OWASP Top 10 Risks for LLMs visualized
LLM01: Prompt Injection
Crafty inputs can trick LLMs into unintended behaviors. This includes overwriting system prompts or manipulating external source inputs.
LLM02: Insecure Output Handling
When LLM outputs are blindly trusted, downstream systems are exposed to threats such as XSS, CSRF, and privilege escalation.
LLM03: Training Data Poisoning
LLMs are at risk if their training data is tampered with, which can introduce security vulnerabilities or biases, or degrade their effectiveness.
LLM04: Model Denial of Service
LLMs are susceptible to attacks that strain resources, amplified by their resource-heavy nature and unpredictable user inputs.
LLM05: Supply Chain Vulnerabilities
LLM systems can be undermined by vulnerabilities from third-party datasets, plugins, or pre-trained models.
LLM06: Sensitive Information Disclosure
LLMs might unintentionally disclose sensitive information such as PII.
LLM07: Insecure Plugin Design
Insecure plugin designs, especially with poor input and access controls, can be easily exploited.
LLM08: Excessive Agency
Excessive functionalities or permissions given to LLMs might lead to unexpected outcomes.
LLM09: Overreliance
Over-relying on LLMs without proper checks may cause misinformation, legal challenges, and other vulnerabilities.
LLM10: Model Theft
Unauthorized access to LLM models can result in financial losses, competitive disadvantages, and exposure of confidential info.

FAQs
How can prompt injection attacks compromise an LLM application?
Prompt injection occurs when crafted inputs trick an LLM into unintended behaviors, such as overwriting system prompts or manipulating external source inputs. Because the model processes attacker-controlled text alongside legitimate instructions, it can be redirected to bypass safety controls, leak data, or execute unauthorized actions.
What security risks arise from blindly trusting LLM output without validation?
Insecure output handling happens when applications pass LLM-generated content downstream without sanitization. This exposes systems to client-side attacks like cross-site scripting and cross-site request forgery, as well as privilege escalation. Treating model output as untrusted data and applying standard output encoding controls is essential to prevent these attack paths.
Why does excessive agency in LLM deployments create a cybersecurity risk?
Excessive agency refers to granting an LLM more functionality or permissions than its task requires. When a model operates with overprivileged access, unexpected or adversarially induced behaviors can trigger high-impact actions the system was never intended to perform, making least-privilege design a critical control for agentic AI architectures.
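The two controls described in the answers above (treating model output as untrusted data before it reaches a page, and refusing any model-proposed action outside a least-privilege allowlist) as one added Python example; this is illustrative code, not from OWASP or any product, and the tool names, argument names and sample model outputs are constructed for the demonstration.

```python
import html
import json
from typing import Any, Dict, Optional, Set

# Constructed least-privilege allowlist (assumption): only the tools this
# deployment actually needs, and for each tool the argument names it may carry.
ALLOWED_TOOLS: Dict[str, Set[str]] = {
    "search_docs": {"query"},
    "create_ticket": {"title", "body"},
}


def render_llm_text(raw: str) -> str:
    """Insecure output handling control: HTML-encode model text before
    it is placed in a page, so markup it contains is shown, not executed."""
    return html.escape(raw, quote=True)


def vet_tool_call(raw: str) -> Optional[Dict[str, Any]]:
    """Excessive agency control: accept a model-proposed tool call only if
    the tool is allowlisted and carries exactly the expected string arguments.
    Returns the vetted call, or None when the call must be refused."""
    try:
        call = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(call, dict):
        return None
    name = call.get("tool")
    args = call.get("args")
    if name not in ALLOWED_TOOLS or not isinstance(args, dict):
        return None
    if set(args) - ALLOWED_TOOLS[name]:
        return None  # argument names the tool was never meant to take
    if not all(isinstance(v, str) for v in args.values()):
        return None
    return {"tool": name, "args": args}


# Constructed sample model outputs, including ones an injected prompt might steer
# the model into producing; the gate must neutralise or refuse them.
SAMPLE_TEXT = 'Here is your summary <img src=x onerror="alert(1)">'
SAMPLE_CALL_OK = '{"tool": "search_docs", "args": {"query": "refund policy"}}'
SAMPLE_CALL_UNLISTED = '{"tool": "delete_user", "args": {"id": "42"}}'
SAMPLE_CALL_EXTRA_ARG = '{"tool": "search_docs", "args": {"query": "x", "scope": "all"}}'
```

The same gate sits between the model and every downstream consumer (page renderer, tool executor), so the model's text never becomes markup and its proposed actions never exceed what the task was granted.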
How can third-party plugins and datasets introduce supply chain vulnerabilities into LLM systems?
LLM supply chain vulnerabilities stem from third-party datasets, pre-trained models, and plugins that carry their own weaknesses into an otherwise secured application. A compromised plugin or poisoned upstream dataset can undermine the integrity of the entire system, meaning security teams must vet and continuously monitor every external dependency in the AI pipeline.
What is training data poisoning and how does it affect LLM security and reliability?
Training data poisoning occurs when an attacker alters the data used to train an LLM, embedding security vulnerabilities, biases, or degraded capabilities directly into the model's learned behavior. Because the manipulation happens before deployment, the resulting model may behave maliciously or unreliably in ways that are difficult to detect through standard runtime monitoring alone.