Insecure output handling in LLM applications
LLM output is untrusted data. This article covers insecure output handling, the injection risks it enables, and where it sits in OWASP LLM05 and Google SAIF.
LLM output is untrusted data. This article covers insecure output handling, the injection risks it enables, and where it sits in OWASP LLM05 and Google SAIF.
No single mitigation eliminates prompt injection. Covers prompt engineering, filtering, fine-tuning, adversarial training, and guardrail models.
Garak is an open-source LLM vulnerability scanner that automates adversarial testing for prompt injection, jailbreaks, and encoding bypasses. Full walkthrough.
LLM jailbreaking bypasses safety alignment to force models into generating restricted content. Covers DAN, roleplay, token smuggling, and adversarial suffixes.
Indirect prompt injection embeds payloads in external data that LLMs process. Covers data poisoning, web content injection, email vectors, and concealment.
Direct prompt injection targets LLMs through the user input channel. Covers system prompt extraction strategies and behaviour manipulation techniques.
LLM reconnaissance maps the attack surface of AI applications before testing. Covers model identification, architecture probing, and LLMmap fingerprinting.
Prompt injection exploits the lack of boundary between system and user prompts in LLMs. Covers multi-turn context, multimodal vectors, and architectural causes.
Prompt engineering controls LLM output through input design. Covers best practices and maps security risks to OWASP LLM Top 10 and Google SAIF risk categories.
ML infrastructure carries every traditional security risk plus deployment-specific threats. Covers misconfigurations, DoS, resource exhaustion, and TTPs.