« All posts

AI Code Audit: 15 Security Flaws Claude Found in Production

An LLM-based security audit uncovered 15 OWASP-classified flaws-SQL/NoSQL injection, IDOR, path traversal-each shown with vulnerable and fixed code.

Traditional security audits typically take two to three weeks and cost upward of $10,000, but an LLM can compress that process into a few hours by scanning for vulnerability patterns rather than matching specific CVEs. Applying this method to production code surfaced 15 flaws classified under OWASP Top 10 (2021), each documented with vulnerable code, a fixed version, and a description of the attack vector.

The audit follows a three-pass methodology: a broad initial scan, deep contextual analysis of each finding within middleware, ORM, and framework layers, and a final manual verification step to filter out false positives. Among the most frequent issues were SQL injection appearing even in ORM-based projects that fall back to raw queries for complex filters, NoSQL injection exploiting MongoDB's $ne operator to bypass authentication, and command injection through unsanitized input passed to exec().

On the access-control side, the audit flagged IDOR vulnerabilities allowing access to other users' records via sequential IDs, path traversal in file-serving endpoints, and mass assignment bugs letting API clients overwrite sensitive fields like user roles. Recommended fixes rely on concrete engineering practices: parameterized queries, whitelist-based validation, execFile instead of shell execution, ownership checks, and field-level allowlists.

For engineers, the exercise demonstrates that LLM-assisted security scanning can serve as a fast, scalable first-pass filter, though manual review remains essential due to false positives. Structured prompt design-defining output format and prioritizing vulnerability categories-directly affects the quality of the audit's findings.

» SourceDev.to