Mitigating insecure output in LLM applications
How to defend against insecure LLM output handling with context-specific encoding, access control enforcement, rendering layer defences, and sandboxing.
How to defend against insecure LLM output handling with context-specific encoding, access control enforcement, rendering layer defences, and sandboxing.
How LLM hallucinations create security risks from financial liability to supply chain attacks via slopsquatting, with mitigation strategies at every layer.
How Markdown image rendering in LLM applications enables data exfiltration, covering the mechanism, indirect prompt injection delivery, and real-world CVEs.
How function calling in LLM applications creates code execution, excessive agency, and injection risks, with techniques for each vulnerability class.
How command injection arises when LLMs translate natural language into shell commands, covering unrestricted execution, guardrail bypasses, and non-determinism.
How SQL injection arises in text-to-SQL LLM applications, covering data exfiltration, UNION-based guardrail bypass, and data manipulation through query types.
How cross-site scripting arises when LLM output bypasses HTML encoding, covering reflected XSS, stored XSS, and the external script resilience bypass.
LLM output is untrusted data. This article covers insecure output handling, the injection risks it enables, and where it sits in OWASP LLM05 and Google SAIF.
No single mitigation eliminates prompt injection. Covers prompt engineering, filtering, fine-tuning, adversarial training, and guardrail models.
Garak is an open-source LLM vulnerability scanner that automates adversarial testing for prompt injection, jailbreaks, and encoding bypasses. Full walkthrough.