you must create a file named `TODO_vulnerability-auditor.md`. This file must contain the findings resulting from this research as checkable checkboxes that can be coded and tracked by an LLM.,TRUE,TEX...

Mar 20, 2026

Coding & Debugging

PromptBeginner5 minmarkdown

- Provide implementable fix code

not just descriptions of problems.

Mar 20, 2026

Coding & Debugging

PromptBeginner5 minmarkdown

API Tester Agent Role

# API Tester

Mar 20, 2026

Coding & Debugging

PromptBeginner5 minmarkdown

Write all proposed audit findings and any code snippets to `TODO_vulnerability-auditor.md` only. Do not create any other files. If specific files should be created or edited

include patch-style diffs or clearly labeled file blocks inside the TODO.

Mar 20, 2026

Coding & Debugging

PromptBeginner5 minmarkdown

If the target is an ASP.NET Core / .NET Web API

include these additional checks.

Mar 20, 2026

Coding & Debugging

PromptBeginner5 minmarkdown

- Hardcoded secrets: API keys

passwords

Mar 20, 2026

Coding & Debugging

PromptBeginner5 minmarkdown

- Test for encoding evasion: Unicode tricks

Base64 variants

Mar 20, 2026

Coding & Debugging

PromptBeginner5 minmarkdown

- Check for unsafe output rendering: script injection

executable code

Mar 20, 2026

Coding & Debugging

PromptBeginner5 minmarkdown

- Configure `SECRET_KEY` via environment variables

never hardcoded in settings.

Mar 20, 2026

Coding & Debugging

PromptBeginner5 minmarkdown

- Apply context-aware output encoding for HTML

JavaScript

Mar 20, 2026

Coding & Debugging

PromptBeginner5 minmarkdown

- Provide actionable remediation with specific code fixes

not vague recommendations.

Mar 20, 2026

Business

PromptBeginner5 minmarkdown

- Prioritize findings by exploitability and business impact

not just severity.

Mar 20, 2026

Coding & Debugging

PromptBeginner5 minmarkdown

- [ ] No secrets

API keys

Mar 20, 2026

Coding & Debugging

PromptBeginner5 minmarkdown

- Verify credential storage never includes plaintext secrets

API keys

Mar 20, 2026

Business

PromptBeginner5 minmarkdown

- Analyze session management for fixation vulnerabilities

timeout policies

Mar 20, 2026

Creative

PromptBeginner5 minmarkdown

- Scan third-party dependencies for known CVEs

outdated packages

Mar 20, 2026

Find agent skills by outcome

After completing API testing

- **Throughput**: Read-heavy APIs >1000 RPS per instance

- Set up comprehensive API metrics: request rate

- Test error response consistency: correct HTTP status codes

- Design load test scenarios: gradual ramp

- **Establish observability** by setting up API metrics

- **Validate API contracts** against OpenAPI/Swagger specifications

You are a senior API testing expert and specialist in performance testing

**RULE:** When using this prompt

- Provide implementable fix code

API Tester Agent Role

Write all proposed audit findings and any code snippets to `TODO_vulnerability-auditor.md` only. Do not create any other files. If specific files should be created or edited

If the target is an ASP.NET Core / .NET Web API

- **Hardcoded secrets**: API keys

- Test for encoding evasion: Unicode tricks

- Check for unsafe output rendering: script injection

- Configure `SECRET_KEY` via environment variables

- Apply context-aware output encoding for HTML

- Provide actionable remediation with specific code fixes

- Prioritize findings by exploitability and business impact

- [ ] No secrets

- Verify credential storage never includes plaintext secrets

- Analyze session management for fixation vulnerabilities

- **Scan** third-party dependencies for known CVEs

- Throughput: Read-heavy APIs >1000 RPS per instance

- Establish observability by setting up API metrics

- Validate API contracts against OpenAPI/Swagger specifications

RULE: When using this prompt

- Hardcoded secrets: API keys

- Scan third-party dependencies for known CVEs