Penetration TestJan Kahmen7 min read

OWASP Top 10 for Large Language Model Applications

The OWASP Top 10 List for Large Language Models version 0.1 is a draft of significant vulnerability types in Artificial Intelligence (AI) applications constructed on Large Language Models (LLMs).

Table of content

The OWASP Top 10 List for Large Language Models version 0.1 is a draft of significant vulnerability types in Artificial Intelligence (AI) applications constructed on Large Language Models (LLMs).

LLM01:2023 - Prompt Injections

Prompt injections are vulnerabilities that can lead to malicious consequences such as data leakage, unauthorized access, or other security breaches. To prevent and mitigate these risks, developers need to implement prompt validation and sanitization, while also regularly updating and fine-tuning the LLM to improve its understanding of malicious inputs and edge cases. Monitoring and logging LLM interactions can also help detect and analyze potential prompt injection attempts.

LLM02:2023 - Data Leakage

This text has provided an overview of data leakage and its risks, along with examples of how it can occur. It has also outlined ways to minimize these risks, such as implementing output filtering and context-aware mechanisms, using data anonymization and differential privacy techniques for training, and regularly auditing and logging LLM interactions. Through vigilant monitoring and strict security protocols, developers can mitigate the risk of data leakage and ensure the secure use of their LLMs.

LLM03:2023 - Inadequate Sandboxing

Sandboxing is a security technique used to limit an LLM's access to external resources or sensitive systems. If inadequate sandboxing is implemented, it can enable potential exploitation, unauthorized access, or unintended actions by the LLM. To avoid these risks, proper sandboxing should be implemented to separate the LLM environment from other critical systems and resources while restricting the LLM's capabilities and access to just what is necessary. Developers should also have good oversight by regularly auditing and reviewing the LLM environment, access controls, and interactions to detect possible sandboxing issues. Attack scenarios can include an attacker exploiting an LLM's access to a sensitive database for confidential information or an attacker manipulating the LLM to execute unauthorized commands, so understanding and preventing these risks is key to keeping LLM implementations safe.

LLM04:2023 - Unauthorized Code Execution

Unauthorized code execution is a potential vulnerability of an LLM (Language and Logic Model) when an attacker subverts it to execute malicious code, commands, or actions on the underlying system. Prevention measures involve stringent input validation and sanitization, proper sandboxing, restricting the LLM's capabilities, regular auditing of the LLM's environment and access control, and monitoring and logging of interactions with the LLM. Two typical attack scenarios include crafting a prompt to launch a reverse shell on the underlying system, and manipulation of the LLM into executing unauthorized actions on the system. By being aware of these risks and taking appropriate steps, developers can safeguard their LLMs and protect their systems.

LLM05:2023 - SSRF Vulnerabilities

Server-side Request Forgery (SSRF) vulnerabilities are caused by inadequate input validation, sandboxing, and resource restrictions, and misconfigured network or application security settings. To prevent such incidents, measures like rigorous input validation, sandboxing and resource restrictions, auditing and reviewing network and application security, and monitoring and logging LLM interactions should be carried out. Attackers often utilize LLMs to bypass access controls and access restricted resources, or to interact with internal services and modify sensitive data. To mitigate against such risks, developers should be aware of and take precautions against the potential for SSRF vulnerabilities.

LLM06:2023 - Overreliance on LLM-generated Content

To prevent issues related to overreliance on LLM-generated content, organizations and users should take the following steps: verify content, consult alternative sources, ensure human oversight and review, communicate content limitations, and use LLM-generated content as a supplement rather than a replacement. Examples of attack scenarios include news organizations publishing false information and companies using inaccurate financial data to make critical decisions. Both situations can lead to the spread of misinformation and significant financial losses.

LLM07:2023 - Inadequate AI Alignment

This involves clearly defining the objectives and intended behavior, ensuring that reward functions and training data are aligned and do not encourage undesired or harmful behaviors, regularly testing and validating the LLM’s behavior in various contexts and scenarios, and implementing monitoring and feedback mechanisms to continuously evaluate the LLM’s performance and alignment. Additionally, anticipating and addressing attack scenarios, such as those involving inappropriate user engagement or system administration tasks, can help reduce the risk of undesired or malicious outcomes.

LLM08:2023 - Insufficient Access Controls

To reduce the risk of vulnerabilities being exploited, developers must enforce strict authentication requirements and implement role-based access control (RBAC) for restricting user access. Access controls must also be implemented for LLM-generated content and actions to prevent unauthorized access or manipulation. Regular audits and updates should also be performed to ensure security is maintained.

LLM09:2023 - Improper Error Handling

Improper error handling can lead to attackers discovering sensitive information, system details and potential attack vectors. To prevent this, proper error handling needs to be implemented to catch, log and handle errors gracefully. Furthermore, error messages and debugging information must not reveal sensitive information or system details. Attackers can exploit LLM vulnerabilities by exploiting improper error handling, so preventing this will reduce the risk and improve system stability.

LLM10:2023 - Training Data Poisoning

Training data poisoning is when an attacker manipulates training data or fine-tuning procedures of an LLM to introduce subjects that can compromise security, effectiveness, ethical behavior, etc. To prevent this, data integrity should be enforced, data sanitization and preprocessing should be implemented, and the LLM should be regularly reviewed. Monitoring and alerting mechanisms can also detect irregularities, which may indicate malicious manipulation.


In conclusion, the OWASP Top 10 List for Large Language Models is a blueprint for understanding and preventing significant vulnerability types in AI applications built on large language models. Through proper sandboxing, input validation, authorization, and error handling techniques, and by understanding the risks associated with training data poisoning and overreliance on LLM-generated content, developers can keep LLM implementations secure and ensure they are functioning as intended.


Curious? Convinced? Interested?

Schedule a no-obligation initial consultation with one of our sales representatives. Use the following link to select an appointment: