OWASP Top 10 for LLM Applications

Manipulating LLM behavior through crafted inputs that override system instructions. Includes direct injection, indirect injection via external data sources, and multi-step jailbreak attacks.

LLMs revealing confidential data from training data, system prompts, or connected data sources through carefully crafted queries.

Risks from compromised training data, pre-trained models, plugins, and third-party components integrated into LLM applications.

Corrupting training data, fine-tuning datasets, or RAG knowledge bases to manipulate model behavior and introduce backdoors.

Failing to validate, sanitize, or properly handle LLM-generated outputs before passing them to downstream systems or users.

LLM systems granted too many permissions, functions, or autonomy, enabling them to perform unintended or harmful actions.

Extracting hidden system prompts that contain sensitive business logic, security controls, or proprietary instructions.

Exploiting vulnerabilities in vector databases and embedding pipelines used in RAG architectures to poison retrieval results.

LLMs generating false, misleading, or fabricated information (hallucinations) that users may trust and act upon.

Attacks that cause LLM applications to consume excessive resources, leading to denial of service, cost escalation, or model degradation.