- \n
- Prompt Injection<\/a><\/li>\n\n\n\n
- Insecure Output Handling<\/a><\/li>\n\n\n\n
- Training Data Poisoning<\/a><\/li>\n\n\n\n
- Model Denial of Service<\/a><\/li>\n\n\n\n
- Supply Chain Vulnerabilities<\/a><\/li>\n\n\n\n
- Sensitive Information Disclosure<\/a><\/li>\n\n\n\n
- Insecure Plugin Design<\/a><\/li>\n\n\n\n
- Excessive Agency<\/a><\/li>\n\n\n\n
- Overreliance<\/a><\/li>\n\n\n\n
- Model Theft<\/a><\/li>\n<\/ol>\n\n\n\n
<\/span>What is the OWASP LLM Top 10?<\/span><\/h2>\n\n\n\n
The OWASP Large Language Model (LLM) Top 10<\/a> lists the most frequent and significant security risks in large language model applications. It aims to educate developers, designers, and organizations about potential security risks that may arise from the deployment of large language models.
<\/p>\n\n\n\n<\/span>OWASP Large Language Model (LLM) Top 10 Explained with Examples<\/span><\/h2>\n\n\n\n
![\"OWASP](\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2024\/07\/4c2bf095-owasp-top-10-for-llm.png\")
<\/figure>\n\n\n\nLLM01: Prompt Injection<\/h3>\n\n\n\n
Prompt Injection is an attack in which the attacker uses crafted input prompts to manipulate the LLM to execute unintended actions or extract sensitive information.<\/p>\n\n\n\n
It can be performed in two ways:<\/p>\n\n\n\n
- \n
- Direct Prompt Injections, or jailbreaking, is an attack in which the attackers modify or reveal the system prompts, allowing them to interact with the underlying system by exploiting the insecure functions.<\/li>\n\n\n\n
- Indirect Prompt Injection is a method in which LLMs accept external input, and attackers send specially crafted input prompts that allow them to manipulate the users or the systems associated with the LLM.<\/li>\n<\/ol>\n\n\n\n
\u2139\ufe0f In 2022, researchers from OpenAI discovered that GPT-3 was vulnerable to prompt injection attacks. Specially crafted input prompts could cause the model to perform malicious and unintended actions.<\/p>\n\n\n\n
Mitigation Suggestions<\/strong><\/p>\n\n\n\n
- \n
- Establish Trust boundaries and treat LLM as an external user<\/li>\n\n\n\n
- Set up proper access control mechanisms to limit access to the backend<\/li>\n\n\n\n
- Separate the external user prompts from the predefined prompts<\/li>\n<\/ul>\n\n\n\n
Example Attack Scenarios for Prompt Injections<\/strong><\/p>\n\n\n\n
An attacker inputs specially crafted prompts to trick the LLM intro into revealing confidential information about the application, such as API keys, or modifying the outputs to perform unintended actions.<\/p>\n\n\n\n
![\"Prompt](\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2024\/07\/904b7c43-you-are-trained-to-be-an-email-replying-bot.-reply-to.png\")
<\/figure>\n\n\n\nLLM02: Insecure Output Handling<\/h3>\n\n\n\n
Insecure Output Handling is a vulnerability that occurs due to insufficient validation and sanitization of input and output and improper handling of the output generated by the LLMs before it is passed on to the applications.<\/p>\n\n\n\n
This security weakness can lead to vulnerabilities like XSS, SSRF, CSRF or even remote code execution.<\/p>\n\n\n\n
\u2139\ufe0f In 2024, researchers discovered that the Mintplex Labs chatbot was vulnerable to a cross-site scripting attack due to a lack of input sanitization. It granted users indirect access to functionalities with the help of malicious input prompts.<\/p>\n\n\n\n
Mitigation Suggestions:<\/strong><\/p>\n\n\n\n
- \n
- Setup Input Validation and Sanitization mechanisms.<\/li>\n\n\n\n
- Implement Output Encoding before directing the output to end users.<\/li>\n\n\n\n
- Implement proper access controls to avoid the processing of sensitive commands or prompts.<\/li>\n<\/ul>\n\n\n\n
Example Attack Scenarios for Insecure Output Handling<\/strong><\/p>\n\n\n\n
An LLM allows the crafting of SQL queries for a database, and the attackers request a query to update the users’ table or delete all the tables. If this query is not validated and sanitized properly, it could delete all the databases associated with the LLMs.<\/p>\n\n\n\n
LLM03: Training Data Poisoning<\/h3>\n\n\n\n
Training Data Poisoning is a weakness that occurs when attackers modify or manipulate the training data with harmful data. This causes the LLM to learn from incorrect or biased data and produce skewed predictions.<\/p>\n\n\n\n
This can cause the poisoned data to be served to users or lead to issues like software exploitation, which can harm the brand’s reputation.<\/p>\n\n\n\n
\u2139\ufe0f In 2023, researchers used data augmentation techniques to create trojan LLMs by adding malicious data to the training data set, allowing them to embed backdoors in various LLMs. The models generated predefined responses to specific prompts that could trigger the backdoor.<\/p>\n\n\n\n
Mitigation Suggestions<\/strong><\/p>\n\n\n\n
- \n
- Verify the source of the training data<\/li>\n\n\n\n
- Use strict input filters to allow specific data for training.<\/li>\n\n\n\n
- Monitor and Verify the data for anomalies using a data curation tool.<\/li>\n<\/ul>\n\n\n\n
Beyond these preventive measures,\u00a0AI penetration testing services<\/a>\u00a0can help simulate real-world data poisoning attacks to test your model\u2019s resilience against malicious training data.<\/p>\n\n\n\n
Example Attack Scenarios for Training Data Poisoning<\/strong><\/p>\n\n\n\n
A competitor or attackers create documents with biased information to feed to the targeted LLMs training data, which causes it to unintentionally generate a more biased output, which benefits the attackers.<\/p>\n\n\n\n
![\"Training](\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2024\/07\/3e0dd7b0-poisoned-data.png\")
<\/figure>\n\n\n\nLLM04: Model Denial of Service<\/h3>\n\n\n\n
Model Denial of Service (DoS) is a type of attack in which attackers cause resource-heavy operations to disrupt the availability of the LLM, slowing it down or making it unavailable to users or associated applications.<\/p>\n\n\n\n
This could also lead to the model learning from this barrage of inputs and allowing the attacker to manipulate the context window(Input length) set by the LLM.<\/p>\n\n\n\n
\u2139\ufe0f In 2023, OpenAI suffered \u201cperiodic outages\u201d on its API and ChatGPT services due to a DDoS attack on its infrastructure<\/p>\n\n\n\n
Mitigation Suggestions<\/strong><\/p>\n\n\n\n
- \n
- Implement proper request throttling or rate-limiting mechanisms.<\/li>\n\n\n\n
- Set a strict input length limit for the context window.<\/li>\n\n\n\n
- Continuously monitor the utilization of resources and restrict excessive utilization.<\/li>\n<\/ul>\n\n\n\n
Example Attack Scenarios for Model Denial of Service<\/strong><\/p>\n\n\n\n
Attackers can flood the LLM with a high volume of long inputs that can reach the limit of the defined context window, causing strain and increased resource usage, making it unresponsive.<\/p>\n\n\n\n
LLM05: Supply Chain Vulnerabilities<\/h3>\n\n\n\n
Supply chain vulnerabilities generally occur in LLM applications when the third-party resources or libraries used in the development introduce external security risks to the applications.<\/p>\n\n\n\n
Such a vulnerability can result in the application becoming un-operational and even lead to data breaches.<\/p>\n\n\n\n
\u2139\ufe0f In 2022, Hugging Face, which was using a third-party NLP plugin with a critical vulnerability, was injected with malicious code by attackers allowing them to achieve remote code execution.<\/p>\n\n\n\n
Mitigation Suggestions<\/strong><\/p>\n\n\n\n
- \n
- Use Verified and secure third-party dependencies<\/li>\n\n\n\n
- Use Model and Code Signing<\/li>\n\n\n\n
- Regularly update third-party components<\/li>\n<\/ul>\n\n\n\n
Example Attack Scenarios for Supply Chain Vulnerabilities<\/strong><\/p>\n\n\n\n
Attackers can manipulate and inject publicly available datasets with malicious inputs to generate a backdoor when it is used to retrain a model. This allows the attackers to perform unauthorized actions or even access sensitive data in that environment. Proactive AI penetration testing<\/a> can help detect such supply chain\u2013driven weaknesses early in the model lifecycle.<\/p>\n\n\n\n
![\"Supply](\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2024\/07\/efacab7d-third-party-dependencies-or-libraries.png\")
<\/figure>\n\n\n\nLLM06: Sensitive Information Disclosure<\/h3>\n\n\n\n
Sensitive Data Exposure is a vulnerability that can occur when the LLM reveals sensitive information about the system or the algorithms being used in its output. Attackers can access such information to gain unauthorized access to the system.<\/p>\n\n\n\n
It can lead to data breaches and loss of Intellectual Property and cause legal penalties for non-compliance and privacy violations.<\/p>\n\n\n\n
\u2139\ufe0f In 2022, researchers discovered that a chatbot created by a healthcare organization was exposing sensitive patient information to its users due to a lack of sanitization. This data breach exposed personal health records, leading to legal consequences for non-compliance.<\/p>\n\n\n\n
Mitigation Suggestions<\/strong><\/p>\n\n\n\n
- \n
- Implement data sanitization mechanisms.<\/li>\n\n\n\n
- Implement strict data access policies.<\/li>\n\n\n\n
- Monitor model outputs for information leaks.<\/li>\n<\/ul>\n\n\n\n
Example Attack Scenarios for Sensitive Information Disclosure<\/strong><\/p>\n\n\n\n
Attackers can craft malicious input prompts that exploit the absence or ineffectiveness of the input validation mechanisms deployed in the LLMs to reveal the PII of other application users.<\/p>\n\n\n\n
LLM07: Insecure Plugin Design<\/h3>\n\n\n\n
Insecure Plugin Design occurs when the LLM plugins introduce vulnerabilities into the system. These vulnerabilities can cause the LLMs to accept insecure input prompts or have improper access control mechanisms, making them easier targets for attackers to exploit.<\/p>\n\n\n\n
Due to the lack of proper authentication and authorization, the plugins trust the data input via other plugins, causing data leakages, privilege escalation, or remote code execution, which leads to system failure.<\/p>\n\n\n\n
\u2139\ufe0f In 2023, OpenAI\u2019s ChatGPT faced a security vulnerability due to an insecure plugin design. A third-party plugin that enhanced the chatbot’s functionality allowed for arbitrary code execution.<\/p>\n\n\n\n
Mitigation Suggestions<\/strong><\/p>\n\n\n\n
- \n
- Follow secure coding practices for development.<\/li>\n\n\n\n
- Restrict plugin access to data and functions.<\/li>\n\n\n\n
- Plugins should use proper authentication systems to maintain access controls.<\/li>\n<\/ul>\n\n\n\n
Example Attack Scenarios for Insecure Plugin Design<\/strong><\/p>\n\n\n\n
An insecure plugin can be targeted by attackers to input content generated by other insecure LLMs and perform any unauthorized actions as the plugin assumes the data is being input by an end user.<\/p>\n\n\n\n
![\"Insecure](\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2024\/07\/d99ec44c-insecure-plugin-design.png\")
<\/figure>\n\n\n\nLLM08: Excessive Agency<\/h3>\n\n\n\n
Excessive Agency is a vulnerability that occurs when the LLMs are given control over crucial functions or are given excessive permissions. These actions can cause unintended damage to the data or the associated applications.<\/p>\n\n\n\n
It can deeply impact the confidentiality, integrity, and availability of the associated applications and introduce various vulnerabilities.<\/p>\n\n\n\n
Mitigation Suggestions<\/strong><\/p>\n\n\n\n
- \n
- Limit the autonomy and permissions of LLMs<\/li>\n\n\n\n
- Implement human-in-loop controls for critical operations<\/li>\n\n\n\n
- Implement authorization in downstream applications<\/li>\n<\/ul>\n\n\n\n
Example Attack Scenarios for Excessive Agency<\/strong><\/p>\n\n\n\n
Attackers can exploit a plugin developed for executing specific shell commands by feeding it instructions to perform undefined and higher privilege commands to gain unauthorized access or perform unintended functions.<\/p>\n\n\n\n
LLM09: Overreliance<\/h3>\n\n\n\n
Overreliance in LLMs can occur when the output generated by the models is trusted by the users and the applications without any validation or confirmation on whether the generated outputs are accurate.<\/p>\n\n\n\n
This overreliance on the LLMs’ outputs can lead to miscommunication or introduce security vulnerabilities due to incorrect outputs.<\/p>\n\n\n\n
\u2139\ufe0f In 2023, a novice lawyer used ChatGPT to write a motion for him and generate the document. Even though he provided the model with proper data and input prompts, the model generated several fake citations, which led to a false case and the lawyer’s disbarment.<\/p>\n\n\n\n
Mitigation Suggestions<\/strong><\/p>\n\n\n\n
- \n
- Use LLM outputs as recommendations.<\/li>\n\n\n\n
- Review and validate LLM outputs for accuracy.<\/li>\n\n\n\n
- Enhance the model by fine-tuning output quality.<\/li>\n<\/ul>\n\n\n\n
Example Attack Scenarios for Overreliance<\/strong><\/p>\n\n\n\n
A healthcare system designed to provide diagnosis and prescribing medicines, due to overreliance, can lead to incorrect and harmful treatments or procedures and can be fatal for the patients.<\/p>\n\n\n\n
LLM10: Model Theft<\/h3>\n\n\n\n
Model Theft refers to unauthorized access to the LLM, which allows attackers to gain sensitive information about the model, such as its parameters, which can be used to replicate the model and use it for themselves.<\/p>\n\n\n\n
This vulnerability leads to financial and reputational loss to organizations and creates mistrust amongst the users of the LLMs.<\/p>\n\n\n\n
Mitigation Suggestions<\/strong><\/p>\n\n\n\n
- \n
- Secure LLM with strong encryption suites.<\/li>\n\n\n\n
- Implement robust access control mechanisms.<\/li>\n\n\n\n
- Regularly monitor and audit the access logs.<\/li>\n<\/ul>\n\n\n\n
Example Attack Scenarios for Model Theft<\/strong><\/p>\n\n\n\n
An attacker can query the model repeatedly with selected inputs, collecting sensitive information from the outputs to replicate the model and use it for themselves without access to the original one.<\/p>\n\n\n\n
![\"Model](\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2024\/07\/72659e1b-model-theft.png\")
<\/figure>\n\n\n\n<\/span>Final Thoughts<\/strong><\/span><\/h2>\n\n\n\n
The OWASP LLM Top 10 lists critical security risks associated with LLMs. Identifying and mitigating these vulnerabilities<\/a> helps developers and organizations ensure secure and robust models. <\/p>\n\n\n\n
Practices like role-based access controls, strong cipher suites, input validation, and regular monitoring of the LLMs and their output can help protect them from various cyberattacks.<\/p>\n","protected":false},"excerpt":{"rendered":"
Since their inception, LLMs or large language models have rapidly integrated into various fields over the past couple of years, giving rise to a new set of security challenges in the field. LLMs like ChatGPT or GitHub\u2019s Co-Pilot are also prone to cyber-attacks, where exploiting a single vulnerability can disrupt thousands of organizations that rely … Read more<\/a><\/p>\n","protected":false},"author":121,"featured_media":38752,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[340],"tags":[],"class_list":["post-26009","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-audit"],"_links":{"self":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/26009","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/users\/121"}],"replies":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/comments?post=26009"}],"version-history":[{"count":17,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/26009\/revisions"}],"predecessor-version":[{"id":42682,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/26009\/revisions\/42682"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media\/38752"}],"wp:attachment":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media?parent=26009"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/categories?post=26009"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/tags?post=26009"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Insecure Output Handling<\/a><\/li>\n\n\n\n