OWASP Top 10 For LLMs 2023 Slides v1.0
VERSION 1.0
Published: August 1, 2023
| OWASP Top 10 for LLM v1.0
LLM01
Prompt Injection

Attackers can manipulate LLMs through crafted inputs, causing the model to execute the attacker's intentions. This can be done directly by adversarially prompting the system prompt or indirectly through manipulated external inputs, leading to data exfiltration, social engineering, and other issues.

EXAMPLES
Direct prompt injections overwrite system prompts

PREVENTION
Enforce privilege control on LLM access to backend systems
Establish trust boundaries between the LLM, external sources, and extensible functionality.

ATTACK SCENARIOS
An attacker provides a direct prompt injection to an LLM-based support chatbot
An attacker embeds an indirect prompt injection in a webpage
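The privilege-control advice above can be sketched as a per-role tool allowlist, so an injected prompt cannot invoke backend actions the user's session was never granted. The role and tool names here are hypothetical, not part of the OWASP material:

```python
# Minimal sketch: enforce privilege control by checking every LLM-requested
# backend action against a per-role allowlist. Roles and tools are illustrative.

ROLE_ALLOWED_TOOLS = {
    "support_user": {"search_faq", "create_ticket"},
    "admin": {"search_faq", "create_ticket", "refund_order"},
}

def authorize_tool_call(role: str, tool_name: str) -> bool:
    """Return True only if this role may invoke the tool the LLM requested."""
    return tool_name in ROLE_ALLOWED_TOOLS.get(role, set())
```

The key design choice is that authorization is decided by deterministic application code, never by the model's own output.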
LLM02
Insecure Output Handling

Insecure Output Handling is a vulnerability that arises when a downstream component blindly accepts large language model (LLM) output without proper scrutiny. This can lead to XSS and CSRF in web browsers as well as SSRF, privilege escalation, or remote code execution on backend systems.

EXAMPLES
LLM output is entered directly into a system shell or similar function, resulting in remote code execution

PREVENTION
Apply proper input validation on responses coming from the model to backend functions
Encode output coming from the model back to users to mitigate undesired code interpretations.

ATTACK SCENARIOS
An application directly passes the LLM-generated response into an internal function responsible for executing system commands without proper validation
A user utilizes a website summarizer tool powered by an LLM to generate a concise summary of an article, which includes a prompt injection
An LLM allows users to craft SQL queries for a backend database through a chat-like feature.
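Both prevention points can be illustrated in a few lines: encode model output before it reaches a browser, and never hand raw model output to a shell. The command allowlist below is a hypothetical example, not an OWASP recommendation of specific commands:

```python
import html
import shlex

def render_llm_output(text: str) -> str:
    """Encode model output before echoing it into an HTML page,
    so injected <script> tags render as inert text (mitigates XSS)."""
    return html.escape(text)

ALLOWED_COMMANDS = {"date", "uptime"}  # illustrative allowlist

def validate_shell_request(llm_output: str):
    """Never pass raw model output to a shell; tokenize it and check
    the command against an allowlist before executing anything."""
    argv = shlex.split(llm_output)
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        raise ValueError(f"command not permitted: {llm_output!r}")
    return argv
```

Rejecting by default and allowing known-safe commands is the safer posture than trying to blocklist dangerous ones.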
LLM03
Training Data Poisoning

Training Data Poisoning refers to manipulating the data used to train or fine-tune a model in order to introduce vulnerabilities, backdoors, or biases. This risks performance degradation and downstream exploitation.

PREVENTION
Verify the legitimacy of targeted data sources during both the training and fine-tuning stages

ATTACK SCENARIOS
A malicious user of the application may try to influence and inject toxic data into the model
LLM04
Model Denial of Service

Model Denial of Service occurs when an attacker interacts with an LLM in a way that consumes an exceptionally large amount of resources, resulting in a decline in the quality of service for them and other users, as well as potentially incurring high resource costs.

EXAMPLES
Continuous input overflow: An attacker sends a stream of input to the LLM that exceeds its context window

PREVENTION
Implement input validation and sanitization to ensure input adheres to defined limits
Limit the number of queued actions and the number of total actions in a system reacting to LLM responses

ATTACK SCENARIOS
Attackers send multiple requests to a hosted model that are difficult and costly for it to process
Attackers overwhelm the LLM with input that exceeds its context window.
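The two prevention measures above amount to simple admission control before a request ever reaches the model. The specific limits below are illustrative placeholders, not OWASP-prescribed values:

```python
MAX_INPUT_CHARS = 4_000   # stand-in for the model's context budget
MAX_QUEUED_ACTIONS = 5    # illustrative cap on queued follow-up actions

def admit_request(text: str, queued_actions: int) -> str:
    """Reject oversized input and cap queued actions so a single client
    cannot exhaust model capacity or run up resource costs."""
    if queued_actions >= MAX_QUEUED_ACTIONS:
        raise RuntimeError("action queue full; try again later")
    if len(text) > MAX_INPUT_CHARS:
        raise ValueError("input exceeds allowed size")
    return text
```

In production these checks would typically sit behind a rate limiter as well, so repeated costly requests are throttled per client.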
LLM05
Supply Chain Vulnerabilities

Supply chain vulnerabilities in LLMs can compromise training data, models, and deployment platforms, causing biased results, security breaches, or system failures. Such vulnerabilities can stem from outdated software, poisoned pre-trained models, and insecure plugin designs.

EXAMPLES
Using outdated third-party packages
Publicly available models are poisoned to spread misinformation

PREVENTION
Vet data sources and use independently-audited security systems
Use model and code signing for external models
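A minimal form of the model-signing advice is integrity verification: compare a downloaded artifact against a checksum published out-of-band and refuse to load it on mismatch. This is a sketch of checksum checking only; full code signing additionally involves verifying a cryptographic signature:

```python
import hashlib
from pathlib import Path

def verify_model_checksum(path: Path, expected_sha256: str) -> bool:
    """Hash a downloaded model artifact and compare it to a checksum
    obtained from a trusted, separate channel; load only on a match."""
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return digest == expected_sha256
```

For large model files, hashing in chunks rather than with a single read_bytes() avoids holding the whole artifact in memory.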
LLM06
Sensitive Information Disclosure

LLM applications can inadvertently disclose sensitive information, proprietary algorithms, or confidential data, leading to unauthorized access, intellectual property theft, and privacy breaches. To mitigate these risks, LLM applications should perform adequate data sanitization and enforce strict access policies.

EXAMPLES
Incomplete filtering of sensitive data in responses
Overfitting or memorizing sensitive data during training

PREVENTION
Use data sanitization and scrubbing techniques
Implement robust input validation and sanitization
Limit access to external data sources
Apply the rule of least privilege when training models
Maintain a secure supply chain and strict access control.

ATTACK SCENARIOS
Legitimate user exposed to other user data via LLM
Crafted prompts used to bypass input filters and reveal sensitive data
Personal data leaked into the model via training data increases risk.
LLM07
Insecure Plugin Design

Plugins can be prone to malicious requests leading to harmful consequences like data exfiltration, remote code execution, and privilege escalation due to insufficient access controls and improper input validation. Developers must follow robust access control guidelines.

EXAMPLES
Plugins accepting all parameters in a single text field or raw SQL or programming statements
Plugins that perform actions without additional authorization.

PREVENTION
Enforce strict parameterized input and perform type and range checks
Conduct thorough inspections and tests including SAST, DAST, and IAST
Use appropriate authentication identities and API Keys for authorization and access control
Require manual user authorization for actions taken by sensitive plugins.

ATTACK SCENARIOS
Attackers craft requests to inject their own content with controlled domains
Attacker stages a SQL attack via a plugin accepting SQL WHERE clauses as advanced filters.
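The parameterized-input guidance contrasts directly with the WHERE-clause scenario above: the plugin should accept only a typed value, keep the query shape fixed, and bind the value as a parameter. The table and range limits below are hypothetical:

```python
import sqlite3

def search_products(conn: sqlite3.Connection, max_price):
    """Plugin-style handler: the LLM supplies a single typed value, never a
    raw SQL fragment; the statement is fixed and the value is bound safely."""
    if not isinstance(max_price, (int, float)) or not (0 <= max_price <= 10_000):
        raise ValueError("max_price out of range")  # type and range check
    cur = conn.execute(
        "SELECT name, price FROM products WHERE price <= ?", (max_price,)
    )
    return cur.fetchall()
```

A string such as "0 OR 1=1" fails the type check outright, and even a string that slipped through would be treated as an inert bound value, not executable SQL.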
LLM08
Excessive Agency

Excessive Agency arises when an LLM-based system is granted more functionality, permissions, or autonomy than it needs, enabling damaging actions to be performed in response to unexpected or manipulated LLM outputs.

EXAMPLES
An LLM agent accesses unnecessary functions from a plugin
An LLM plugin fails to filter unnecessary input instructions

PREVENTION
Implement authorization in downstream systems

ATTACK SCENARIOS
An LLM-based personal assistant app with excessive permissions and autonomy is tricked by a malicious email into sending spam. This could be prevented by limiting functionality, permissions, requiring user approval, or implementing rate limiting.
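The user-approval mitigation in the scenario above can be sketched as a dispatcher that executes an LLM-proposed action only if the tool is registered, and demands explicit user approval for anything marked sensitive. Tool names and the sensitive set are hypothetical:

```python
# Illustrative tool registry: sending mail is a sensitive, user-visible action.
SENSITIVE = {"send_email"}
TOOLS = {
    "read_inbox": lambda: "3 unread messages",
    "send_email": lambda: "sent",
}

def dispatch(action: str, user_approved: bool = False) -> str:
    """Run an LLM-proposed action only if it is a known tool, and require
    explicit human approval for actions in the sensitive set."""
    if action not in TOOLS:
        raise KeyError(f"unknown tool: {action}")
    if action in SENSITIVE and not user_approved:
        raise PermissionError(f"{action} requires explicit user approval")
    return TOOLS[action]()
```

Keeping the approval decision outside the model means a malicious email can at most propose the spam action; it cannot authorize it.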
LLM09
Overreliance

EXAMPLES
LLM provides incorrect information
LLM generates nonsensical text
ATTACK SCENARIOS
AI fed misleading info leading to disinformation
AI's code suggestions introduce security vulnerabilities
Developer unknowingly integrates malicious package suggested by AI.
LLM10
Model Theft

EXAMPLES
Attacker gains unauthorized access to LLM model
Disgruntled employee leaks model artifacts