跳转至

安全提示指南:创建用于安全测试的有效提示 (Prompts)

概述

本指南提供了在使用 AI 进行渗透测试 (penetration testing) 和安全分析时制作有效提示的最佳实践。良好的提示可以带来更准确、更详细和更具可操作性的安全评估。

核心提示工程 (Prompt Engineering) 原则

1. 角色分配

在提示的开头为 AI 分配一个特定的安全专家角色:

You are an experienced penetration tester and security analyst with expertise in web application security, network security, and vulnerability assessment.

2. 明确的任务定义

具体说明您希望 AI 分析或完成的内容:

好 (Good): 

Analyze this web application for SQL injection vulnerabilities in the login form, focusing on input validation and parameterized queries.

差 (Poor): 

Check this app for security issues.

3. 使用 XML 标签进行结构化输入

使用 XML 标签来组织提示的不同组件:

<target>
Application: E-commerce website
URL: https://example-shop.com
Technology: PHP/MySQL
</target>

<scope>
- Authentication mechanisms
- Payment processing
- User data handling
</scope>

<constraints>
- Read-only testing only
- No destructive actions
- Focus on OWASP Top 10
</constraints>

4. 思维链 (Chain of Thought) 推理

要求 AI 解释其推理过程,从而鼓励循序渐进的分析:

Analyze the following code for security vulnerabilities. For each potential issue:
1. Identify the vulnerability type
2. Explain the potential impact
3. Provide a specific remediation recommendation
4. Rate the severity (Critical/High/Medium/Low)

特定于安全的提示模板

漏洞评估模板

You are a senior security consultant performing a comprehensive security assessment.

<target_info>
Application: {{APPLICATION_NAME}}
Technology Stack: {{TECH_STACK}}
Environment: {{ENVIRONMENT}}
</target_info>

<assessment_scope>
{{SCOPE_DETAILS}}
</assessment_scope>

Please analyze the provided information and:
1. Identify potential security vulnerabilities
2. Categorize findings by OWASP Top 10 classification
3. Provide proof-of-concept examples where applicable
4. Suggest specific remediation steps
5. Prioritize findings by risk level

<constraints>
- Follow responsible disclosure principles
- Focus on defensive recommendations
- Provide actionable remediation guidance
</constraints>

Web 应用程序安全评估模板

You are a web application security expert conducting a comprehensive security assessment.

<web_app_info>
Application: {{APPLICATION_NAME}}
URL: {{BASE_URL}}
Technology Stack: {{TECH_STACK}}
Authentication: {{AUTH_METHOD}}
</web_app_info>

<application_scope>
{{PAGES_AND_FUNCTIONALITY}}
</application_scope>

<analysis_focus>
{{SPECIFIC_CONCERNS}}
</analysis_focus>

Analyze the web application and provide:
1. OWASP Top 10 vulnerability assessment
2. Authentication and session management analysis
3. Input validation and output encoding review
4. Business logic flaw identification
5. Client-side security assessment
6. Detailed remediation recommendations with code examples

移动应用程序安全评估模板

You are a mobile security specialist analyzing mobile application security.

<mobile_app_info>
Platform: {{PLATFORM}} (iOS/Android)
Application: {{APP_NAME}}
Version: {{APP_VERSION}}
Architecture: {{ARCHITECTURE}}
</mobile_app_info>

<app_components>
Binary: {{BINARY_INFO}}
Manifest/Info.plist: {{MANIFEST_DATA}}
Network Communications: {{NETWORK_TRAFFIC}}
</app_components>

<analysis_focus>
{{SPECIFIC_CONCERNS}}
</analysis_focus>

Perform mobile security analysis focusing on:
1. Platform-specific security controls (iOS/Android)
2. Data storage security (keychain, shared preferences)
3. Network communication security (certificate pinning, encryption)
4. Authentication and authorization mechanisms
5. Runtime protection and anti-tampering measures
6. Privacy and permission model compliance
7. OWASP Mobile Top 10 assessment

API 安全评估模板

You are an API security expert specializing in REST, GraphQL, and other API technologies.

<api_details>
API Type: {{API_TYPE}}
Base URL: {{API_BASE_URL}}
Authentication: {{AUTH_METHOD}}
Documentation: {{API_DOCS_URL}}
Technology: {{FRAMEWORK}}
</api_details>

<endpoints>
{{ENDPOINT_LIST}}
</endpoints>

<sample_requests>
{{REQUEST_EXAMPLES}}
</sample_requests>

Conduct comprehensive API security assessment covering:
1. Authentication and authorization vulnerabilities
2. Input validation and injection attacks
3. Rate limiting and DoS protection
4. Data exposure and information leakage
5. Business logic vulnerabilities
6. API versioning and deprecation security
7. CORS and cross-origin security policies
8. Provide specific test cases and curl commands for validation

AI 渗透测试提示的最佳实践

应该做的 (Do's)

  • 具体: 包含确切的版本、配置和参数
  • 提供上下文: 解释系统的业务目的和关键性
  • 设置边界: 明确定义测试范围 (in scope) 和范围外 (out of scope)
  • 要求证据: 要求提供具体的示例和概念验证 (PoC) 代码
  • 寻求优先级: 要求基于风险对发现进行排序

不该做的 (Don'ts)

  • 避免模糊的请求: 不要要求通用的“安全检查” (security checks)
  • 不要跳过上下文: 始终提供相关的系统信息
  • 避免是/否问题: 要求进行详细分析
  • 不要忽视合规性: 在提示中考虑监管要求

示例提示场景

场景 1:通用安全测试

You are a security consultant performing a general security assessment.

<target>
Application: {{APPLICATION_NAME}}
Type: {{APPLICATION_TYPE}} (Web/Mobile/API/Desktop)
Technology Stack: {{TECH_STACK}}
Environment: {{ENVIRONMENT}}
</target>

<scope>
{{TESTING_SCOPE}}
</scope>

<constraints>
- Time limit: {{TIME_CONSTRAINT}}
- Access level: {{ACCESS_LEVEL}}
- Compliance requirements: {{COMPLIANCE}}
</constraints>

Conduct a comprehensive security evaluation covering:
1. Common vulnerability patterns for this technology stack
2. Configuration and deployment security
3. Authentication and access control mechanisms
4. Data protection and privacy considerations
5. Security monitoring and logging capabilities

Provide a prioritized list of findings with risk ratings and remediation timelines.

场景 2:带有文档的特定功能测试

You are a security expert testing a specific application feature.

<feature_details>
Feature: {{FEATURE_NAME}}
Functionality: {{FEATURE_DESCRIPTION}}
User Roles: {{USER_ROLES}}
Data Handled: {{DATA_TYPES}}
</feature_details>

<documentation>
Official Documentation: {{DOC_LINKS}}
API Specification: {{API_SPEC}}
Security Guidelines: {{SECURITY_DOCS}}
</documentation>

<test_parameters>
{{SPECIFIC_PARAMETERS}}
</test_parameters>

Focus your security analysis on:
1. Feature-specific vulnerabilities and edge cases
2. Compliance with documented security requirements
3. Proper implementation of security controls per documentation
4. Data flow security throughout the feature lifecycle
5. Integration security with other system components

Cross-reference findings with official documentation and provide specific sections that address or contradict your discoveries.

场景 3:漏洞复测和漏洞赏金报告验证

You are a senior security analyst validating and retesting reported vulnerabilities.

<original_report>
Vulnerability Type: {{VULN_TYPE}}
Severity: {{REPORTED_SEVERITY}}
Reporter: {{REPORTER_INFO}}
Discovery Date: {{DISCOVERY_DATE}}
</original_report>

<vulnerability_details>
{{VULNERABILITY_DESCRIPTION}}
</vulnerability_details>

<proof_of_concept>
{{POC_STEPS}}
</proof_of_concept>

<remediation_claims>
{{CLAIMED_FIXES}}
</remediation_claims>

Perform thorough validation by:
1. Reproducing the original vulnerability using provided PoC
2. Testing variations and edge cases of the reported issue
3. Validating effectiveness of implemented remediation measures
4. Assessing potential bypass techniques for the fix
5. Confirming the actual risk level and business impact
6. Documenting any residual risks or incomplete fixes

Provide a detailed retest report with:
- Vulnerability status (Confirmed/Fixed/Partially Fixed/False Positive)
- Evidence of testing performed
- Risk assessment validation
- Recommendations for additional security measures

提示细化技巧

  1. 迭代和改进: 根据 AI 的响应改进提示
  2. 测试不同的方法: 尝试针对复杂场景使用各种提示结构
  3. 包含示例: 尽可能提供输入/输出示例
  4. 验证结果: 将 AI 的发现与既定的安全框架进行交叉引用
  5. 记录成功的提示: 构建有效提示库以供重复使用

结论

用于安全测试的有效 AI 提示需要清晰的角色定义、结构化的输入和具体的任务说明。通过遵循这些指南和模板,您可以更有效地在渗透测试和安全评估工作流程中利用 AI 工具,同时保持专业标准和道德规范。