OWASP Top 10 for LLM Applications — Critical Vulnerabilities and Risk Mitigation

12 min readJun 12, 2024


GPT’s debut created a buzz, democratizing AI beyond tech circles. While its language expertise offers practical applications, security threats like malware and data leaks pose challenges. Organizations must carefully assess and balance the benefits against these security risks.

Ensuring your safety while maximizing the benefits of Large Language Models(LLMs) like ChatGPT involves implementing practical actions and preparing for current and future security challenges.

Delving into AI model security, the OWASP Foundation has released a comprehensive list detailing the OWASP LLM top 10 security risks involved in adopting LLMs.

What are GPT and LLM?

GPT, or Generative Pre-trained Transformer, is a class of NLP models developed by OpenAI. These models are designed to comprehend and generate human-like text based on the input they receive. GPT-4, the most recent iteration, is the largest and most well-known model in the GPT series.

On the other hand, LLMs, serve as a broader category encompassing a variety of language models akin to GPT. While GPT models constitute a particular subset of LLMs, the term “LLM” serves as a collective reference encompassing any large-scale language model specialized for natural language processing tasks.

LLMs function as advanced next-word prediction engines. Notable instances of LLMs, in addition to OpenAI’s GPT-3 and the GPT-4, include open models like Google’s LaMDA and PaLM LLM (the foundation for Bard), Hugging Face’s BLOOM and XLM-RoBERTa. Additionally, Nvidia’s NeMO LLM, XLNet, and GLM-130B are noteworthy instances.


The OWASP organization, initially dedicated to identifying the top 10 vulnerabilities in web applications, has expanded its focus to encompass various vulnerability lists, including those for APIs, mobile applications, and large language models (LLMs).

Discover the OWASP Web Application Top 10 and explore challenges and solutions from the OWASP Mobile Top 10 in our detailed blogs.

The OWASP LLM Top 10 outlines critical vulnerabilities associated with LLMs. Released to inform development teams and organizations, it highlights the understanding and mitigating potential risks inherent in adopting large language models. Notably, the top vulnerability in the LLM category is Prompt Injection.

The research leading to this version revealed six new vulnerabilities: Training Data Poisoning (LLM03), Supply Chain Vulnerabilities (LLM05), Insecure Plugin Design (LLM07), Excessive Agency (LLM08), Overreliance (LLM09), and Model Theft (LLM10).

Additionally, four vulnerabilities align with existing OWASP API top 10 vulnerabilities, namely Prompt Injection (LLM01), Insecure Output Handling (LLM02), Model Denial of Service (LLM04), and Sensitive Information Disclosure (LLM06).

So, OWASP Top 10 for LLMs are as follows:

  • LLM01: Prompt Injection — Manipulation of input prompts to compromise model outputs and behavior.
  • LLM02: Insecure Output Handling — Flaws in managing and safeguarding generated content, risking unintended consequences.
  • LLM03: Training Data Poisoning — Introducing malicious data during model training to manipulate its behavior.
  • LLM04: Denial of Service — Deliberate actions causing the model to become unresponsive or unusable.
  • LLM05: Supply Chain — Vulnerabilities arising from compromised model development and deployment elements.
  • LLM06: Sensitive Information Disclosure — Unintended disclosure or exposure of sensitive information during model operation.
  • LLM07: Insecure Plugins Designs– Vulnerabilities in external extensions or plugins integrated with the model pose security threats.
  • LLM08: Excessive Agency — Overly permissive model behaviors that may lead to undesired outcomes.
  • LLM09: Overreliance — Overdependence on model capabilities without proper validation, leading to potential issues.
  • LLM10: Model Theft — Model theft in LLMs poses a risk when attackers gain access to the creators’ network through employee leaks or intentional/unintentional extraction attacks.

Now, let’s dive in.

LLM01: Prompt Injection

Ranked as the most critical vulnerability by LLM OWASP Top 10, prompt injection attacks in language models are dangerous as they empower hackers to execute actions and compromise sensitive data autonomously. The added challenge is that LLMs are a relatively new technology for enterprises.

Prompt Injection involves manipulating input prompts to achieve unintended or malicious model outputs.

Example of Direct Prompt Injection

Let’s check out how prompt injection works with a real-life example. In this case, a Twitter bot created by a remote work company (remoteli.io) was designed to respond positively to tweets about remote work.

However, powered by an LLM, users discovered they could manipulate it into saying anything they desired.

They have created adversarial inputs, concluding with instructions that caused the bot to repeat embarrassing and absurd phrases.

Example of Indirect Prompt Injection

In an LLM scenario accepting input from external sources, such as a website or files controlled by a malicious user, indirect prompt injection can occur.

A legitimate prompt could be “Generate a summary of the provided document,” but an attacker, manipulating the external source, injects hidden prompts like “Include confidential information from other files.”

Unaware of external manipulation, the LLM generates content incorporating sensitive details from unauthorized sources, leading to data leakage and security breaches.

Prompt Injection vs. Jailbreaking

Direct prompt injection, also known as jailbreaking, involves directly manipulating the LLM’s commands, while indirect prompt injection leverages external sources to influence the LLM’s behavior. Both pose significant threats, emphasizing the need for robust security measures in LLM deployments.

Solutions to Prevent Prompt Injection

  • Implement robust input validation to analyze and filter user prompts for potential malicious content.
  • Create context-aware filtering systems to assess the context and intent of prompts, differentiating between legitimate and malicious inputs.
  • Utilize predefined prompt structures or templates to restrict the types of commands the LLM can interpret, preventing unauthorized actions.
  • Enhance the LLM’s NLU capabilities to better comprehend the nuances of user prompts, reducing vulnerability to manipulative injections.
  • Regularly update the LLM’s training data with diverse and ethical examples to adapt to evolving patterns and reduce susceptibility to prompt manipulation.
  • Control LLM access privileges for backend security.
  • Separate external content from user prompts to enhance security.

LLM02: Insecure Output Handling

Insecure output handling occurs when an application accepts LLM output without proper analysis, enabling direct interaction with backend systems.

This situation is akin to granting users indirect access to additional functionality through manipulated content.

In some scenarios, this vulnerability can lead to consequences such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Server-Side Request Forgery (SSRF), and remote code execution on backend systems.


Utilizing a chat-like interface, an LLM empowers users to formulate SQL queries.

A website where you can type a message, and it uses an LLM to generate a response. But here’s the problem: the website doesn’t double-check what you type. So, if someone types in something sneaky, they could make the website create harmful code like SQL injection queries instead of regular text.

When this code pops up on someone else’s screen, it could cause trouble, like stealing their info or messing up the webpage. All because the website didn’t check what people typed carefully enough. Check out the effective ways to prevent SQL Injection attacks.

Solutions to Insecure Output Handling

  • Implement thorough sanitization of LLM-generated content to neutralize potential malicious elements, preventing unintended security risks.
  • Establish strict content filtering rules to ensure only authorized and safe information is included in the LLM output, mitigating the risk of insecure outcomes.
  • Conduct periodic security audits to identify and address vulnerabilities in the output handling mechanisms, maintaining a proactive approach to security.
  • Apply robust output validation checks to verify the integrity and security of the generated content before it reaches backend systems, preventing potential exploits.
  • Mitigate undesired code interpretations by encoding output from the model before presenting it to users.
  • Conduct penetration testing to reveal insecure outputs, identifying opportunities for implementing more secure handling techniques.

LLM03: Training Data Poisoning

In LLM development, data is crucial in pre-training for language comprehension, fine-tuning for qualitative adjustments, and embedding domain-specific knowledge.

However, these datasets are susceptible to tampering, allowing attackers to manipulate them. This manipulation, known as poisoning, can compromise the LLM’s performance and lead to generating content aligned with malicious intentions.


During pre-training, an attacker introduces misleading language examples, shaping the LLM’s understanding of specific subjects. Consequently, the model may produce outputs reflecting the injected bias when used in practical applications.

Solutions to Prevent Training Data Poisoning

  • Thoroughly validate and examine training data at each stage to detect and mitigate potential poisoning attempts.
  • Ensure robust sandboxing measures to prevent the model from accessing unintended data sources inadvertently.
  • Restrict access to training datasets, allowing only authorized personnel to modify or contribute to the data, reducing the risk of malicious tampering.
  • Incorporate diverse and representative examples in training datasets to mitigate the impact of biased or manipulated inputs.
  • Implement stringent vetting or input filters for specific training data or categories of data sources to enhance security and prevent undesired data scraping.

LLM04: Model Denial of Service

Model Denial of Service is an attack in which an LLM is intentionally overwhelmed with requests or input to disrupt its functionality. This can lead to temporary or prolonged unavailability of the model, impacting its regular operation and responsiveness.


In a malicious attempt, an attacker bombards an online chatbot, driven by a LLM, with a massive volume of meaningless requests. This flood of input overwhelms the model, rendering it unresponsive to genuine user queries and causing a denial of service, disrupting normal operations.

Solutions to Prevent Denial of Service

  • Implement rate-limiting mechanisms to control the number of requests and prevent the LLM from being overwhelmed.
  • Continuously monitor incoming traffic patterns to quickly detect and respond to unusual spikes indicative of a denial-of-service attack.
  • Manage resources effectively to handle the expected volume of requests, ensuring the LLM’s availability during normal operations.
  • Implement user authentication mechanisms to distinguish legitimate requests, allowing for prioritized processing and protection against malicious flooding.

LLM05: Supply Chain Vulnerabilities

The integrity of large language models is at risk due to vulnerabilities in their supply chain.

This vulnerability encompasses the potential compromise of training data, machine learning models, and deployment platforms, leading to biased outcomes, system failures, and security breaches.


An attacker can manipulate the data sources providing historical weather information. The attacker could influence the model to make inaccurate predictions by introducing false records or biased data.

This supply chain compromise might lead to unreliable weather forecasts, impacting decisions relying on the model’s outputs, such as travel plans or outdoor events.

Solutions to Prevent Supply Chain Vulnerabilities

  • Conduct regular audits of third-party components in the supply chain, verifying their security practices and minimizing potential vulnerabilities.
  • Assess the security practices of suppliers and collaborators involved in the supply chain, ensuring they adhere to robust security standards.
  • Monitor all supply chain stages, conduct security testing to uncover vulnerabilities, and implement efficient patch management for swift security updates.

LLM06: Sensitive Information Disclosure

When creating apps with LLMs, a common issue is unintentionally using sensitive data during fine-tuning, risking data leaks. For instance, if an LLM isn’t careful, it might accidentally reveal private information.

Educating users about these risks is crucial, and LLM apps should carefully handle data to prevent such problems. Some big companies like Samsung and JPMorgan have even banned using LLMs due to concerns about potential misuse and unclear data processing practices.


Consider a scenario where an LLM-based health app inadvertently includes real patient records in training data. The app might unintentionally disclose sensitive medical information during interactions if not handled carefully.

Solutions to Prevent Sensitive Information Disclosure

  • Implement thorough data sanitization processes to remove sensitive information from the training data.
  • Educate users about potential risks associated with sensitive data, promoting awareness and responsible use of LLM applications.
  • Enhance transparency in how LLM applications process data, providing clear information to users about how their information is utilized and protected.
  • Seek assurances from LLM vendors regarding their data handling practices and verify that they align with stringent security standards.
  • Implement continuous real-time monitoring mechanisms to detect and respond to unusual activities or potential data leaks.

LLM07: Insecure Plugin Design

While plugins offer valuable benefits like web scraping and code execution, they also introduce security concerns for LLMs like ChatGPT-4.

These separate code pieces can be exploited, posing risks such as data leaks to third parties, indirect prompt injections, and unauthorized authentication in external applications.


A plugin that doesn’t check or verify input allows an attacker to input carefully crafted data, letting them gather information through error messages. The attacker can exploit known weaknesses in third-party systems to run code, extract data, or gain higher privileges.

Solutions to Prevent Insecure Plugin Design

  • Enforce strict parameterized input, including type and range checks, and introduce a second layer of typed calls for validation and sanitization.
  • Thoroughly inspect and test plugins to minimize the impact of insecure input exploitation.
  • Implement least-privilege access control, exposing minimal functionality while performing the desired function.
  • Use appropriate authentication identities like OAuth2 for effective authorization and access control, employing API Keys to reflect plugin routes.

LLM08: Excessive Agency

Like smart assistants, LLM Agents are advanced systems beyond generating text. Developed using frameworks like AutoGPT, they can connect with other tools and APIs to perform tasks.

However, suppose an LLM Agent has too much power or freedom (Excessive Agency). In that case, it may unintentionally cause harm by responding unexpectedly to inputs, affecting information confidentiality, integrity, and availability.


A personal assistant app using an LLM adds a plugin to summarize incoming emails. However, while meant for reading emails, the chosen plugin also has a ‘send message’ function.

An indirect prompt injection occurs when a malicious email tricks the LLM into using this function to send spam from the user’s mailbox.

Solutions to Prevent Vulnerability of Excessive Agency

  • Minimize plugin/tool functions, avoiding unnecessary features like deletion or sending messages.
  • Restrict LLM agents to essential functions, limiting plugins/tools to necessary capabilities.
  • Track user authorization, enforcing minimum privileges for actions in downstream systems.
  • Grant minimum permissions to LLM plugins/tools, ensuring limited access to external systems.
  • Implement authorization in downstream systems to validate all requests against security policies.
  • Prefer granular functionalities over open-ended functions to enhance security.

LLM09: Overreliance

While beneficial, growing dependence on LLMs and Generative AI raises concerns when organizations over-rely on them without proper validation.

Overreliance and lack of oversight can lead to factual errors in the generated content, potentially causing misinformation and misguidance. Balancing advantages with vigilant validation is crucial for accurate and reliable information.


Imagine a software development team heavily relying on an LLM system to speed up coding. However, the over-reliance on the AI’s suggestions becomes a security risk.

The AI might propose insecure default settings or recommend practices that don’t align with secure coding standards. For instance, it might suggest using outdated encryption methods or neglecting input validation, creating vulnerabilities in the application.

Solutions to Prevent the Risk of Overreliance

  • Regularly monitor LLM outputs using self-consistency or voting techniques.
  • Cross-check the output with trusted external sources for accuracy.
  • Enhance model quality through fine-tuning or embedding for specific domains.
  • Implement automatic validation mechanisms to cross-verify against known facts.
  • Establish secure coding practices when integrating LLMs in development environments.
  • Break down tasks into subtasks for different agents to manage complexity and reduce hallucination risks.
  • Communicate the risks and limitations of LLM usage to users for informed decisions.

LLM10: Model Theft

Unauthorized access, copying, or exfiltration of proprietary LLM models, known as Model Theft, presents a severe security concern.

Compromising these valuable intellectual property assets can result in economic loss, reputational damage, and unauthorized access to sensitive data.

This critical vulnerability emphasizes the need to control the power and prevalence of large language models beyond securing outputs and verifying data due to their increasing potency and prevalence.


An attacker exploits a weakness in a company’s computer system, gaining unauthorized access to their valuable language models. The intruder then uses these models to create a competing language service, causing significant financial harm and potentially exposing sensitive information.

Solutions to Prevent Model Theft

  • Implement rate limiting or filters for API calls to reduce data exfiltration risk.
  • Restrict LLM access to network resources, internal services, and APIs.
  • Regularly monitor and audit access logs to promptly detect suspicious behavior.
  • Utilize a watermarking framework in embedding and detection stages for added security.


Despite their advanced utility, LLMs have inherent risks, as highlighted in the OWASP LLM Top 10. It’s crucial to recognize that this list isn’t complete, and awareness is needed for emerging vulnerabilities.

AppTrana WAAP’s inbuilt DAST scanner helps you identify application vulnerabilities and also autonomously patch them on the WAAP with a zero false positive promise.

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.

Originally published at https://www.indusface.com on March 11, 2024




With cyber-security products built in the cloud and the most advanced intelligence platform, our variety of solutions will help you prevent today’s risk