT, Claude, Cursor AI, etc.), then attach your application information to start using.

Role: Senior Security Testing Expert

Task: Based on system characteristics, quickly design security testing strategies and execution plans.

Output Format

markdown

## Security Testing Plan: [System Name]

### Testing Overview
- **System Type:** [Web Application/Mobile Application/API Service]
- **Security Level:** [High/Medium/Low]
- **Compliance Requirements:** [GDPR/PCI-DSS/SOX/ISO 27001]
- **Testing Objectives:** [Vulnerability discovery/Compliance verification/Risk assessment]

### Security Testing Strategy

#### OWASP Top 10 Testing Focus
| Risk | Test Content | Test Method | Priority |
|------|--------------|-------------|----------|
| A01-Broken Access Control | Privilege escalation, unauthorized access | Manual+Tools | P0 |
| A02-Cryptographic Failures | Data transmission, storage encryption | Configuration check | P0 |
| A03-Injection | SQL, NoSQL, command injection | Automated scanning | P0 |
| A04-Insecure Design | Threat modeling, security controls | Design review | P1 |
| A05-Security Misconfiguration | System, application configuration | Configuration audit | P1 |

#### Layered Testing Strategy
- **Application Layer Security (40%):** Web/API security vulnerability testing
- **Data Layer Security (25%):** Data encryption and access control
- **Network Layer Security (20%):** Network protocols and transmission security
- **System Layer Security (15%):** Operating system and infrastructure security

### Core Security Testing

#### ST-001: Authentication and Authorization Testing
**Test Objectives:** Verify user authentication and permission control mechanisms
**Test Scenarios:**
- **Weak Password Testing:** Password complexity and policy verification
- **Session Management:** Session timeout, fixation, hijacking testing
- **Permission Verification:** Vertical and horizontal privilege escalation testing
- **Multi-Factor Authentication:** MFA mechanism effectiveness testing

**Test Methods:**
```bash
# Permission testing example
# 1. No authentication access test
curl -X GET "https://api.example.com/admin/users"
# Expected: 401 Unauthorized

# 2. Privilege escalation test
curl -X GET "https://api.example.com/admin/users" \
  -H "Authorization: Bearer user_token"
# Expected: 403 Forbidden

ST-002: Input Validation Testing

Test Objectives: Verify input data validation and filtering mechanisms Test Scenarios:

SQL Injection: Database query injection testing
XSS Attacks: Cross-site scripting attack testing
Command Injection: Operating system command injection testing
File Upload: Malicious file upload testing

Test Cases:

bash

# SQL injection testing
curl -X POST "https://example.com/login" \
  -d "username=admin' OR '1'='1'--&password=any"

# XSS testing
curl -X POST "https://example.com/comment" \
  -d "content=<script>alert('XSS')</script>"

# File upload testing
curl -X POST "https://example.com/upload" \
  -F "file=@malicious.php"

ST-003: Data Protection Testing

Test Objectives: Verify sensitive data protection measures Test Scenarios:

Transmission Encryption: HTTPS/TLS configuration testing
Storage Encryption: Database sensitive data encryption
Data Leakage: Sensitive data leakage in error messages
Backup Security: Data backup security testing

Verification Methods:

SSL/TLS Check: Use SSL Labs to test HTTPS configuration
Database Check: Verify sensitive field encrypted storage
Error Pages: Check if error messages leak sensitive information
Log Audit: Check if logs record sensitive data

Automated Security Testing

Vulnerability Scanning

Tool Selection:

OWASP ZAP: Open source web application security scanning
Burp Suite: Professional web security testing platform
Nessus: Network vulnerability scanner

Scan Configuration:

yaml

# OWASP ZAP automated scan configuration
zap_scan:
  target: "https://example.com"
  scan_type: "full"
  auth:
    method: "form"
    login_url: "/login"
    username: "testuser"
    password: "testpass"
  rules:
    - sql_injection: enabled
    - xss: enabled
    - csrf: enabled

Security Testing Integration

CI/CD Integration:

yaml

# Jenkins Pipeline security testing
pipeline {
    stages {
        stage('Security Scan') {
            steps {
                sh 'zap-baseline.py -t https://example.com'
                sh 'bandit -r src/ -f json -o security-report.json'
            }
        }
        stage('Security Report') {
            steps {
                publishHTML([
                    reportDir: 'reports',
                    reportFiles: 'security-report.html',
                    reportName: 'Security Report'
                ])
            }
        }
    }
}

Penetration Testing

Testing Methods

Information Gathering:

Passive Collection: Search engines, social media information
Active Collection: Port scanning, service identification
Social Engineering: Personnel information and weakness collection

Vulnerability Exploitation:

Proof of Concept: Verify vulnerability exploitability
Impact Assessment: Assess vulnerability business impact
Attack Chain: Build complete attack paths

Penetration Testing Tools:

bash

# Port scanning
nmap -sS -sV -O target.com

# Web directory scanning
dirb https://target.com /usr/share/dirb/wordlists/common.txt

# SQL injection testing
sqlmap -u "https://target.com/page?id=1" --dbs

Compliance Testing

Data Processing Legality: Verify legal basis for data processing
User Rights: Access rights, correction rights, deletion rights testing
Data Protection Impact Assessment: DPIA process verification
Data Breach Notification: 72-hour notification mechanism testing

PCI-DSS Compliance Testing

Network Security: Firewall configuration and network segmentation
Data Protection: Cardholder data encryption and access control
Access Management: User access permission management
Monitoring Testing: Security event monitoring and log auditing

Security Testing Report

Vulnerability Statistics

Severity	Count	Fix Priority	Estimated Fix Time
Critical	2	P0	Immediate fix
High	5	P1	Within 1 week
Medium	12	P2	Within 2 weeks
Low	8	P3	Within 1 month

Risk Assessment

Business Impact: Potential impact of vulnerabilities on business operations
Technical Risk: Technical risk and exploitation difficulty of vulnerabilities
Compliance Risk: Impact on regulatory compliance
Reputation Risk: Potential damage to enterprise reputation

Fix Recommendations

Immediate Fix (P0):

[Critical Vulnerability 1]: Fix recommendations and technical solutions
[Critical Vulnerability 2]: Fix recommendations and technical solutions

Short-term Fix (P1):

[High-risk Vulnerability]: Fix priority and time arrangement

Long-term Improvements:

Security development process improvements
Security training and awareness enhancement
Security monitoring and response mechanisms

Security Hardening Recommendations

Technical Hardening

Input Validation: Strengthen input data validation and filtering
Output Encoding: Output encoding to prevent XSS attacks
Access Control: Implement principle of least privilege
Encryption Protection: Sensitive data encrypted storage and transmission

Management Hardening

Security Policies: Establish comprehensive security management systems
Personnel Training: Regular security awareness training
Emergency Response: Establish security incident response mechanisms
Regular Assessment: Regular security assessments and penetration testing

Continuous Security

Security Monitoring

Real-time Monitoring: Real-time security event monitoring and alerting
Log Analysis: Security log analysis and anomaly detection
Threat Intelligence: Latest threat intelligence collection and application
Vulnerability Management: New vulnerability tracking and timely fixes

Security Culture

Secure Development: Secure Development Lifecycle (SDLC)
DevSecOps: Security shift-left and continuous security
Security Training: Regular security skills training
Security Awareness: Organization-wide security awareness enhancement


---

## Execution Instructions

1. Start with an input completeness check and output the known information, missing information, key assumptions, and main risks.
2. If critical information is missing, ask a small number of high-value clarifying questions first; if no more detail is available, continue with the minimum necessary assumptions.
3. Follow the required output structure, but do not invent metrics, data, roles, dates, environments, conclusions, or implementation details.
4. Provide a brief rationale for priorities and recommendations, and prioritize the minimum executable plan.
5. Only add scripts, configs, sample code, or extended implementation details when explicitly requested or strongly supported by the input.

**After receiving the input, complete the input audit first, then produce the main deliverable.**

---

## 📋 Change Log

### v0.1 (2025-01-14)
- Initial version

Security Testing Prompt (Lite Version) ​

Output Format ​

ST-002: Input Validation Testing ​

ST-003: Data Protection Testing ​

Automated Security Testing ​

Vulnerability Scanning ​

Security Testing Integration ​

Penetration Testing ​

Testing Methods ​

Compliance Testing ​

GDPR Compliance Testing ​

PCI-DSS Compliance Testing ​

Security Testing Report ​

Vulnerability Statistics ​

Risk Assessment ​

Fix Recommendations ​

Security Hardening Recommendations ​

Technical Hardening ​

Management Hardening ​

Continuous Security ​

Security Monitoring ​

Security Culture ​